Hello,
what is a recommended way of allowing a domain to act as a generic TCP server. I.e. to create a stream socket, bind(2) it to a single defined port with INADDR_ANY, listen(2) on it, accept(2) connections on it, and communicate (read/write/send*/recv*) on it.
So far I am using audit2allow, and it has led me to the following setup (actual reading/writing not verified yet, more rules would probably be needed):
allow $1 hi_reserved_port_t:tcp_socket name_bind; allow $1 inaddr_any_node_t:tcp_socket node_bind; allow $1 self:capability net_bind_service;
However, I guess hi_reserver_port_t is not a _single_ port. I have seen the network_port() macro in corenetwork.if, but using
network_port($1, tcp,654,s0);
gives a syntax error.
Is there any high-level macro for setting up a single port and allowing it to be bound, listened, read and written?
[ my system is Fedora 10 with the targeted policy ]
Thanks,
-Yenya
On Sat, 2009-02-28 at 00:02 +0100, Jan Kasprzak wrote:
Hello,
what is a recommended way of allowing a domain to act as a generic TCP server. I.e. to create a stream socket, bind(2) it to a single defined port with INADDR_ANY, listen(2) on it, accept(2) connections on it, and communicate (read/write/send*/recv*) on it.
So far I am using audit2allow, and it has led me to the following setup (actual reading/writing not verified yet, more rules would probably be needed):
allow $1 hi_reserved_port_t:tcp_socket name_bind; allow $1 inaddr_any_node_t:tcp_socket node_bind; allow $1 self:capability net_bind_service;
However, I guess hi_reserver_port_t is not a _single_ port. I have seen the network_port() macro in corenetwork.if, but using
network_port($1, tcp,654,s0);
gives a syntax error.
Is there any high-level macro for setting up a single port and allowing it to be bound, listened, read and written?
[ my system is Fedora 10 with the targeted policy ]
Thanks,
-Yenya
I think corenet_reserved_port() is what you are looking for.
something like this:
# Declarations
type my_port_t; corenet_reserved_port(my_port_t)
# Policy
corenet_all_recvfrom_unlabeled($1) corenet_all_recvfrom_netlabel($1) corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_all_ports($1) corenet_tcp_bind_generic_node($1)
allow $1 my_port_t:tcp_socket name_bind;
#EOF
sudo semanage port -a -t my_port_t -p tcp 40
hth , Dominick
Dominick Grift wrote: : I think corenet_reserved_port() is what you are looking for. : Thanks for the hint. It is _almost_ exactly as you wrote, except:
: # Declarations : : type my_port_t; : corenet_reserved_port(my_port_t) : : # Policy : : corenet_all_recvfrom_unlabeled($1) : corenet_all_recvfrom_netlabel($1) : corenet_tcp_sendrecv_generic_if($1) : corenet_tcp_sendrecv_generic_node($1) : corenet_tcp_sendrecv_all_ports($1) - corenet_tcp_bind_generic_node($1) + corenet_tcp_bind_inadrr_any_node($1)
: allow $1 my_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service; + allow $1 self:tcp_socket create_stream_socket_perms;
: #EOF : : sudo semanage port -a -t my_port_t -p tcp 40
I would however like to have a really-high-level macro (or two) to do the above - I guess this is what many users would like to do - saying "this context belongs to my port", and "this domain can run a TCP server on this port". The similar way how the files_pid_file() and files_pid_filetrans() macros allow for the "I want to have my own PID file in /var/run" case.
Would it be acceptable to submit this as a patch for inclusion in the upstream policy?
I would like to have other things included upstream as well - for example, now I have a policy bits for Perl: file contexts for /usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying "this domain can run Perl scripts".
Thanks,
-Yenya
On Mon, 2009-03-02 at 16:34 +0100, Jan Kasprzak wrote:
Dominick Grift wrote: : I think corenet_reserved_port() is what you are looking for. : Thanks for the hint. It is _almost_ exactly as you wrote, except:
: # Declarations : : type my_port_t; : corenet_reserved_port(my_port_t) : : # Policy : : corenet_all_recvfrom_unlabeled($1) : corenet_all_recvfrom_netlabel($1) : corenet_tcp_sendrecv_generic_if($1) : corenet_tcp_sendrecv_generic_node($1) : corenet_tcp_sendrecv_all_ports($1)
- corenet_tcp_bind_generic_node($1)
- corenet_tcp_bind_inadrr_any_node($1)
: allow $1 my_port_t:tcp_socket name_bind;
- allow $1 self:capability net_bind_service;
- allow $1 self:tcp_socket create_stream_socket_perms;
: #EOF : : sudo semanage port -a -t my_port_t -p tcp 40
I would however like to have a really-high-level macro (or two) to do the above - I guess this is what many users would like to do
- saying "this context belongs to my port", and "this domain can run
a TCP server on this port". The similar way how the files_pid_file() and files_pid_filetrans() macros allow for the "I want to have my own PID file in /var/run" case.
Would it be acceptable to submit this as a patch for inclusion in the upstream policy?
My example of declaring a port would not be acceptable upstream. If you want your policy upstream then you would have to declare your port in the corenetwork.te.in file that is in the kernel section of the policy source. If you add a declaration there, then interfaces will be generated that you can use, when you build the source.
For example: network_port(myport, tcp,40,s0) would create interfaces like: corenet_tcp_bind_myport_port()
that you can use
hth , Dominick
I would like to have other things included upstream as well - for example, now I have a policy bits for Perl: file contexts for /usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying "this domain can run Perl scripts".
Thanks,
-Yenya
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Jan Kasprzak wrote:
Dominick Grift wrote: : I think corenet_reserved_port() is what you are looking for. : Thanks for the hint. It is _almost_ exactly as you wrote, except:
: # Declarations : : type my_port_t; : corenet_reserved_port(my_port_t) : : # Policy : : corenet_all_recvfrom_unlabeled($1) : corenet_all_recvfrom_netlabel($1) : corenet_tcp_sendrecv_generic_if($1) : corenet_tcp_sendrecv_generic_node($1) : corenet_tcp_sendrecv_all_ports($1)
- corenet_tcp_bind_generic_node($1)
- corenet_tcp_bind_inadrr_any_node($1)
: allow $1 my_port_t:tcp_socket name_bind;
- allow $1 self:capability net_bind_service;
- allow $1 self:tcp_socket create_stream_socket_perms;
: #EOF : : sudo semanage port -a -t my_port_t -p tcp 40
I would however like to have a really-high-level macro (or two) to do the above - I guess this is what many users would like to do
- saying "this context belongs to my port", and "this domain can run
a TCP server on this port". The similar way how the files_pid_file() and files_pid_filetrans() macros allow for the "I want to have my own PID file in /var/run" case.
Would it be acceptable to submit this as a patch for inclusion in the upstream policy?
I would like to have other things included upstream as well - for example, now I have a policy bits for Perl: file contexts for /usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying "this domain can run Perl scripts".
Thanks,
-Yenya
Yenya, take this discussion to the refpolicy list
Better to discuss it there. I think having a higher level template for creating a tcp or udp port would not be a bad idea. See what upstream thinks.
On Mon, 2009-03-02 at 11:58 -0500, Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Jan Kasprzak wrote:
Dominick Grift wrote: : I think corenet_reserved_port() is what you are looking for. : Thanks for the hint. It is _almost_ exactly as you wrote, except:
: # Declarations : : type my_port_t; : corenet_reserved_port(my_port_t) : : # Policy : : corenet_all_recvfrom_unlabeled($1) : corenet_all_recvfrom_netlabel($1) : corenet_tcp_sendrecv_generic_if($1) : corenet_tcp_sendrecv_generic_node($1) : corenet_tcp_sendrecv_all_ports($1)
- corenet_tcp_bind_generic_node($1)
- corenet_tcp_bind_inadrr_any_node($1)
: allow $1 my_port_t:tcp_socket name_bind;
- allow $1 self:capability net_bind_service;
- allow $1 self:tcp_socket create_stream_socket_perms;
: #EOF : : sudo semanage port -a -t my_port_t -p tcp 40
I would however like to have a really-high-level macro (or two) to do the above - I guess this is what many users would like to do
- saying "this context belongs to my port", and "this domain can run
a TCP server on this port". The similar way how the files_pid_file() and files_pid_filetrans() macros allow for the "I want to have my own PID file in /var/run" case.
Would it be acceptable to submit this as a patch for inclusion in the upstream policy?
I would like to have other things included upstream as well - for example, now I have a policy bits for Perl: file contexts for /usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying "this domain can run Perl scripts".
Thanks,
-Yenya
Yenya, take this discussion to the refpolicy list
Better to discuss it there. I think having a higher level template for creating a tcp or udp port would not be a bad idea. See what upstream thinks.
I'm willing to consider it, but it'll need a good name.
selinux@lists.fedoraproject.org