[gogoc] Allow name_connect to TCP port.

Juan Orti jorti at fedoraproject.org
Mon Jan 13 08:44:13 UTC 2014 

commit b83c432237d092cd91c773016f9392ff06671936
Author: Juan Orti Alcaine <juan.orti at miceliux.com>
Date:   Mon Jan 13 09:44:02 2014 +0100

    Allow name_connect to TCP port.

 gogoc.fc   |    3 +++
 gogoc.spec |   11 ++++++++++-
 gogoc.te   |    8 +++++++-
 3 files changed, 20 insertions(+), 2 deletions(-)
---
diff --git a/gogoc.fc b/gogoc.fc
index 3d9dcf5..f6427df 100644
--- a/gogoc.fc
+++ b/gogoc.fc
@@ -9,3 +9,6 @@
 /var/run/gogoc(/.*)?		gen_context(system_u:object_r:gogoc_var_run_t,s0)
 
 /etc/gogoc(/.*)?            gen_context(system_u:object_r:gogoc_conf_t,s0)
+
+#portcon tcp     3653   gen_context(system_u:object_r:gogoc_port_t,s0)
+#portcon udp     3653   gen_context(system_u:object_r:gogoc_port_t,s0)
diff --git a/gogoc.spec b/gogoc.spec
index 65fb0af..fb588b9 100644
--- a/gogoc.spec
+++ b/gogoc.spec
@@ -6,7 +6,7 @@
 
 Name:           gogoc
 Version:        1.2
-Release:        33%{?dist}
+Release:        34%{?dist}
 Summary:        IPv6 TSP client for gogo6
 
 Group:          System Environment/Daemons
@@ -48,6 +48,7 @@ Requires(post): policycoreutils-python
 Requires(preun): systemd
 Requires(postun): systemd
 Requires(postun): /usr/sbin/semodule
+Requires(postun): policycoreutils-python
 
 %description
 TSP is a control protocol used to establish and maintain static tunnels.
@@ -136,6 +137,9 @@ do
   /usr/sbin/semodule -s ${selinuxvariant} -i \
     %{_datadir}/selinux/${selinuxvariant}/%{name}.pp &> /dev/null || :
 done
+# http://danwalsh.livejournal.com/10607.html
+semanage port -a -t gogoc_port_t -p tcp 3653
+semanage port -a -t gogoc_port_t -p udp 3653
 /sbin/fixfiles -R %{name} restore || :
 
 %preun
@@ -146,6 +150,8 @@ done
 
 # Remove SELinux policy
 if [ $1 -eq 0 ] ; then
+  semanage port -d -p tcp 3653
+  semanage port -d -p udp 3653
   for selinuxvariant in %{selinux_variants}
   do
     /usr/sbin/semodule -s ${selinuxvariant} -r %{name} &> /dev/null || :
@@ -172,6 +178,9 @@ fi
 %{_datadir}/selinux/*/%{name}.pp
 
 %changelog
+* Sat Jan 04 2014 Juan Orti Alcaine <jorti at fedoraproject.org> - 1.2-34
+- Allow name_connect to TCP port. Bug #1047099
+
 * Mon Oct 07 2013 Juan Orti Alcaine <jorti at fedoraproject.org> - 1.2-33
 - Do not hardcode SELinux version dependency. See bug #999584
 
diff --git a/gogoc.te b/gogoc.te
index 54db602..db8c46d 100644
--- a/gogoc.te
+++ b/gogoc.te
@@ -1,4 +1,4 @@
-policy_module(gogoc, 1.0.3)
+policy_module(gogoc, 1.0.4)
 
 ########################################
 #
@@ -27,6 +27,9 @@ files_config_file(gogoc_conf_t)
 type gogoc_unit_file_t;
 systemd_unit_file(gogoc_unit_file_t)
 
+type gogoc_port_t;
+corenet_port(gogoc_port_t)
+
 ########################################
 #
 # gogoc local policy
@@ -43,6 +46,9 @@ allow gogoc_t self:capability { net_admin net_raw kill };
 allow gogoc_t self:tun_socket create_socket_perms;
 allow gogoc_t self:rawip_socket create_socket_perms;
 
+allow gogoc_t gogoc_port_t:tcp_socket name_connect;
+allow gogoc_t gogoc_port_t:udp_socket rw_socket_perms;
+
 kernel_read_network_state(gogoc_t)
 kernel_read_system_state(gogoc_t)
 kernel_request_load_module(gogoc_t)

More information about the scm-commits mailing list