only allow 1 port for listening

Forrest Taylor ftaylor at redhat.com
Wed Aug 8 17:26:23 UTC 2007


That is one way to do it.  If you run the semanage utility, it will
compile that information into the policy as well, and you don't have to
recompile the base policy.

Forrest

On Wed, 2007-08-08 at 13:21 -0400, Mark wrote:
> ok.  Thanks.  
> 
> So I need to update corenetwork.te, recompile the policy, set the
> policy to the newly compiled one and reboot?  Correct?
> 
> 
> 
> -- 
> ..Cheers
> Mark 
> 
> On 8/8/07, Forrest Taylor <ftaylor at redhat.com> wrote:
>         You cannot.  You need to run this as a separate command or
>         build it into the base module (corenetwork.te).
>         
>         Forrest
>         
>         On Wed, 2007-08-08 at 13:12 -0400, Mark wrote:
>         > thanks for the information, but how could I add this to
>         > my .te file? 
>         >
>         >
>         > --
>         > ..Cheers
>         > Mark
>         >
>         > On 8/8/07, Forrest Taylor <ftaylor at redhat.com> wrote:
>         >         On Wed, 2007-08-08 at 11:40 -0400, Mark wrote: 
>         >         > I am new to writing policies and have been reading the
>         >         > reference policy files.  I wrote a simple TCP server that
>         >         > listens on a port for connections.  I would like to write
>         >         > a policy that will only allow my program to bind to a
>         >         > specific port (9999).  I looked at the reference policy and
>         >         > see that the ports that programs are allowed to use are in
>         >         > policy/modules/kernel/corenetwork.te.  My question is, can
>         >         > I specify the port in my program's type enforcement file so
>         >         > that I can make a module instead of listing this in the
>         >         > kernel policy?  If so, what would the syntax be?
>         >
>         >         portcon is only valid in the base module, not a normal
>         >         loadable module.  The command to generate the port entry for
>         >         the policy is semanage.  It should look something like the
>         >         following:
>         >
>         >         semanage port -a -t my_port_t -p tcp 9999
>         >
>         >         Forrest
>         >
>         >
>         
> 
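Putting Forrest's two answers together, as an added example that is not part of the thread: the port type is declared in an ordinary loadable module (no portcon there, since that is only legal in the base module), and the port number is bound to it with semanage after the module is loaded. It assumes a reference-policy toolchain and the hypothetical names myserver_t / myserver_exec_t plus the refpolicy interfaces corenet_port and corenet_tcp_bind_generic_node.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: refpolicy devel Makefile,
# the names myserver_t / myserver_exec_t, and the interfaces
# corenet_port / corenet_tcp_bind_generic_node.
set -eu

# Emit the .te source for the loadable module. No portcon line appears here:
# portcon is only valid in the base module, so the port number is attached
# to my_port_t through the policy store (semanage) instead.
myserver_te() {
    cat <<'EOF'
policy_module(myserver, 1.0)

type myserver_t;
type myserver_exec_t;
init_daemon_domain(myserver_t, myserver_exec_t)

# The port *type* lives in the module; the number-to-type mapping does not.
type my_port_t;
corenet_port(my_port_t)

allow myserver_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(myserver_t)
# Only my_port_t may be bound, so the daemon cannot listen on other ports.
allow myserver_t my_port_t:tcp_socket name_bind;
EOF
}

# The semanage line from the thread. my_port_t must already exist in the
# loaded policy, so the module is installed before this runs.
port_label_cmd() {
    echo "semanage port -a -t my_port_t -p tcp $1"
}

# Build, install, then label the port. Runs only as `sh thisfile.sh install`
# on a host with the policy devel tools; no base-policy rebuild or reboot.
install_policy() {
    myserver_te > myserver.te
    make -f /usr/share/selinux/devel/Makefile myserver.pp
    semodule -i myserver.pp
    eval "$(port_label_cmd 9999)"
    # Verify the mapping took effect in the policy store.
    semanage port -l | grep my_port_t
}

if [ "${1:-}" = install ]; then install_policy; fi
```

Because semanage writes the mapping into the policy store, it survives later policy updates, whereas a hand edit to corenetwork.te is overwritten the next time the base policy is rebuilt.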

