only allow 1 port for listening
Mark
elihusmails at gmail.com
Wed Aug 8 17:39:25 UTC 2007
After running semanage, will the information remain in the policy after a
reboot?
--
..Cheers
Mark
On 8/8/07, Forrest Taylor <ftaylor at redhat.com> wrote:
>
> That is one way to do it. If you run the semanage utility, it will
> compile that information into the policy as well, and you don't have to
> recompile the base policy.
>
> Forrest
>
> On Wed, 2007-08-08 at 13:21 -0400, Mark wrote:
> > ok. Thanks.
> >
> > So I need to update corenetwork.te, recompile the policy, set the
> > policy to the newly compiled one and reboot? Correct?
> >
> >
> >
> > --
> > ..Cheers
> > Mark
> >
> > On 8/8/07, Forrest Taylor <ftaylor at redhat.com> wrote:
> > You cannot. You need to run this as a separate command or build it
> > into the base module (corenetwork.te).
> >
> > Forrest
> >
> > On Wed, 2007-08-08 at 13:12 -0400, Mark wrote:
> > > Thanks for the information, but how could I add this to my .te file?
> > >
> > > --
> > > ..Cheers
> > > Mark
> > >
> > > On 8/8/07, Forrest Taylor <ftaylor at redhat.com> wrote:
> > > On Wed, 2007-08-08 at 11:40 -0400, Mark wrote:
> > > > I am new to writing policies and have been reading the reference
> > > > policy files. I wrote a simple TCP server that listens on a port
> > > > for connections. I would like to write a policy that will only
> > > > allow my program to bind to a specific port (9999). I looked at
> > > > the reference policy and see that the ports that programs are
> > > > allowed to use are in policy/modules/kernel/corenetwork.te. My
> > > > question is, can I specify the port in my program's type
> > > > enforcement file so that I can make a module instead of listing
> > > > this in the kernel policy? If so, what would the syntax be?
> > >
> > > portcon is only valid in the base module, not a normal loadable
> > > module. The command to generate the port entry for the policy is
> > > semanage. It should look something like the following:
> > >
> > > semanage port -a -t my_port_t -p tcp 9999
> > >
> > > Forrest
> >
>
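As an added example (not code from this thread or its authors): a small Python helper that reads the output of `semanage port -l` and reports which SELinux port type covers a given port, which is how you confirm that a mapping created with `semanage port -a` is actually in place. semanage writes the mapping into the SELinux policy store rather than into a one-off compiled policy, so it survives reboots; `semanage port -lC` lists only those local customizations. The sample output below is constructed to mirror the command in the thread (type my_port_t, tcp 9999); the "narrowest range first" ordering is the helper's own heuristic for which mapping effectively applies when a single-port entry sits inside the catch-all unreserved_port_t range. The loadable module still has to grant the domain permission to bind to that type, e.g. `allow myapp_t my_port_t:tcp_socket name_bind;` (myapp_t is a placeholder domain name, not from the thread).

```python
"""Find which SELinux port type covers a port, from `semanage port -l` output."""
import re
import subprocess
from typing import List, Tuple

# Constructed sample in the layout `semanage port -l` prints:
#   <type>   <proto>   <comma-separated ports, ranges written low-high>
SAMPLE_OUTPUT = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
my_port_t                      tcp      9999
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-65535
unreserved_port_t              udp      1024-65535
"""

# One data line: a type name, a protocol, then the port list. The header
# line does not match because its second column is not a protocol name.
LINE_RE = re.compile(r"^(\S+)\s+(tcp|udp|dccp|sctp)\s+(.+?)\s*$")

Entry = Tuple[str, str, int, int]  # (port_type, proto, low, high)


def parse_port_list(text: str) -> List[Entry]:
    """Turn semanage output into (type, proto, low, high) tuples, one per port or range."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header, blank line, or anything else we do not understand
            continue
        port_type, proto, ports = m.groups()
        for item in ports.split(","):
            item = item.strip()
            if not item:
                continue
            if "-" in item:  # a range such as 1024-65535
                low, high = (int(x) for x in item.split("-", 1))
            else:
                low = high = int(item)
            entries.append((port_type, proto, low, high))
    return entries


def types_for_port(entries: List[Entry], port: int, proto: str) -> List[str]:
    """All types whose definition covers port/proto, narrowest range first.

    A single-port entry (width 0) therefore sorts ahead of the broad
    unreserved_port_t range that also contains it.
    """
    hits = [(high - low, t) for (t, p, low, high) in entries
            if p == proto and low <= port <= high]
    return [t for _, t in sorted(hits)]


def port_is_labeled(entries: List[Entry], port: int, proto: str, expected: str) -> bool:
    """True when the narrowest mapping for port/proto is the expected type."""
    types = types_for_port(entries, port, proto)
    return bool(types) and types[0] == expected


def live_port_list(local_only: bool = True) -> str:
    """Run semanage on the host; -C restricts output to local customizations."""
    cmd = ["semanage", "port", "-l"] + (["-C"] if local_only else [])
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    entries = parse_port_list(SAMPLE_OUTPUT)
    print(types_for_port(entries, 9999, "tcp"))              # ['my_port_t', 'unreserved_port_t']
    print(port_is_labeled(entries, 9999, "tcp", "my_port_t"))  # True
    print(port_is_labeled(entries, 9999, "udp", "my_port_t"))  # False: only the tcp mapping was added
```

To check a real host, replace `SAMPLE_OUTPUT` with `live_port_list()`; running it with `local_only=False` shows every mapping from the base policy as well, which is useful when a port you expected to be free turns out to already belong to another type (semanage will refuse `-a` for such a port and you use `-m` to modify it instead).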