only allow 1 port for listening

Mark elihusmails at gmail.com
Wed Aug 8 17:39:25 UTC 2007


after running semanage, will the information remain in the policy after a
reboot?

-- 
..Cheers
Mark

On 8/8/07, Forrest Taylor <ftaylor at redhat.com> wrote:
>
> That is one way to do it.  If you run the semanage utility, it will
> compile that information into the policy as well, and you don't have to
> recompile the base policy.
>
> Forrest
>
> On Wed, 2007-08-08 at 13:21 -0400, Mark wrote:
> > ok.  Thanks.
> >
> > So I need to update corenetwork.te, recompile the policy, set the
> > policy to the newly compiled one and reboot?  Correct?
> >
> >
> >
> > --
> > ..Cheers
> > Mark
> >
> > On 8/8/07, Forrest Taylor <ftaylor at redhat.com> wrote:
> >         You cannot.  You need to run this as a separate command or
> >         build it into
> >         the base module (corenetwork.te).
> >
> >         Forrest
> >
> >         On Wed, 2007-08-08 at 13:12 -0400, Mark wrote:
> >         > thanks for the information, but how could I add this to my .te file?
> >         >
> >         > --
> >         > ..Cheers
> >         > Mark
> >         >
> >         > On 8/8/07, Forrest Taylor <ftaylor at redhat.com> wrote:
> >         >         On Wed, 2007-08-08 at 11:40 -0400, Mark wrote:
> >         >         > I am new to writing policies and have been reading the
> >         >         > reference policy files.  I wrote a simple TCP server that
> >         >         > listens on a port for connections.  I would like to write
> >         >         > a policy that will only allow my program to bind to a
> >         >         > specific port (9999).  I looked at the reference policy
> >         >         > and see that the ports that programs are allowed to use
> >         >         > are in policy/modules/kernel/corenetwork.te.  My question
> >         >         > is, can I specify the port in my program's type enforcement
> >         >         > file so that I can make a module instead of listing this in
> >         >         > the kernel policy?  If so, what would the syntax be?
> >         >
> >         >         portcon is only valid in the base module, not a normal
> >         >         loadable module.  The command to generate the port entry for
> >         >         the policy is semanage.  It should look something like the
> >         >         following:
> >         >
> >         >         semanage port -a -t my_port_t -p tcp 9999
> >         >
> >         >         Forrest
> >         >
> >         >
> >
> >
>
>
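As an added example, not from the thread: a shell script that carries Forrest's answer through end to end, keeping the port type and the name_bind rule in a loadable module while the port label itself is added with semanage, plus a small parser of `semanage port -l` output to verify which type owns the port afterwards. The names myserver_t, my_port_t and myserver.te, and a refpolicy-based Fedora/RHEL host with the policy development Makefile, are assumptions.

```shell
# Added example, not from the thread. myserver_t, my_port_t and myserver.te are
# assumed names; apply_port_label assumes a refpolicy-based Fedora/RHEL host.

# Loadable module: the port type and the name_bind rule may live here, but the
# portcon statement that labels port 9999 may not, hence semanage below.
MODULE_TE='policy_module(myserver, 1.0.0)
type myserver_t;
domain_type(myserver_t)
type my_port_t;
corenet_port(my_port_t)
allow myserver_t my_port_t:tcp_socket name_bind;
'

# Print the type owning PORT for PROTO from a `semanage port -l` listing read on
# stdin; an exact port entry wins over a range such as 1024-32767.
port_owner() {
    awk -v pt="$1" -v proto="$2" '
        NF >= 3 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /^[0-9]+-[0-9]+$/) {
                    split(p, r, "-")
                    if (pt+0 >= r[1]+0 && pt+0 <= r[2]+0 && range == "") range = $1
                } else if (p+0 == pt+0) { print $1; found = 1; exit }
            }
        }
        END { if (!found && range != "") print range }'
}

# Constructed listing in the format of `semanage port -l`, for offline checks.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
my_port_t                      tcp      9999
unreserved_port_t              tcp      1024-32767, 61001-65535
'

# The real change needs root on an SELinux host, so it runs only on request.
# semanage stores the mapping in the local policy store, so it persists across
# reboots until removed with `semanage port -d`.
apply_port_label() {
    printf '%s' "$MODULE_TE" > myserver.te
    make -f /usr/share/selinux/devel/Makefile myserver.pp
    semodule -i myserver.pp
    semanage port -a -t my_port_t -p tcp 9999
    semanage port -l | port_owner 9999 tcp    # expect: my_port_t
}

if [ "${1:-}" = "--apply" ]; then apply_port_label; fi
```

Run with `--apply` as root to make the change; without it the script only defines the helpers, so the parser can be checked against the constructed listing on any machine.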