From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: selinux@a61.nl
Cc: selinux@tycho.nsa.gov
Subject: Re: Unreserved portnumbers in corenetwork
Date: Wed, 05 Mar 2008 11:05:23 -0500 [thread overview]
Message-ID: <1204733123.14217.48.camel@gorn> (raw)
In-Reply-To: <51324.80.95.164.250.1204732077.squirrel@www.a61.nl>
On Wed, 2008-03-05 at 16:47 +0100, selinux@a61.nl wrote:
> > Unfortunately there are 3 forces at work. The first is that for the
> > most part, ports should always be labeled, because, for example, port 80
> > is always going to be regarded as the http port. The second is that
> > thats not always the case for non well-defined ports (your situation).
> > The third is that portcons (the port labeling statements) only work in
> > the base module. So, though we want to make a happy medium between the
> > first two, we can't overcome the final one within the constraints of the
> > current toolchain.
> >
>
> Agree with that. But wouldn't the situation be a little less complicated
> if you decide not to define any ports above 1024 in the reference policy?
That breaks people that just want to use reference policy.
> If you decide to do that, you could create a portcon that allows a single
> active module to claim a port above 1024 on a per module basis. A second
> module could claim another one, as long as it's not equal to the first
> (active) one.
>
> In this way you create a generic handler for modules that need ports above
> 1024 and can create a reference policy with modules with the same ports.
> As long as they are not both active, you wouldn't have any problem.
If I understand what your suggesting, then I don't see how thats
implementable with the current toolchain.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2008-03-05 16:08 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-03-05 10:21 Unreserved portnumbers in corenetwork selinux
2008-03-05 15:24 ` Christopher J. PeBenito
2008-03-05 15:47 ` selinux
2008-03-05 16:05 ` Christopher J. PeBenito [this message]
2008-03-05 16:16 ` Ronald van den Blink
2008-03-05 16:43 ` Christopher J. PeBenito
2008-03-05 19:25 ` Ronald van den Blink
2008-03-05 20:32 ` Daniel J Walsh
2008-03-05 20:36 ` Stephen Smalley
2008-03-05 21:52 ` Daniel J Walsh
2008-03-06 3:41 ` Joe Nall
2008-03-06 14:18 ` Daniel J Walsh
2008-03-06 14:46 ` Joe Nall
2008-03-05 21:23 ` Ronald van den Blink
2008-03-05 21:29 ` Daniel J Walsh
2008-03-05 15:51 ` Stephen Smalley
2008-03-06 13:37 ` Christopher J. PeBenito
2008-03-07 13:13 ` Ronald van den Blink
2008-03-07 13:29 ` Daniel J Walsh
2008-03-07 16:15 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1204733123.14217.48.camel@gorn \
--to=cpebenito@tresys.com \
--cc=selinux@a61.nl \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.