* [refpolicy] [PATCH 1/1] Mark dhcp_use_ldap default off and enable binding to unreserved ports
@ 2012-05-01 7:04 Sven Vermeulen
2012-05-04 13:42 ` Christopher J. PeBenito
From: Sven Vermeulen @ 2012-05-01 7:04 UTC
To: refpolicy
Do not include the privileges for using LDAP by default (boolean defaults to off).
Also includes support for binding to unreserved ports, used by DHCP to detect the open interfaces (as seen in
common/discover.c, function "begin_iface_scan" in the DHCP sources). Include a comment in the sources to inform us about
this in the future.
See also http://oss.tresys.com/pipermail/refpolicy/2012-March/004981.html
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
dhcp.te | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/dhcp.te b/dhcp.te
index 064604a..32937ad 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -10,7 +10,7 @@ policy_module(dhcp, 1.9.1)
## Allow DHCP daemon to use LDAP backends
## </p>
## </desc>
-gen_tunable(dhcpd_use_ldap, true)
+gen_tunable(dhcpd_use_ldap, false)
type dhcpd_t;
type dhcpd_exec_t;
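Review bot: The flip to gen_tunable(dhcpd_use_ldap, false) changes behaviour for hosts that already run dhcpd against an LDAP backend, and neither the desc block above it nor the commit message tells those admins that they now have to turn the boolean on. Suggest saying so in the commit message, for example that dhcpd_use_ldap must be enabled explicitly for LDAP-backed setups. The subject line also spells the tunable dhcp_use_ldap while the policy name here is dhcpd_use_ldap; worth correcting so the change can be found by the real boolean name.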
@@ -71,6 +71,8 @@ corenet_udp_sendrecv_generic_node(dhcpd_t)
corenet_raw_sendrecv_generic_node(dhcpd_t)
corenet_tcp_sendrecv_all_ports(dhcpd_t)
corenet_udp_sendrecv_all_ports(dhcpd_t)
+# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan)
+corenet_udp_bind_all_unreserved_ports(dhcpd_t)
corenet_tcp_bind_generic_node(dhcpd_t)
corenet_udp_bind_generic_node(dhcpd_t)
corenet_tcp_bind_dhcpd_port(dhcpd_t)
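Review bot: corenet_udp_bind_all_unreserved_ports(dhcpd_t) is granted unconditionally and covers every unreserved UDP port, while the comment above it only says it is needed for interface detection. Suggest the comment state what begin_iface_scan actually binds (a fixed port or an arbitrary one), so a later reader can judge whether the grant can be narrowed. The wording "detect open number of interfaces" is also ambiguous and should be reworded.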
--
1.7.3.4
* [refpolicy] [PATCH 1/1] Mark dhcp_use_ldap default off and enable binding to unreserved ports
From: Christopher J. PeBenito @ 2012-05-04 13:42 UTC
To: refpolicy
On 05/01/12 03:04, Sven Vermeulen wrote:
> Do not include the privileges for using LDAP by default (boolean defaults to off).
>
> Also includes support for binding to unreserved ports, used by DHCP to detect the open interfaces (as seen in
> common/discover.c, function "begin_iface_scan" in the DHCP sources). Include a comment in the sources to inform us about
> this in the future.
Merged.
> See also http://oss.tresys.com/pipermail/refpolicy/2012-March/004981.html
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> dhcp.te | 4 +++-
> 1 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/dhcp.te b/dhcp.te
> index 064604a..32937ad 100644
> --- a/dhcp.te
> +++ b/dhcp.te
> @@ -10,7 +10,7 @@ policy_module(dhcp, 1.9.1)
> ## Allow DHCP daemon to use LDAP backends
> ## </p>
> ## </desc>
> -gen_tunable(dhcpd_use_ldap, true)
> +gen_tunable(dhcpd_use_ldap, false)
>
> type dhcpd_t;
> type dhcpd_exec_t;
> @@ -71,6 +71,8 @@ corenet_udp_sendrecv_generic_node(dhcpd_t)
> corenet_raw_sendrecv_generic_node(dhcpd_t)
> corenet_tcp_sendrecv_all_ports(dhcpd_t)
> corenet_udp_sendrecv_all_ports(dhcpd_t)
> +# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan)
> +corenet_udp_bind_all_unreserved_ports(dhcpd_t)
> corenet_tcp_bind_generic_node(dhcpd_t)
> corenet_udp_bind_generic_node(dhcpd_t)
> corenet_tcp_bind_dhcpd_port(dhcpd_t)
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com