* reserved_port_type attribute
From: Christopher J. PeBenito @ 2005-09-26 17:50 UTC (permalink / raw)
  To: SELinux Mail List

According to attrib.te, reserved_port_type is supposed to be for ports
that are less than 1024.  Why is reserved_port_t not included?  Also,
http_cache_port_t, ptal_port_t, clamd_port_t, pyzor_port_t, and
dbskkd_port_t aren't labeling any ports below 1024 (dbskkd_port_t
doesn't even have a portcon), so why have they been given this
attribute?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: reserved_port_type attribute
From: Stephen Smalley @ 2005-09-26 18:20 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: SELinux Mail List

On Mon, 2005-09-26 at 13:50 -0400, Christopher J. PeBenito wrote:
> According to attrib.te, reserved_port_type is supposed to be for ports
> that are less than 1024.  Why is reserved_port_t not included?

As I recall, reserved_port_type was introduced for dontaudit rules to
suppress noise when userspace scans for an available reserved port (in
particular, when libc sunrpc client code calls bindresvport(3)).  So in
these cases, I think that the domain was already being allowed name_bind
to the reserved_port_t type, and only needed dontaudit for the specific
port types.

If checkpolicy were enhanced to prune unnecessary auditallow and
dontaudit rules after collecting all allow rules, then it would do no
harm to add reserved_port_t to the attribute.  At present, you'll bloat
the policy slightly by doing it because checkpolicy isn't smart enough
to drop the extraneous dontaudit rule for the allowed case.

>   Also,
> http_cache_port_t, ptal_port_t, clamd_port_t, pyzor_port_t, and
> dbskkd_port_t aren't labeling any ports below 1024 (dbskkd_port_t
> doesn't even have a portcon), so why have they been given this
> attribute?

Likely shouldn't have it.

-- 
Stephen Smalley
National Security Agency




* Re: reserved_port_type attribute
From: Stephen Smalley @ 2005-09-26 18:28 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: SELinux Mail List

On Mon, 2005-09-26 at 14:20 -0400, Stephen Smalley wrote:
> If checkpolicy were enhanced to prune unnecessary auditallow and
> dontaudit rules after collecting all allow rules, then it would do no
> harm to add reserved_port_t to the attribute.  At present, you'll bloat
> the policy slightly by doing it because checkpolicy isn't smart enough
> to drop the extraneous dontaudit rule for the allowed case.

Except that in this case, since the rules are in terms of an attribute,
it shouldn't matter much in policy.20.  

-- 
Stephen Smalley
National Security Agency




* Re: reserved_port_type attribute
From: Daniel J Walsh @ 2005-09-26 20:20 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: SELinux Mail List

Christopher J. PeBenito wrote:

>According to attrib.te, reserved_port_type is supposed to be for ports
>that are less than 1024.  Why is reserved_port_t not included?  Also,
>http_cache_port_t, ptal_port_t, clamd_port_t, pyzor_port_t, and
>dbskkd_port_t aren't labeling any ports below 1024 (dbskkd_port_t
>doesn't even have a portcon), so why have they been given this
>attribute?
They should not be.  Probably cut and paste errors.
portcon tcp 1-1023 system_u:object_r:reserved_port_t
Since portmap and friends are allowed to connect to any port that is
not a reserved_port_type, the above rule would
not allow portmap to use any ports less than 1023, I believe.

It probably would not be a bad idea to prevent portmapper and friends
from connecting to any port that is defined.

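The two inconsistencies raised in this thread (reserved_port_type members that never label a port below 1024, and reserved_port_t labelling 1-1023 without carrying the attribute) can be found mechanically. The script below is an added example, not code from the thread or from the reference policy; the policy fragment it parses is constructed (only the reserved_port_t portcon and the type names come from the thread, the other port numbers are made up), and the regexes assume the `type name, attr, attr;` and `portcon proto port[-port] context` syntax of the policy of that era.

```python
"""Audit reserved_port_type membership against portcon statements.
Added example, not code from the thread or the reference policy; the
policy fragment is constructed (only reserved_port_t's portcon and the
type names come from the thread, other port numbers are made up)."""
import re
from collections import defaultdict

POLICY = """
attribute reserved_port_type;
type reserved_port_t, port_type;
type http_cache_port_t, port_type, reserved_port_type;
type ptal_port_t, port_type, reserved_port_type;
type dbskkd_port_t, port_type, reserved_port_type;
type smtp_port_t, port_type, reserved_port_type;
portcon tcp 1-1023 system_u:object_r:reserved_port_t
portcon tcp 3128 system_u:object_r:http_cache_port_t
portcon tcp 8080 system_u:object_r:http_cache_port_t
portcon tcp 5703 system_u:object_r:ptal_port_t
portcon tcp 25 system_u:object_r:smtp_port_t
"""

TYPE_RE = re.compile(r"^\s*type\s+(\w+)((?:\s*,\s*\w+)*)\s*;", re.M)
PORTCON_RE = re.compile(
    r"^\s*portcon\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s+\S+?:object_r:(\w+)", re.M)

def parse_policy(text):
    """Return ({type: set(attrs)}, {type: [(proto, lo, hi), ...]})."""
    attrs = {m.group(1): set(re.findall(r"\w+", m.group(2)))
             for m in TYPE_RE.finditer(text)}
    ranges = defaultdict(list)
    for m in PORTCON_RE.finditer(text):
        lo = int(m.group(2))
        ranges[m.group(4)].append((m.group(1), lo, int(m.group(3) or lo)))
    return attrs, ranges

def audit_reserved_ports(text, limit=1024):
    """Flag members of reserved_port_type that label no port below `limit`
    (the http_cache/ptal/dbskkd case) and types that do label one but lack
    the attribute (the reserved_port_t case)."""
    attrs, ranges = parse_policy(text)
    spurious, missing = {}, []
    for t, a in sorted(attrs.items()):
        lowest = min((lo for _, lo, _ in ranges.get(t, [])), default=None)
        if "reserved_port_type" in a and (lowest is None or lowest >= limit):
            spurious[t] = ("no portcon" if lowest is None
                           else "lowest port %d" % lowest)
        elif "reserved_port_type" not in a and lowest is not None and lowest < limit:
            missing.append(t)
    return spurious, missing
```

Running `audit_reserved_ports(POLICY)` against a real policy.conf instead of the constructed fragment gives the same two lists: attribute members to drop and low-port types that should gain it.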

