From: Joshua Brindle <jbrindle@tresys.com>
To: Ivan Gyurdiev <ivg2@cornell.edu>
Cc: SELinux List <SELinux@tycho.nsa.gov>,
Stephen Smalley <sds@tycho.nsa.gov>,
dwalsh@redhat.com
Subject: Re: [SEMANAGE][SEPOL] Enable ports
Date: Mon, 02 Jan 2006 13:59:47 -0500 [thread overview]
Message-ID: <43B97823.3080201@tresys.com> (raw)
In-Reply-To: <43ACADB3.7070509@cornell.edu>
Ivan Gyurdiev wrote:
> Ok, I've tried to get ports working enough times now, that I think my
> approach is making it too difficult. I've been trying to put too much
> logic into the port key - for example, I wanted the add() function to
> detect overlapping ranges, and complain about it (the range key
> represents all ports from low to high). I wanted the query function to
> match inexactly (if you query port 80, 10-1024 to match...)
> I wanted del() to match a range, and clear only the specified sub-range.
> But... this is too difficult to do, and adds lots of extra complexity,
> and we need to get ports working.
>
> So, this patch takes the simplest possible approach - a key matches if
> low = low2, high = high2, and proto = proto2. This means that at the key
> level, ranges 10-20, and 15-30 are completely different, even though
> they overlap and represent the same ports. Two ranges with matching
> bounds and protocol are not allowed, but they can overlap inexactly. In
> that case, the one added later takes precedence, and is written at the
> end of the file (and pushed at the beginning of the list in the
> policydb). If additional overlap checks are needed, they should be
> implemented at the libsemanage client.
>
> This brings up an interesting point - if ordering of records matters,
> then some thought should go into which way iterate() loops over the
> records... (and what order list() returns). Currently for files, the
> ordering is backwards to what appears in the file (not sure what
> policydb does).
>
This should be fixed. The policy parser (policy_parse.y) currently
preserves the order exactly as specified, with errors in the case of
duplicate or shadowed entries.
I think a good workaround for now is to only expose exact port labeling
via libsemanage; that way you can prepend them to the policydb list and
not worry about sorting, etc. If the user needs to set multiple ports,
the client can expose that functionality, and limited intelligence can
be added there (error checking and such). The policydb portcons would
still have ranges, so the fallbacks (1-1024, etc.) would still be there.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
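The following is an added model of the semantics discussed in this thread; it is not libsemanage or libsepol code. It models Ivan's exact-key matching (a record matches only on identical low, high and protocol), the "added later takes precedence" ordering (newest record at the head of the list, oldest first in file order), a policydb-style lookup that returns the first containing range, and the client-side overlap check that both messages say belongs outside the key. The sample port records and their security contexts are constructed for illustration; the class and method names are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PortKey:
    """Exact key as in the patch: (proto, low, high). 10-20 and 15-30 are
    different keys even though they overlap."""
    proto: str  # "tcp" or "udp"
    low: int
    high: int

    def contains(self, port: int) -> bool:
        return self.low <= port <= self.high

    def overlaps(self, other: "PortKey") -> bool:
        return (self.proto == other.proto
                and self.low <= other.high and other.low <= self.high)


@dataclass
class PortRecord:
    key: PortKey
    context: str  # e.g. "system_u:object_r:http_port_t:s0" (constructed)


class PortStore:
    """Newest record sits at the head of the list (the policydb order the
    thread describes); the file is written oldest-first."""

    def __init__(self) -> None:
        self._records: List[PortRecord] = []

    def add(self, proto: str, low: int, high: int, context: str) -> None:
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"bad port range {low}-{high}")
        if self.query(proto, low, high) is not None:
            # Identical bounds and protocol are rejected; inexact overlap is allowed.
            raise KeyError(f"portcon {proto} {low}-{high} already exists")
        # Prepend, so the record added last takes precedence on lookup.
        self._records.insert(0, PortRecord(PortKey(proto, low, high), context))

    def delete(self, proto: str, low: int, high: int) -> bool:
        """Exact-key delete only; no sub-range clearing."""
        key = PortKey(proto, low, high)
        before = len(self._records)
        self._records = [r for r in self._records if r.key != key]
        return len(self._records) != before

    def query(self, proto: str, low: int, high: int) -> Optional[PortRecord]:
        """Exact-key query: a 10-1024 record does not answer a query for 80-80."""
        key = PortKey(proto, low, high)
        return next((r for r in self._records if r.key == key), None)

    def lookup(self, proto: str, port: int) -> Optional[str]:
        """Runtime-style resolution: first containing range in list order wins."""
        for r in self._records:
            if r.key.proto == proto and r.key.contains(port):
                return r.context
        return None

    def overlapping(self, proto: str, low: int, high: int) -> List[PortKey]:
        """The overlap check the thread leaves to the libsemanage client."""
        probe = PortKey(proto, low, high)
        return [r.key for r in self._records if r.key.overlaps(probe)]

    def file_order(self) -> List[PortRecord]:
        """Order as written to the file: oldest first, newest at the end."""
        return list(reversed(self._records))


def build_example_store() -> PortStore:
    """Constructed sample data: a 1-1024 fallback, an exact port, and two
    inexactly overlapping ranges added in this order."""
    s = PortStore()
    s.add("tcp", 1, 1024, "system_u:object_r:reserved_port_t:s0")
    s.add("tcp", 80, 80, "system_u:object_r:http_port_t:s0")
    s.add("tcp", 10, 20, "system_u:object_r:range_a_t:s0")
    s.add("tcp", 15, 30, "system_u:object_r:range_b_t:s0")
    return s


if __name__ == "__main__":
    s = build_example_store()
    print(s.lookup("tcp", 80))    # exact 80-80 record shadows the 1-1024 fallback
    print(s.lookup("tcp", 18))    # 15-30 wins: it was added after 10-20
    print(s.lookup("tcp", 12))    # only 10-20 (and the fallback) contain 12
    print(s.lookup("tcp", 5000))  # no record: None
    print(s.overlapping("tcp", 18, 25))
```

The point the ordering makes: `lookup("tcp", 18)` answers differently after `delete("tcp", 15, 30)`, because precedence is purely positional. A client that wants to warn about shadowing should call `overlapping()` before `add()`, which is where Joshua suggests that intelligence lives.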
Thread overview: 6+ messages
2005-12-24 2:08 [SEMANAGE][SEPOL] Enable ports Ivan Gyurdiev
2006-01-02 18:59 ` Joshua Brindle [this message]
2006-01-02 18:51 ` Ivan Gyurdiev
2006-01-03 7:23 ` Ivan Gyurdiev
2006-01-03 16:28 ` Joshua Brindle
2006-01-03 14:35 ` Ivan Gyurdiev