* syslogd-ng defines tcp ports to connect to.
@ 2007-03-08 14:44 Daniel J Walsh
From: Daniel J Walsh @ 2007-03-08 14:44 UTC (permalink / raw)
To: Christopher J. PeBenito, SE Linux
With this change they can use semanage to define additional ports.
[-- Attachment #2: syslog.patch --]
--- nsaserefpolicy/policy/modules/system/logging.te 2007-02-23 16:50:01.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/system/logging.te 2007-03-08 08:42:37.000000000 -0500
@@ -328,6 +329,9 @@
corenet_tcp_bind_all_nodes(syslogd_t)
corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
+# Allow users to define additional syslog ports to connect to
+corenet_tcp_bind_syslogd_port(syslogd_t)
+corenet_tcp_connect_syslogd_port(syslogd_t)
# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
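Review bot: The hunk header `@@ -328,6 +329,9 @@` carries a one-line offset on the new side although no earlier hunk for logging.te is in the attachment, so this looks like an extract of a larger diff and may not apply cleanly; regenerate it against the tree it was cut from. The added `corenet_tcp_bind_syslogd_port(syslogd_t)` also lets syslogd_t listen on syslogd_port_t, which is wider than the subject's "ports to connect to"; if the receiving side is intended, say so in the comment, e.g. `# Allow syslog-ng to listen on and connect to syslogd ports (tcp ports are added with semanage port)`. Note that corenetwork.te.in only declares `network_port(syslogd, udp,514,s0)`, so the two tcp rules have no effect until an administrator labels a tcp port as syslogd_port_t.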
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-02-19 11:32:51.000000000 -0500
+++ serefpolicy-2.5.8/policy/modules/kernel/corenetwork.te.in 2007-03-08 08:42:36.000000000 -0500
@@ -43,11 +43,16 @@
sid port gen_context(system_u:object_r:port_t,s0)
#
-# reserved_port_t is the type of INET port numbers below 1024.
+# reserved_port_t is the type of INET port numbers below 599.
#
type reserved_port_t, port_type, reserved_port_type;
#
+# hi_reserved_port_t is the type of INET port numbers between 600-1023.
+#
+type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+
+#
# server_packet_t is the default type of IPv4 and IPv6 server packets.
#
type server_packet_t, packet_type, server_packet_type;
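Review bot: The rewritten comment `# reserved_port_t is the type of INET port numbers below 599.` disagrees with the portcon it describes in the last hunk of this file (`portcon tcp 1-599 ... reserved_port_t`), which puts port 599 in reserved_port_t; write `below 600` or `between 1-599`. The new hi_reserved_port_t also carries the `rpc_port_type` attribute, so every rule written against that attribute now covers the whole 600-1023 range rather than only the ports explicitly given that attribute; if that widening is intended it should be stated in the comment, otherwise drop the attribute from this type. The matching range split is in the final hunk of this file.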
@@ -140,6 +145,7 @@
network_port(soundd, tcp,8000,s0, tcp,9433,s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
+network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0, )
network_port(swat, tcp,901,s0)
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
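Review bot: The new `network_port(squid, ... tcp,4827,s0, )` ends with an empty trailing argument before the closing parenthesis, which none of the neighbouring network_port lines have; depending on how the macro walks its argument list this can produce an empty or malformed portcon, so drop the trailing `, ` and write `network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0)`. A short comment naming what these four ports are would also help, since the other entries with non-obvious ports carry one.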
@@ -157,8 +163,11 @@
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
-portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
-portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
+
+portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon tcp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon udp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
########################################
#
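Review bot: The comment kept above the new portcons still reads `# Defaults for reserved ports ... any remaining reserved ports not otherwise declared` and says nothing about the range now being split across two types; update it, e.g. `# Defaults for reserved ports, split into reserved_port_t (1-599) and hi_reserved_port_t (600-1023).` The added blank `+` line sits between that comment and the first portcon it describes; if a separator is wanted it belongs before the comment, not after it.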
* Re: syslogd-ng defines tcp ports to connect to.
@ 2007-03-22 13:32 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2007-03-22 13:32 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux
On Thu, 2007-03-08 at 09:44 -0500, Daniel J Walsh wrote:
> --- nsaserefpolicy/policy/modules/system/logging.te 2007-02-23 16:50:01.000000000 -0500
> +++ serefpolicy-2.5.8/policy/modules/system/logging.te 2007-03-08 08:42:37.000000000 -0500
> @@ -328,6 +329,9 @@
> corenet_tcp_bind_all_nodes(syslogd_t)
> corenet_tcp_bind_rsh_port(syslogd_t)
> corenet_tcp_connect_rsh_port(syslogd_t)
> +# Allow users to define additional syslog ports to connect to
> +corenet_tcp_bind_syslogd_port(syslogd_t)
> +corenet_tcp_connect_syslogd_port(syslogd_t)
>
> # syslog-ng can send or receive logs
> corenet_sendrecv_syslogd_client_packets(syslogd_t)
Merged this part; the later parts are not related.
> --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-02-19 11:32:51.000000000 -0500
> +++ serefpolicy-2.5.8/policy/modules/kernel/corenetwork.te.in 2007-03-08 08:42:36.000000000 -0500
> @@ -43,11 +43,16 @@
> sid port gen_context(system_u:object_r:port_t,s0)
>
> #
> -# reserved_port_t is the type of INET port numbers below 1024.
> +# reserved_port_t is the type of INET port numbers below 599.
> #
> type reserved_port_t, port_type, reserved_port_type;
>
> #
> +# hi_reserved_port_t is the type of INET port numbers between 600-1023.
> +#
> +type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
> +
> +#
> # server_packet_t is the default type of IPv4 and IPv6 server packets.
> #
> type server_packet_t, packet_type, server_packet_type;
> @@ -140,6 +145,7 @@
> network_port(soundd, tcp,8000,s0, tcp,9433,s0)
> type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
> type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
> +network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0, )
> network_port(swat, tcp,901,s0)
> network_port(syslogd, udp,514,s0)
> network_port(telnetd, tcp,23,s0)
> @@ -157,8 +163,11 @@
>
> # Defaults for reserved ports. Earlier portcon entries take precedence;
> # these entries just cover any remaining reserved ports not otherwise declared.
> -portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
> -portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
> +
> +portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
> +portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
> +portcon tcp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
> +portcon udp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
>
> ########################################
> #
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150