* Samba guys reviewed samba policy and fixed some of the ports used by samba
@ 2007-03-23 19:15 Daniel J Walsh
  2007-03-28 18:17 ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Daniel J Walsh @ 2007-03-23 19:15 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 32 bytes --]

Also added new ports for squid.

[-- Attachment #2: corenet_port_type.patch --]
[-- Type: text/x-patch, Size: 1361 bytes --]

--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2007-02-19 11:32:51.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/kernel/corenetwork.if.in	2007-03-22 15:06:58.000000000 -0400
@@ -1977,3 +1977,57 @@
 
 	typeattribute $1 corenet_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Define type to be a network port type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used for network ports.
+##	</summary>
+## </param>
+#
+interface(`corenet_port_type',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	typeattribute $1 port_type;
+')
+
+########################################
+## <summary>
+##	Define network type to be a reserved port (lt 1024) 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used for network ports.
+##	</summary>
+## </param>
+#
+interface(`corenet_reserved_port_type',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	typeattribute $1 reserved_port_type;
+')
+
+########################################
+## <summary>
+##	Define network type to be a rpc port ( 512 lt PORT lt 1024) 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used for network ports.
+##	</summary>
+## </param>
+#
+interface(`corenet_rpc_port_type',`
+	gen_require(`
+		attribute rpc_port_type;
+	')
+
+	typeattribute $1 rpc_port_type;
+')
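Review bot: All three new interfaces document their argument as `<param name="domain">`, but `$1` is a port type rather than a domain, so the generated interface documentation will mislead callers; `<param name="type">` would match the summary text "Type to be used for network ports." Each interface also adds exactly one attribute, so a type passed only to `corenet_reserved_port_type` or `corenet_rpc_port_type` is not given `port_type` by these lines, and rules written against `port_type` would presumably not cover it unless the caller also invokes `corenet_port_type`. A sentence in each summary saying whether that pairing is required would close the gap. The rpc summary's "( 512 lt PORT lt 1024)" reads as excluding port 512 itself, so it is worth confirming the intended bounds and writing them as an explicit range.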


* Re: Samba guys reviewed samba policy and fixed some of the ports used by samba
  2007-03-23 19:15 Samba guys reviewed samba policy and fixed some of the ports used by samba Daniel J Walsh
@ 2007-03-28 18:17 ` Christopher J. PeBenito
  2007-03-28 18:32   ` Daniel J Walsh
  0 siblings, 1 reply; 4+ messages in thread
From: Christopher J. PeBenito @ 2007-03-28 18:17 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Fri, 2007-03-23 at 15:15 -0400, Daniel J Walsh wrote:
> Also added new ports for squid.

Looks like the wrong patch.

> 
> 
> 
> 
> 
> 
> differences
> between files
> attachment
> (corenet_port_type.patch), "corenet_port_type.patch"
> 
> ---
> nsaserefpolicy/policy/modules/kernel/corenetwork.if.in      2007-02-19
> 11:32:51.000000000 -0500
> +++
> serefpolicy-2.5.10/policy/modules/kernel/corenetwork.if.in  2007-03-22
> 15:06:58.000000000 -0400
> @@ -1977,3 +1977,57 @@
>  
>         typeattribute $1 corenet_unconfined_type;
>  ')
> +
> +########################################
> +## <summary>
> +##     Define type to be a network port type
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Type to be used for network ports.
> +##     </summary>
> +## </param>
> +#
> +interface(`corenet_port_type',`
> +       gen_require(`
> +               attribute port_type;
> +       ')
> +
> +       typeattribute $1 port_type;
> +')
> +
> +########################################
> +## <summary>
> +##     Define network type to be a reserved port (lt 1024) 
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Type to be used for network ports.
> +##     </summary>
> +## </param>
> +#
> +interface(`corenet_reserved_port_type',`
> +       gen_require(`
> +               attribute reserved_port_type;
> +       ')
> +
> +       typeattribute $1 reserved_port_type;
> +')
> +
> +########################################
> +## <summary>
> +##     Define network type to be a rpc port ( 512 lt PORT lt 1024) 
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Type to be used for network ports.
> +##     </summary>
> +## </param>
> +#
> +interface(`corenet_rpc_port_type',`
> +       gen_require(`
> +               attribute rpc_port_type;
> +       ')
> +
> +       typeattribute $1 rpc_port_type;
> +')
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Samba guys reviewed samba policy and fixed some of the ports used by samba
  2007-03-28 18:17 ` Christopher J. PeBenito
@ 2007-03-28 18:32   ` Daniel J Walsh
  2007-04-11 17:51     ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Daniel J Walsh @ 2007-03-28 18:32 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: SE Linux

[-- Attachment #1: Type: text/plain, Size: 198 bytes --]

Christopher J. PeBenito wrote:
> On Fri, 2007-03-23 at 15:15 -0400, Daniel J Walsh wrote:
>   
>> Also added new ports for squid.
>>     
>
> Looks like the wrong patch.
>
>   
Sorry try this one.


[-- Attachment #2: corenetwork.te.in.patch --]
[-- Type: text/x-patch, Size: 1831 bytes --]

--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-02-19 11:32:51.000000000 -0500
+++ serefpolicy-2.5.11/policy/modules/kernel/corenetwork.te.in	2007-03-27 15:45:12.000000000 -0400
@@ -100,7 +105,7 @@
 network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
 network_port(ktalkd, udp,517,s0, udp,518,s0)
-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
+network_port(ldap, tcp,3268,s0, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
 network_port(lmtp, tcp,24,s0, udp,24,s0)
 network_port(mail, tcp,2000,s0)
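Review bot: Adding `tcp,3268,s0` to the shared `ldap` entry widens access for every domain that is already allowed to use the ldap port type, not just the Samba domains named in the thread subject. If only Samba needs it, a separate port type granted to those domains alone would keep the change least-privilege; whether other LDAP clients should reach 3268 cannot be judged from this hunk. The line also carries no explanation, and 3268 is commonly the Active Directory global catalog port, so a trailing comment such as `# 3268: AD global catalog` would record the intent. The new pair is placed ahead of `tcp,389` while the remaining pairs are in ascending order, so moving it to the end would keep the list consistent.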
@@ -108,7 +113,7 @@
 network_port(mysqld, tcp,3306,s0)
 network_port(nessus, tcp,1241,s0)
 network_port(netsupport, tcp,5405,s0, udp,5405,s0)
-network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
+network_port(nmbd, udp,137,s0, udp,138,s0)
 network_port(ntp, udp,123,s0)
 network_port(ocsp, tcp,9080,s0)
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
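Review bot: Dropping `udp,139,s0` from `nmbd` here, and narrowing `smbd` from `tcp,137-139` to `tcp,139` in the next hunk, leaves udp/139 and tcp/137-138 without a Samba-specific label. Those ports then take whatever default label the policy assigns to otherwise unlabeled low ports, presumably one that any domain permitted to bind generic reserved ports can use; that fallback is not visible in these hunks and should be confirmed before merging. Neither line says why the ports were removed. A short comment beside both entries, for example `# nmbd: NetBIOS name/datagram only (udp 137-138)` and `# smbd: NetBIOS session (tcp 139) and SMB (tcp 445)`, would stop a later edit from restoring the old ranges.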
@@ -132,7 +137,7 @@
 network_port(router, udp,520,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
-network_port(smbd, tcp,137-139,s0, tcp,445,s0)
+network_port(smbd, tcp,139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
 network_port(spamd, tcp,783,s0)
@@ -140,6 +145,7 @@
 network_port(soundd, tcp,8000,s0, tcp,9433,s0)
 type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
 type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
+network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0, )
 network_port(swat, tcp,901,s0)
 network_port(syslogd, udp,514,s0)
 network_port(telnetd, tcp,23,s0)
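Review bot: The added `squid` line ends its argument list with `, )`, which passes `network_port` an empty trailing argument that no other entry in these hunks has. How the macro handles it is not visible here; it may be ignored or may expand into a malformed port context, so the line should end `tcp,4827,s0)`. The entry also labels both tcp and udp for 3401 and 4827 with no explanation. These look like Squid's SNMP and HTCP ports, which are normally UDP services (confirm against the Squid configuration in use), in which case the tcp pairs grant more than is needed and could be dropped. A trailing comment naming the two services would let a reviewer check that.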


* Re: Samba guys reviewed samba policy and fixed some of the ports used by samba
  2007-03-28 18:32   ` Daniel J Walsh
@ 2007-04-11 17:51     ` Christopher J. PeBenito
  0 siblings, 0 replies; 4+ messages in thread
From: Christopher J. PeBenito @ 2007-04-11 17:51 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Wed, 2007-03-28 at 14:32 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Fri, 2007-03-23 at 15:15 -0400, Daniel J Walsh wrote:
> >   
> >> Also added new ports for squid.
> >>     
> >
> > Looks like the wrong patch.
> >
> >   
> Sorry try this one.

Merged smbd and nmbd parts.

> 
> 
> 
> 
> 
> 
> differences
> between files
> attachment
> (corenetwork.te.in.patch)
> 
> --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in      2007-02-19 11:32:51.000000000 -0500
> +++ serefpolicy-2.5.11/policy/modules/kernel/corenetwork.te.in  2007-03-27 15:45:12.000000000 -0400
> @@ -100,7 +105,7 @@
>  network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
>  network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
>  network_port(ktalkd, udp,517,s0, udp,518,s0)
> -network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
> +network_port(ldap, tcp,3268,s0, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
>  type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
>  network_port(lmtp, tcp,24,s0, udp,24,s0)
>  network_port(mail, tcp,2000,s0)
> @@ -108,7 +113,7 @@
>  network_port(mysqld, tcp,3306,s0)
>  network_port(nessus, tcp,1241,s0)
>  network_port(netsupport, tcp,5405,s0, udp,5405,s0)
> -network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
> +network_port(nmbd, udp,137,s0, udp,138,s0)
>  network_port(ntp, udp,123,s0)
>  network_port(ocsp, tcp,9080,s0)
>  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
> @@ -132,7 +137,7 @@
>  network_port(router, udp,520,s0)
>  network_port(rsh, tcp,514,s0)
>  network_port(rsync, tcp,873,s0, udp,873,s0)
> -network_port(smbd, tcp,137-139,s0, tcp,445,s0)
> +network_port(smbd, tcp,139,s0, tcp,445,s0)
>  network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
>  network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
>  network_port(spamd, tcp,783,s0)
> @@ -140,6 +145,7 @@
>  network_port(soundd, tcp,8000,s0, tcp,9433,s0)
>  type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
>  type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
> +network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0, )
>  network_port(swat, tcp,901,s0)
>  network_port(syslogd, udp,514,s0)
>  network_port(telnetd, tcp,23,s0)
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
