* cups sends mail, connects to smbd port and binds to ports 600-1023
@ 2007-04-20 18:52 dwalsh
2007-04-30 17:38 ` Christopher J. PeBenito
From: dwalsh @ 2007-04-20 18:52 UTC (permalink / raw)
To: cpebenito; +Cc: selinux
--- nsaserefpolicy/policy/modules/services/cups.te 2007-03-26 10:39:04.000000000 -0400
+++ serefpolicy-2.5.12/policy/modules/services/cups.te 2007-04-11 17:07:34.000000000 -0400
@@ -151,9 +151,11 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
+corenet_tcp_connect_smbd_port(cupsd_t)
corenet_sendrecv_hplip_client_packets(cupsd_t)
corenet_sendrecv_ipp_client_packets(cupsd_t)
corenet_sendrecv_ipp_server_packets(cupsd_t)
+corenet_tcp_bind_all_rpc_ports(cupsd_t)
dev_rw_printer(cupsd_t)
dev_read_urand(cupsd_t)
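Review bot: `corenet_tcp_connect_smbd_port(cupsd_t)` is added directly below `corenet_tcp_connect_all_ports(cupsd_t)`, which already lets cupsd_t connect to every TCP port, so the new line grants nothing on its own. Either drop it, or, if the intent is to tighten the policy, remove the all-ports line in the same patch and list the specific ports cupsd needs.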
@@ -294,6 +296,10 @@
')
optional_policy(`
+ sendmail_domtrans(cupsd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(cupsd_t)
')
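Review bot: `sendmail_domtrans(cupsd_t)` in the new optional_policy block ties cupsd to one specific mailer and lets it transition into that mailer's domain, with no comment saying what cupsd mails or when. If the goal is only that cups can send mail, as the subject says, use the generic MTA interface (`mta_send_mail()`, as raised later in this thread) and add a one-line comment naming the CUPS feature that needs it.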
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: cups sends mail, connects to smbd port and binds to ports 600-1023
2007-04-20 18:52 cups sends mail, connects to smbd port and binds to ports 600-1023 dwalsh
@ 2007-04-30 17:38 ` Christopher J. PeBenito
2007-04-30 18:17 ` Daniel J Walsh
From: Christopher J. PeBenito @ 2007-04-30 17:38 UTC (permalink / raw)
To: dwalsh; +Cc: selinux
On Fri, 2007-04-20 at 14:52 -0400, dwalsh@redhat.com wrote:
> --- nsaserefpolicy/policy/modules/services/cups.te 2007-03-26 10:39:04.000000000 -0400
> +++ serefpolicy-2.5.12/policy/modules/services/cups.te 2007-04-11 17:07:34.000000000 -0400
> @@ -151,9 +151,11 @@
> corenet_tcp_bind_reserved_port(cupsd_t)
> corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
> corenet_tcp_connect_all_ports(cupsd_t)
> +corenet_tcp_connect_smbd_port(cupsd_t)
> corenet_sendrecv_hplip_client_packets(cupsd_t)
> corenet_sendrecv_ipp_client_packets(cupsd_t)
> corenet_sendrecv_ipp_server_packets(cupsd_t)
> +corenet_tcp_bind_all_rpc_ports(cupsd_t)
Any info on why it binds to these ports?
> dev_rw_printer(cupsd_t)
> dev_read_urand(cupsd_t)
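Review bot: `corenet_tcp_bind_all_rpc_ports(cupsd_t)` sits between the `corenet_sendrecv_*` lines rather than next to the other bind rules, and it opens a whole range (ports 600-1023 per the subject) without a comment on which CUPS function binds there. Move it up beside `corenet_tcp_bind_reserved_port(cupsd_t)`, record the reason in a comment, and check whether `corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)` is still wanted, since it keeps hiding denied binds on the rest of the reserved ports.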
> @@ -294,6 +296,10 @@
> ')
>
> optional_policy(`
> + sendmail_domtrans(cupsd_t)
> +')
Wouldn't mta_send_mail() be better?
> +
> +optional_policy(`
> seutil_sigchld_newrole(cupsd_t)
> ')
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: cups sends mail, connects to smbd port and binds to ports 600-1023
2007-04-30 17:38 ` Christopher J. PeBenito
@ 2007-04-30 18:17 ` Daniel J Walsh
From: Daniel J Walsh @ 2007-04-30 18:17 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: selinux, Tim Waugh
Christopher J. PeBenito wrote:
> On Fri, 2007-04-20 at 14:52 -0400, dwalsh@redhat.com wrote:
>
>> --- nsaserefpolicy/policy/modules/services/cups.te 2007-03-26 10:39:04.000000000 -0400
>> +++ serefpolicy-2.5.12/policy/modules/services/cups.te 2007-04-11 17:07:34.000000000 -0400
>> @@ -151,9 +151,11 @@
>> corenet_tcp_bind_reserved_port(cupsd_t)
>> corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
>> corenet_tcp_connect_all_ports(cupsd_t)
>> +corenet_tcp_connect_smbd_port(cupsd_t)
>> corenet_sendrecv_hplip_client_packets(cupsd_t)
>> corenet_sendrecv_ipp_client_packets(cupsd_t)
>> corenet_sendrecv_ipp_server_packets(cupsd_t)
>> +corenet_tcp_bind_all_rpc_ports(cupsd_t)
>>
>
> Any info on why it binds to these ports?
>
>
Tim, why does cupsd bind to ports 600-1023?
>> dev_rw_printer(cupsd_t)
>> dev_read_urand(cupsd_t)
>> @@ -294,6 +296,10 @@
>> ')
>>
>> optional_policy(`
>> + sendmail_domtrans(cupsd_t)
>> +')
>>
>
> Wouldn't mta_send_mail() be better?
>
Yes
>
>> +
>> +optional_policy(`
>> seutil_sigchld_newrole(cupsd_t)
>> ')
>>
>
>