* [refpolicy] TCP server howto

From: Daniel J Walsh @ 2009-03-02 16:58 UTC
To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jan Kasprzak wrote:
> Dominick Grift wrote:
> : I think corenet_reserved_port() is what you are looking for.
> :
> 	Thanks for the hint. It is _almost_ exactly as you wrote,
> except:
>
> : # Declarations
> :
> : type my_port_t;
> : corenet_reserved_port(my_port_t)
> :
> : # Policy
> :
> : corenet_all_recvfrom_unlabeled($1)
> : corenet_all_recvfrom_netlabel($1)
> : corenet_tcp_sendrecv_generic_if($1)
> : corenet_tcp_sendrecv_generic_node($1)
> : corenet_tcp_sendrecv_all_ports($1)
> - corenet_tcp_bind_generic_node($1)
> + corenet_tcp_bind_inadrr_any_node($1)
>
> : allow $1 my_port_t:tcp_socket name_bind;
>
> + allow $1 self:capability net_bind_service;
> + allow $1 self:tcp_socket create_stream_socket_perms;
>
> : #EOF
> :
> : sudo semanage port -a -t my_port_t -p tcp 40
>
> 	I would however like to have a really-high-level macro (or two)
> to do the above - I guess this is what many users would like to do
> - saying "this context belongs to my port", and "this domain can run
> a TCP server on this port". Similar to the way the files_pid_file()
> and files_pid_filetrans() macros allow for the
> "I want to have my own PID file in /var/run" case.
>
> 	Would it be acceptable to submit this as a patch for inclusion
> in the upstream policy?
>
> 	I would like to have other things included upstream as well - for
> example, now I have policy bits for Perl: file contexts for
> /usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying
> "this domain can run Perl scripts".
>
> 	Thanks,
>
> -Yenya
>

Yenya, take this discussion to the refpolicy list
<refpolicy@oss.tresys.com>
Better to discuss it there.

I think having a higher-level template for creating a tcp or udp port
would not be a bad idea. See what upstream thinks.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmsDzYACgkQrlYvE4MpobNJHwCfZ5YbOsiYpBATkbTZyCqkZWh+
wGUAn1qN1EySr3iW5Pn4TO8aDrhJKZRA
=+xoQ
-----END PGP SIGNATURE-----
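Review bot: the interface name on the `+ corenet_tcp_bind_inadrr_any_node($1)` line looks misspelled; the refpolicy interface is `corenet_tcp_bind_inaddr_any_node`, and as written the module will not build, because m4 leaves an undefined macro call as literal text and checkmodule then rejects it. The snippet also mixes a concrete declaration (`type my_port_t;`) with interface-style `$1` placeholders: if it is meant as a .te block, replace `$1` with the server domain; if it is meant as an interface in a .if file, keep the `type` declaration in the .te and pass the port type in as a second parameter. The `allow $1 self:capability net_bind_service;` line is needed only because port 40 is below 1024, which is also why `corenet_reserved_port()` rather than a plain port type is used; the `semanage port -a` step is still required at runtime, since declaring the type in policy does not by itself map port 40 to it.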
* [refpolicy] TCP server howto

From: Christopher J. PeBenito @ 2009-03-05 14:23 UTC
To: refpolicy

On Mon, 2009-03-02 at 11:58 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jan Kasprzak wrote:
> > Dominick Grift wrote:
> > : I think corenet_reserved_port() is what you are looking for.
> > :
> > 	Thanks for the hint. It is _almost_ exactly as you wrote,
> > except:
> >
> > : # Declarations
> > :
> > : type my_port_t;
> > : corenet_reserved_port(my_port_t)
> > :
> > : # Policy
> > :
> > : corenet_all_recvfrom_unlabeled($1)
> > : corenet_all_recvfrom_netlabel($1)
> > : corenet_tcp_sendrecv_generic_if($1)
> > : corenet_tcp_sendrecv_generic_node($1)
> > : corenet_tcp_sendrecv_all_ports($1)
> > - corenet_tcp_bind_generic_node($1)
> > + corenet_tcp_bind_inadrr_any_node($1)
> >
> > : allow $1 my_port_t:tcp_socket name_bind;
> >
> > + allow $1 self:capability net_bind_service;
> > + allow $1 self:tcp_socket create_stream_socket_perms;
> >
> > : #EOF
> > :
> > : sudo semanage port -a -t my_port_t -p tcp 40
> >
> > 	I would however like to have a really-high-level macro (or two)
> > to do the above - I guess this is what many users would like to do
> > - saying "this context belongs to my port", and "this domain can run
> > a TCP server on this port". Similar to the way the files_pid_file()
> > and files_pid_filetrans() macros allow for the
> > "I want to have my own PID file in /var/run" case.
> >
> > 	Would it be acceptable to submit this as a patch for inclusion
> > in the upstream policy?
> >
> > 	I would like to have other things included upstream as well - for
> > example, now I have policy bits for Perl: file contexts for
> > /usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying
> > "this domain can run Perl scripts".
> >
> > 	Thanks,
> >
> > -Yenya
> >
> Yenya, take this discussion to the refpolicy list
> <refpolicy@oss.tresys.com>
> Better to discuss it there.  I think having a higher-level template for
> creating a tcp or udp port would not be a bad idea. See what upstream
> thinks.

I'm willing to consider it, but it'll need a good name.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
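The higher-level template Jan asks for and Chris says he is willing to consider, sketched here as an added example in refpolicy's m4 interface syntax. It is not code from refpolicy or from anyone in the thread: the template name `mymod_tcp_server_template` is a placeholder (Chris's "good name" is still open), `corenet_port()` is assumed to exist as the unreserved counterpart of the page's `corenet_reserved_port()`, and the bind interface is written `corenet_tcp_bind_inaddr_any_node`, on the assumption that the thread's "inadrr" is a typo. Everything else is the list of interfaces and allow rules from Jan's message, folded into one call.

```m4
## <summary>
##	Declare a port type and allow a domain to run a TCP server on it.
##	Placeholder name; added example, not a refpolicy interface.
## </summary>
## <param name="domain">
##	<summary>Domain of the server process, e.g. myservice_t.</summary>
## </param>
## <param name="port_type">
##	<summary>Port type to declare, e.g. myservice_port_t.</summary>
## </param>
## <param name="range">
##	<summary>"reserved" for ports below 1024, "unreserved" otherwise.</summary>
## </param>
template(`mymod_tcp_server_template',`
	# "this context belongs to my port": declare the port type and attach
	# the port_type attribute.  Below 1024 the port is reserved, so the
	# domain also needs CAP_NET_BIND_SERVICE; above it, neither is required.
	type $2;
	ifelse(`$3',`reserved',`
		corenet_reserved_port($2)
		allow $1 self:capability net_bind_service;
	',`
		corenet_port($2)
	')

	# "this domain can run a TCP server on this port": create the listening
	# socket, talk to any interface/node, and accept from any peer port.
	allow $1 self:tcp_socket create_stream_socket_perms;
	corenet_all_recvfrom_unlabeled($1)
	corenet_all_recvfrom_netlabel($1)
	corenet_tcp_sendrecv_generic_if($1)
	corenet_tcp_sendrecv_generic_node($1)
	corenet_tcp_sendrecv_all_ports($1)
	corenet_tcp_bind_inaddr_any_node($1)

	# Bind only the declared port type.  This is the whole point of the
	# template: the domain never gets a blanket bind to all ports.
	allow $1 $2:tcp_socket name_bind;
')

# Usage from a hypothetical myservice.te:
#
#	type myservice_t;
#	mymod_tcp_server_template(myservice_t, myservice_port_t, reserved)
#
# and, after loading the module, the port number still has to be mapped to
# the new type exactly as in the thread:
#
#	semanage port -a -t myservice_port_t -p tcp 40
```

The split into a `range` parameter keeps `net_bind_service` out of domains that listen on unreserved ports, which is the least-privilege detail most easily lost when each module copies the rules by hand.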