From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] I think we are declaring ports incorrectly.
Date: Tue, 04 Oct 2011 11:14:41 -0400 [thread overview]
Message-ID: <4E8B22E1.3010801@redhat.com> (raw)
In-Reply-To: <4E8B0FAF.6060503@tresys.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/04/2011 09:52 AM, Christopher J. PeBenito wrote:
> On 09/30/11 14:47, Daniel J Walsh wrote:
>> Currently every network port on the system gets declared in
>> network_port interface and this calls into declare_ports, which
>> then recusively calls itself for every port defined in the
>> network_ports line. I think we need to split this up so we only
>> add one attribute to the type, and then declare the portcon.
>>
>> Currently we can end up with one port like http_port_t with
>> multiple attributes.
>>
>> # seinfo -thttp_port_t -x | grep port http_port_t port_type
>> reserved_port_type unreserved_port_type defined_port_type
>>
>>
>> network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0,
>> tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default
>> port
>>
>>
>> This happens because we call
>>
>> declare_ports(http_port_t, tcp,80,s0) -> reserved_port_type
>> declare_ports(http_port_t, tcp,443,s0) -> reserved_port_type
>> declare_ports(http_port_t, tcp,488,s0) -> reserved_port_type;
>> declare_ports(http_port_t, tcp,80087,s0) ->
>> unreserved_port_type;
>>
>> I think it would be safer and more secure to just add the
>> attribute to the lowest port definition. By splitting these into
>> three definitions.
> [...]
>> What do you think?
>
> I'm fine with this, but there is a different problem, which is we
> lose some rpc_port_types. I've got a working implementation which
> still appropriately adds rpc_port_type, and chooses
> reserved_port_type over unreserved_port_type if the type has ports
> above and below 1024. How does that sound?
>
Sounds good, on list.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk6LIuEACgkQrlYvE4MpobMAagCgxaf2ndcXk21keatvKnw9orC0
MJoAni0EC9EwNVh8R42tJLTUAh+wIaVN
=ItOl
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2011-10-04 15:14 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-30 18:47 [refpolicy] I think we are declaring ports incorrectly Daniel J Walsh
2011-10-04 13:52 ` Christopher J. PeBenito
2011-10-04 15:14 ` Daniel J Walsh [this message]
2011-10-04 20:01 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E8B22E1.3010801@redhat.com \
--to=dwalsh@redhat.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.