* CIL: invalid protocol (dccp portcon)
@ 2016-03-28 12:53 Dominick Grift
  2016-03-28 13:21 ` Paul Moore
  2016-03-28 13:27 ` Stephen Smalley
  0 siblings, 2 replies; 5+ messages in thread
From: Dominick Grift @ 2016-03-28 12:53 UTC (permalink / raw)
  To: selinux


I was adding support for syslog ports, and /etc/services indicated to
me that syslog(_tls) has support for dccp protocol. So tried to add
that support in.

However when trying to specify a portcon, secilc tells me dccp is an
invalid protocol.

e.g.

(portcon "dccp" 6514 port_obj_context)

- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

* Re: CIL: invalid protocol (dccp portcon)
  2016-03-28 12:53 CIL: invalid protocol (dccp portcon) Dominick Grift
@ 2016-03-28 13:21 ` Paul Moore
  2016-03-28 13:22   ` Dominick Grift
  2016-03-28 13:27 ` Stephen Smalley
  1 sibling, 1 reply; 5+ messages in thread
From: Paul Moore @ 2016-03-28 13:21 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux

On Mon, Mar 28, 2016 at 8:53 AM, Dominick Grift <dac.override@gmail.com> wrote:
> I was adding support for syslog ports, and /etc/services indicated to
> me that syslog(_tls) has support for dccp protocol. So tried to add
> that support in.
>
> However when trying to specify a portcon, secilc tells me dccp is an
> invalid protocol.
>
> e.g.
>
> (portcon "dccp" 6514 port_obj_context)

I'm not sure if the CIL toolchain checks /etc/protocols or if it uses
hardcoded values, but did you check to make sure "dccp" is listed in
/etc/protocols?

-- 
paul moore
www.paul-moore.com

* Re: CIL: invalid protocol (dccp portcon)
  2016-03-28 13:21 ` Paul Moore
@ 2016-03-28 13:22   ` Dominick Grift
  0 siblings, 0 replies; 5+ messages in thread
From: Dominick Grift @ 2016-03-28 13:22 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

On 03/28/2016 03:21 PM, Paul Moore wrote:
> On Mon, Mar 28, 2016 at 8:53 AM, Dominick Grift
> <dac.override@gmail.com> wrote:
>> I was adding support for syslog ports, and /etc/services
>> indicated to me that syslog(_tls) has support for dccp protocol.
>> So tried to add that support in.
>> 
>> However when trying to specify a portcon, secilc tells me dccp is
>> an invalid protocol.
>> 
>> e.g.
>> 
>> (portcon "dccp" 6514 port_obj_context)
> 
> I'm not sure if the CIL toolchain checks /etc/protocols or if it
> uses hardcoded values, but did you check to make sure "dccp" is
> listed in /etc/protocols?
> 

didn't check, but did now. It is in there.

- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

* Re: CIL: invalid protocol (dccp portcon)
  2016-03-28 12:53 CIL: invalid protocol (dccp portcon) Dominick Grift
  2016-03-28 13:21 ` Paul Moore
@ 2016-03-28 13:27 ` Stephen Smalley
  2016-03-28 13:29   ` Richard Haines
  1 sibling, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2016-03-28 13:27 UTC (permalink / raw)
  To: Dominick Grift, selinux, Paul Moore, James Morris, Eric Paris

On 03/28/2016 08:53 AM, Dominick Grift wrote:
> 
> I was adding support for syslog ports, and /etc/services indicated to
> me that syslog(_tls) has support for dccp protocol. So tried to add
> that support in.
> 
> However when trying to specify a portcon, secilc tells me dccp is an
> invalid protocol.
> 
> e.g.
> 
> (portcon "dccp" 6514 port_obj_context)

Doesn't appear to be supported by the selinux userspace presently (even
apart from CIL).  Not sure why.  Looking back, I see the original
"SELinux support for DCCP" RFC thread, which included a (now dead) link
to patches for userspace support, but I don't see any indication that
they were ever submitted.

* Re: CIL: invalid protocol (dccp portcon)
  2016-03-28 13:27 ` Stephen Smalley
@ 2016-03-28 13:29   ` Richard Haines
  0 siblings, 0 replies; 5+ messages in thread
From: Richard Haines @ 2016-03-28 13:29 UTC (permalink / raw)
  To: Stephen Smalley, Dominick Grift, selinux@tycho.nsa.gov,
	Paul Moore, James Morris, Eric Paris

> On Monday, 28 March 2016, 14:26, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 03/28/2016 08:53 AM, Dominick Grift wrote:
>> 
>>  I was adding support for syslog ports, and /etc/services indicated to
>>  me that syslog(_tls) has support for dccp protocol. So tried to add
>>  that support in.
>> 
>>  However when trying to specify a portcon, secilc tells me dccp is an
>>  invalid protocol.
>> 
>>  e.g.
>> 
>>  (portcon "dccp" 6514 port_obj_context)
> 
> Doesn't appear to be supported by the selinux userspace presently (even
> apart from CIL).  Not sure why.  Looking back, I see the original
> "SELinux support for DCCP" RFC thread, which included a (now dead) link
> to patches for userspace support, but I don't see any indication that
> they were ever submitted.

The only valid portcon protocol types supported by the kernel and policy
statements are "tcp" and "udp". I did some time ago send RFC patches
(kernel & CIL) to add "dccp" and "sctp" but these died. Adding support
for a dccp portcon statement would not be difficult as there is SELinux
support already for the protocol (policycoreutils is a pain though as
lots of language files !!!).
^ permalink raw reply	[flat|nested] 5+ messages in thread
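
The point made in the replies above (portcon accepting only "tcp" and "udp" at the time), as an added example that is not part of the thread or of the SELinux userspace code: a pre-build check that parses CIL text and reports portcon statements with any other protocol. The function names, the sample policy and the 16-bit port sanity check are assumptions of this example.

```python
import re

SUPPORTED_PROTOCOLS = {"tcp", "udp"}  # per the thread, as of March 2016
TOKEN = re.compile(r';[^\n]*|\(|\)|"[^"]*"|[^\s()";]+')  # comment, parens, string, symbol
# Constructed sample policy text, not from a real policy module.
SAMPLE_CIL = """\
; constructed sample
(portcon tcp 6514 port_obj_context)
(portcon udp (6514 6515) port_obj_context)
(portcon "dccp" 6514 port_obj_context)
(block syslog (portcon sctp 70000 port_obj_context))
"""

def parse(text):
    """Parse CIL text into nested lists; element 0 of each list is its line number."""
    stack = [[]]
    for m in TOKEN.finditer(text):
        tok = m.group()
        if tok == "(":
            node = [text.count("\n", 0, m.start()) + 1]
            stack[-1].append(node)
            stack.append(node)
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            stack.pop()
        elif not tok.startswith(";"):  # comments run to end of line and are skipped
            stack[-1].append(tok.strip('"'))
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def check_portcons(items, findings=None):
    """Return (line, message) for each problem found in portcon statements."""
    findings = [] if findings is None else findings
    for node in (n for n in items if isinstance(n, list)):
        line, body = node[0], node[1:]
        if not body or body[0] != "portcon":
            check_portcons(body, findings)  # descend into blocks and other containers
        elif len(body) != 4:
            findings.append((line, "portcon needs protocol, port and context"))
        else:
            proto, port = body[1], body[2]
            if not isinstance(proto, str) or proto not in SUPPORTED_PROTOCOLS:
                findings.append((line, f"unsupported protocol {proto!r}"))
            ports = port[1:] if isinstance(port, list) else [port]  # single port or (low high)
            ok = len(ports) in (1, 2) and all(isinstance(p, str) and p.isdecimal() and int(p) <= 65535 for p in ports)
            if not ok or int(ports[0]) > int(ports[-1]):
                findings.append((line, f"bad port or range {ports}"))
    return findings
```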
