* CIL: invalid protocol (dccp portcon)
From: Dominick Grift @ 2016-03-28 12:53 UTC
To: selinux

I was adding support for syslog ports, and /etc/services indicated to
me that syslog(_tls) has support for dccp protocol. So tried to add
that support in.

However when trying to specify a portcon, secilc tells me dccp is an
invalid protocol.

e.g.

(portcon "dccp" 6514 port_obj_context)

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

* Re: CIL: invalid protocol (dccp portcon)
From: Paul Moore @ 2016-03-28 13:21 UTC
To: Dominick Grift; +Cc: selinux

On Mon, Mar 28, 2016 at 8:53 AM, Dominick Grift <dac.override@gmail.com> wrote:
> I was adding support for syslog ports, and /etc/services indicated to
> me that syslog(_tls) has support for dccp protocol. So tried to add
> that support in.
>
> However when trying to specify a portcon, secilc tells me dccp is an
> invalid protocol.
>
> e.g.
>
> (portcon "dccp" 6514 port_obj_context)

I'm not sure if the CIL toolchain checks /etc/protocols or if it uses
hardcoded values, but did you check to make sure "dccp" is listed in
/etc/protocols?

-- 
paul moore
www.paul-moore.com

* Re: CIL: invalid protocol (dccp portcon)
From: Dominick Grift @ 2016-03-28 13:22 UTC
To: Paul Moore; +Cc: selinux

On 03/28/2016 03:21 PM, Paul Moore wrote:
> On Mon, Mar 28, 2016 at 8:53 AM, Dominick Grift
> <dac.override@gmail.com> wrote:
>> I was adding support for syslog ports, and /etc/services
>> indicated to me that syslog(_tls) has support for dccp protocol.
>> So tried to add that support in.
>>
>> However when trying to specify a portcon, secilc tells me dccp is
>> an invalid protocol.
>>
>> e.g.
>>
>> (portcon "dccp" 6514 port_obj_context)
>
> I'm not sure if the CIL toolchain checks /etc/protocols or if it
> uses hardcoded values, but did you check to make sure "dccp" is
> listed in /etc/protocols?
>

Didn't check, but did now. It is in there.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

* Re: CIL: invalid protocol (dccp portcon)
From: Stephen Smalley @ 2016-03-28 13:27 UTC
To: Dominick Grift, selinux, Paul Moore, James Morris, Eric Paris

On 03/28/2016 08:53 AM, Dominick Grift wrote:
>
> I was adding support for syslog ports, and /etc/services indicated to
> me that syslog(_tls) has support for dccp protocol. So tried to add
> that support in.
>
> However when trying to specify a portcon, secilc tells me dccp is an
> invalid protocol.
>
> e.g.
>
> (portcon "dccp" 6514 port_obj_context)

Doesn't appear to be supported by the selinux userspace presently (even
apart from CIL). Not sure why. Looking back, I see the original
"SELinux support for DCCP" RFC thread, which included a (now dead) link
to patches for userspace support, but I don't see any indication that
they were ever submitted.

* Re: CIL: invalid protocol (dccp portcon)
From: Richard Haines @ 2016-03-28 13:29 UTC
To: Stephen Smalley, Dominick Grift, selinux@tycho.nsa.gov, Paul Moore, James Morris, Eric Paris

> On Monday, 28 March 2016, 14:26, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > On 03/28/2016 08:53 AM, Dominick Grift wrote:
>>
>> I was adding support for syslog ports, and /etc/services indicated to
>> me that syslog(_tls) has support for dccp protocol. So tried to add
>> that support in.
>>
>> However when trying to specify a portcon, secilc tells me dccp is an
>> invalid protocol.
>>
>> e.g.
>>
>> (portcon "dccp" 6514 port_obj_context)
>
> Doesn't appear to be supported by the selinux userspace presently (even
> apart from CIL). Not sure why. Looking back, I see the original
> "SELinux support for DCCP" RFC thread, which included a (now dead) link
> to patches for userspace support, but I don't see any indication that
> they were ever submitted.

The only valid portcon protocol types supported by the kernel and policy
statements are "tcp" and "udp". I did some time ago send RFC patches
(kernel & CIL) to add "dccp" and "sctp" but these died.

Adding support for a dccp portcon statement would not be difficult as
there is SELinux support already for the protocol (policycoreutils is a
pain though as lots of language files !!!).

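Added example, not part of the thread or of the SELinux toolchain: a pre-build check that walks a CIL source, finds every `portcon` statement at any nesting depth, and reports those whose protocol falls outside the set named in the last reply ("tcp" and "udp"). The function names, the sample policy and its type and context names are constructed for illustration.

```python
import re

# Protocols the thread's last reply names as valid in a portcon statement.
SUPPORTED = frozenset({"tcp", "udp"})

TOKEN = re.compile(r'''
    (?P<comment>;[^\n]*)     # comment: ';' to end of line
  | (?P<paren>[()])
  | (?P<string>"[^"\n]*")    # quoted string, e.g. "dccp"
  | (?P<symbol>[^\s()";]+)
  | (?P<newline>\n)
''', re.VERBOSE)

def portcon_statements(cil_text):
    """Yield (line, protocol, ports) for each portcon, at any nesting depth."""
    line, stack = 1, []          # stack: one (start_line, tokens) per open paren
    for m in TOKEN.finditer(cil_text):
        kind, text = m.lastgroup, m.group()
        if kind == "newline":
            line += 1
        elif text == "(":
            stack.append((line, []))
        elif text == ")" and stack:
            start, toks = stack.pop()
            if toks[:1] == ["portcon"] and len(toks) >= 3:
                yield start, toks[1], toks[2]
            if stack:
                stack[-1][1].append(toks)   # keep nested lists (contexts, ranges)
        elif kind in ("string", "symbol") and stack:
            stack[-1][1].append(text.strip('"'))

def unsupported_portcons(cil_text, supported=SUPPORTED):
    """Return the portcon statements whose protocol is not in `supported`."""
    return [s for s in portcon_statements(cil_text)
            if not isinstance(s[1], str) or s[1] not in supported]

# Constructed sample policy; type and context names are made up.
SAMPLE = '''\
; syslog over TLS
(portcon tcp 6514 (system_u object_r syslog_tls_port_t ((s0) (s0))))
(portcon udp 6514 syslog_port_context)
(portcon "dccp" 6514 port_obj_context)   ; the statement from the thread
(optional extra_ports
    (portcon sctp (6000 6010) port_obj_context))
'''

if __name__ == "__main__":
    for ln, proto, ports in unsupported_portcons(SAMPLE):
        print(f"line {ln}: portcon protocol {proto!r} not in {sorted(SUPPORTED)}")
```

Pass a different `supported` set when checking against a toolchain that accepts other protocols.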