From: Dominick Grift <dominick.grift@defensec.nl>
To: Paul Moore <paul@paul-moore.com>
Cc: selinux@vger.kernel.org
Subject: Re: [SELinux-notebook PATCH] network_support.md: clarify local port range and name_bind
Date: Fri, 27 May 2022 19:51:59 +0200 [thread overview]
Message-ID: <877d66eudc.fsf@defensec.nl>
In-Reply-To: <CAHC9VhSJUmLmeNQBc5-ornFqtB1v1ogjmwfVBN+VKg4qK7PSuA@mail.gmail.com> (Paul Moore's message of "Fri, 27 May 2022 13:14:00 -0400")
Paul Moore <paul@paul-moore.com> writes:
> My apologies for not replying directly to the original posting, for
> some reason this never hit my inbox.
No problem
>
> From: Dominick Grift @ 2022-05-23
>> diff --git a/src/network_support.md b/src/network_support.md
>> index bec725e..05ec0e8 100644
>> --- a/src/network_support.md
>> +++ b/src/network_support.md
>> @@ -668,6 +668,17 @@ statements):
>> semanage port -a -t my_server_port_t -p tcp -r s0 12345
>> ```
>>
>> +Ports in the local port range can be auto-assigned by the kernel to
>> +unbound sockets on first use. Controlling binding to ports is only
>> +useful when the port number is a "name" (i.e. a well-defined value that
>> +is expected to correspond to a specific service).
>> +
>> +The *name_bind* operation is not controlled on sockets associated
>> +with ports in the local port range:
>> +```
>> +sysctl net.ipv4.ip_local_port_range
>> +```
>> +
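Review bot: the second new paragraph ("The *name_bind* operation is not controlled on sockets associated with ports in the local port range") states the rule only negatively and then drops straight into a sysctl command, so a reader of network_support.md still has to infer when the check does apply and how to read the command's output. State the rule positively, for example "Only ports outside the local (ephemeral) port range are subject to the additional *name_bind* check", and follow the `sysctl net.ipv4.ip_local_port_range` snippet with a sentence saying that the two numbers printed are the inclusive low and high bounds and that the check boundary moves if an administrator changes the range. The first new paragraph's remark that controlling binding "is only useful when the port number is a 'name'" reads as an aside and can be folded into that positive statement. "Ephemeral port range" is also the term most readers will know, so use it alongside the sysctl name.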
>
> Despite the sysctl name, these ports are typically referred to as
> "ephemeral ports" and not "local ports". I would suggest the text
> below as an alternate solution, what do you think?
>
> Only ports that fall outside the local, or ephemeral, port range are
> subject to the additional *name_bind* access check. You can see the
> current ephemeral port range on your system by checking the
> *net.ipv4.ip_local_port_range* sysctl:
> ```
> sysctl net.ipv4.ip_local_port_range
> ```
Yes, looks good. I will post a V2 tomorrow.
Thanks
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
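The rule agreed in this thread, worked through in code as an added example (not part of the SELinux notebook, the patch, or the kernel): a bind() to a port inside net.ipv4.ip_local_port_range gets no *name_bind* check, while any other port is checked against the type the port carries, which is what `semanage port -a -t my_server_port_t -p tcp 12345` earlier in the notebook sets up. The sysctl output and the `semanage port -l` listing below are constructed samples; the fallback type `port_t` for ports no rule covers and the first-match lookup are assumptions labelled in the code. The example models only the rule stated in the thread; the kernel additionally applies *name_bind* to privileged ports (below net.ipv4.ip_unprivileged_port_start) whether or not the range happens to cover them, which this script does not model.

```python
"""
Model of the name_bind decision discussed in this thread: a bind() to a port
inside net.ipv4.ip_local_port_range gets no name_bind check, any other port
is checked against the type the port carries (as assigned with semanage port).
Added example, not part of the SELinux notebook or the kernel.
"""
import re

# Constructed sample of `sysctl net.ipv4.ip_local_port_range` output.
SYSCTL_SAMPLE = "net.ipv4.ip_local_port_range = 32768\t60999\n"

# Constructed sample in the layout of `semanage port -l`, including the
# my_server_port_t entry the notebook adds with
# `semanage port -a -t my_server_port_t -p tcp 12345`.
SEMANAGE_SAMPLE = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
my_server_port_t               tcp      12345
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61000-65535
unreserved_port_t              udp      1024-32767, 61000-65535
"""

# Assumption: a port that no rule covers falls back to the generic port_t type.
DEFAULT_PORT_TYPE = "port_t"


def parse_local_port_range(text):
    """Return (low, high) from sysctl output, refusing malformed values."""
    key, sep, value = text.partition("=")
    if not sep or key.strip() != "net.ipv4.ip_local_port_range":
        raise ValueError("not ip_local_port_range output: %r" % text)
    fields = value.split()
    if len(fields) != 2:
        raise ValueError("expected two numbers, got %r" % value)
    low, high = int(fields[0]), int(fields[1])
    if not 1 <= low <= high <= 65535:
        raise ValueError("invalid range %d-%d" % (low, high))
    return low, high


def parse_port_labels(text):
    """Parse `semanage port -l` style lines into (type, proto, [(lo, hi), ...])."""
    labels = []
    for line in text.splitlines():
        m = re.match(r"^(\S+_port_t)\s+(tcp|udp|sctp|dccp)\s+(.+)$", line)
        if not m:
            continue  # header, blank line, or a layout this model does not handle
        ranges = []
        for item in m.group(3).split(","):
            lo, _, hi = item.strip().partition("-")  # "22" or "1024-32767"
            ranges.append((int(lo), int(hi or lo)))
        labels.append((m.group(1), m.group(2), ranges))
    return labels


def port_type(port, proto, labels):
    """Type a bind() to port/proto is checked against.

    Assumption: the first matching entry wins; real policy orders portcon
    rules itself, so treat this as a simplification."""
    for ptype, p, ranges in labels:
        if p == proto and any(lo <= port <= hi for lo, hi in ranges):
            return ptype
    return DEFAULT_PORT_TYPE


def name_bind_check(port, proto, local_range, labels):
    """
    None when no name_bind check happens (port inside the ephemeral range);
    otherwise the (object class, permission, target type) the AVC is asked
    about, i.e. what shows up in a denial and what an allow rule must grant.
    """
    low, high = local_range
    if low <= port <= high:
        return None
    cls = {"tcp": "tcp_socket", "udp": "udp_socket"}.get(proto, proto + "_socket")
    return (cls, "name_bind", port_type(port, proto, labels))


if __name__ == "__main__":
    rng = parse_local_port_range(SYSCTL_SAMPLE)
    labels = parse_port_labels(SEMANAGE_SAMPLE)
    for port in (22, 8080, 12345, 40000):
        print(port, name_bind_check(port, "tcp", rng, labels))
```

Run against a real host by piping `sysctl net.ipv4.ip_local_port_range` and `semanage port -l` into the two parsers; the `None` result for 40000 is the case the patch describes, and the tuple for 12345 is the `tcp_socket name_bind my_server_port_t` permission the notebook's policy must allow.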
Thread overview: 5+ messages
2022-05-27 17:14 [SELinux-notebook PATCH] network_support.md: clarify local port range and name_bind Paul Moore
2022-05-27 17:51 ` Dominick Grift [this message]
2022-05-27 18:04 ` [PATCH v2] " Dominick Grift
2022-05-27 19:06 ` Paul Moore
2022-05-23 7:06 [SELinux-notebook PATCH] " Dominick Grift