|
 |
e65efd |
From 53c27e891b9053a9bbbbca5a854deb4fc526a8a2 Mon Sep 17 00:00:00 2001
|
|
|
e65efd |
From: Masatake YAMATO <yamato@redhat.com>
|
|
|
e65efd |
Date: Thu, 14 Dec 2017 15:57:58 +0900
|
|
|
e65efd |
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
|
|
|
e65efd |
|
|
|
e65efd |
Currently only reserved_port_t, port_t and hi_reserved_port_t are
|
|
|
e65efd |
handled as special when making a ports-dictionary. However, as fas as
|
|
|
e65efd |
corenetwork.te.in of serefpolicy, unreserved_port_t and
|
|
|
e65efd |
ephemeral_port_t should be handled in the same way, too.
|
|
|
e65efd |
|
|
|
e65efd |
(Details) I found the need of this change when I was using
|
|
|
e65efd |
selinux-polgengui. Though tcp port 12345, which my application may
|
|
|
e65efd |
use, was given to the gui, selinux-polgengui generates expected te
|
|
|
e65efd |
file and sh file which didn't utilize the tcp port.
|
|
|
e65efd |
|
|
|
e65efd |
selinux-polgengui checks whether a port given via gui is already typed
|
|
|
e65efd |
or not.
|
|
|
e65efd |
|
|
|
e65efd |
If it is already typed, selinux-polgengui generates a te file having
|
|
|
e65efd |
rules to allow the application to use the port. (A)
|
|
|
e65efd |
|
|
|
e65efd |
If not, it seems for me that selinux-polgengui is designed to generate
|
|
|
e65efd |
a te file having rules to allow the application to own(?) the port;
|
|
|
e65efd |
and a sh file having a command line to assign the application own type
|
|
|
e65efd |
to the port. (B)
|
|
|
e65efd |
|
|
|
e65efd |
As we can see the output of `semanage port -l' some of ports for
|
|
|
e65efd |
specified purpose have types already. The important point is that the
|
|
|
e65efd |
rest of ports also have types already:
|
|
|
e65efd |
|
|
|
e65efd |
hi_reserved_port_t tcp 512-1023
|
|
|
e65efd |
hi_reserved_port_t udp 512-1023
|
|
|
e65efd |
unreserved_port_t tcp 1024-32767, 61001-65535
|
|
|
e65efd |
unreserved_port_t udp 1024-32767, 61001-65535
|
|
|
e65efd |
ephemeral_port_t tcp 32768-61000
|
|
|
e65efd |
ephemeral_port_t udp 32768-61000
|
|
|
e65efd |
|
|
|
e65efd |
As my patch shows, the original selinux-polgengui ignored
|
|
|
e65efd |
hi_reserved_port_t; though hi_reserved_port_t is assigned,
|
|
|
e65efd |
selinux-polgengui considered ports 512-1023 are not used. As the
|
|
|
e65efd |
result selinux-polgengui generates file sets of (B).
|
|
|
e65efd |
|
|
|
e65efd |
For the purpose of selinux-polgengui, I think unreserved_port_t and
|
|
|
e65efd |
ephemeral_port_t are treated as the same as hi_reserved_port_t.
|
|
|
e65efd |
|
|
|
e65efd |
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
|
|
|
e65efd |
|
|
|
e65efd |
Fedora only patch:
|
|
|
e65efd |
https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redhat.com/
|
|
|
e65efd |
---
|
|
|
e65efd |
python/sepolicy/sepolicy/generate.py | 4 +++-
|
|
|
e65efd |
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
e65efd |
|
|
|
e65efd |
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
|
|
|
e65efd |
index 43180ca6fda4..d60a08e1d72c 100644
|
|
|
e65efd |
--- a/python/sepolicy/sepolicy/generate.py
|
|
|
e65efd |
+++ b/python/sepolicy/sepolicy/generate.py
|
|
|
e65efd |
@@ -99,7 +99,9 @@ def get_all_ports():
|
|
|
e65efd |
for p in sepolicy.info(sepolicy.PORT):
|
|
|
e65efd |
if p['type'] == "reserved_port_t" or \
|
|
|
e65efd |
p['type'] == "port_t" or \
|
|
|
e65efd |
- p['type'] == "hi_reserved_port_t":
|
|
|
e65efd |
+ p['type'] == "hi_reserved_port_t" or \
|
|
|
e65efd |
+ p['type'] == "ephemeral_port_t" or \
|
|
|
e65efd |
+ p['type'] == "unreserved_port_t":
|
|
|
e65efd |
continue
|
|
|
e65efd |
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
|
|
|
e65efd |
return dict
|
|
|
e65efd |
--
|
|
|
e65efd |
2.32.0
|
|
|
e65efd |
|