From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: unreserved_port_t
Date: Thu, 04 Mar 2021 15:18:39 +0100
In-Reply-To: <1956679.fmg26ZhMKt@liv> (Russell Coker's message of "Wed, 03 Mar 2021 21:26:37 +1100")
List-ID: selinux-refpolicy@vger.kernel.org

Russell Coker writes:

> How are we supposed to write policy for programs that bind to random unused
> ports >1024? There doesn't seem to be any macro that allows binding to
> unreserved_port_t except corenet_tcp_bind_all_unreserved_ports() which is too
> permissive.

Seems like corenet_tcp_bind_unreserved_ports() is currently missing. Please add.

There is a corenet_tcp_bind_reserved_ports().

--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
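As an added illustration, not code from refpolicy or from either poster: a sketch of what the requested interface could look like, written in refpolicy's m4 interface style. It assumes that unreserved_port_t is the type of ports above 1024 that have no specific port type assigned, that the existing corenet_tcp_bind_all_unreserved_ports() grants name_bind on the broader unreserved_port_type attribute, and that create_socket_perms is available; the interface body and the domain name myapp_t are hypothetical.

```m4
## <summary>
##	Bind TCP sockets only to ports above 1024 that carry no
##	specific port type (unreserved_port_t). Unlike
##	corenet_tcp_bind_all_unreserved_ports(), this does not
##	cover ports that have their own type (for example a
##	web cache port), so a daemon that picks a random free
##	port gets what it needs and nothing more.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to bind.
##	</summary>
## </param>
#
interface(`corenet_tcp_bind_unreserved_ports',`
	gen_require(`
		type unreserved_port_t;
	')

	# The catch-all type only: the assumption is that
	# the existing "all" variant instead targets the
	# unreserved_port_type attribute, which every port
	# type above 1024 carries, hence the wider grant.
	allow $1 unreserved_port_t:tcp_socket name_bind;
	allow $1 self:tcp_socket create_socket_perms;
')

# Usage in a module's .te file for a daemon that binds a random
# unused port above 1024 (myapp_t is a hypothetical domain):
#
#	corenet_tcp_bind_unreserved_ports(myapp_t)
#
# A quick check after loading the policy, using the type rather
# than the attribute, would be: sesearch -A -s myapp_t
# -t unreserved_port_t -c tcp_socket -p name_bind, which should
# show this rule and no rule for other port types.
```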