From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 17 Aug 2011 03:58:59 +0000
Subject: [refpolicy] [PATCH 1/1] Allow NFS daemon to listen on an UDP port
In-Reply-To:
References: <20110813191106.GA19074@siphos.be> <4E4AC530.7000208@tresys.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Aug 16, 2011 at 7:29 PM, Christopher J. PeBenito wrote:
> On 8/13/2011 3:11 PM, Sven Vermeulen wrote:
>> To support NFS over UDP, we should allow rpcd_t to listen on a udp_socket.
>
> I'm confused. I don't see any UDP port binding for rpcd_t.

It's pulled in through rpc_domain_template:

rpc.te: rpc_domain_template(rpc) --> corenet_udp_bind_generic_port($1_t)

To be honest, I'm also confused (but that's due to inexperience) why listen isn't part of create_socket_perms. If one creates a socket & binds to it, what cases are there that you don't listen on it? What is the need for create_stream_socket_perms?

Considering that, the patch might be best within the rpc_domain_template() template, considering that it currently reads:

allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;

so the second line might then be best changed to create_stream_socket_perms. But I'll need to check first if this is needed for nfsd_t and gssd_t too.

Wkr,
Sven Vermeulen

PS Sorry Christopher for remailing, got the wrong To again. Heh.
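To make the difference between the two permission sets concrete, here is an added example (not part of the thread or of refpolicy itself) that expands refpolicy's m4 permission-set macros and reports which kernel permissions the proposed swap in rpc_domain_template would newly grant on udp_socket. The macro bodies are assumed to match refpolicy's policy/support/obj_perm_sets.spt; the allow-rule parser only handles the simple one-line form quoted in the mail.

```python
"""Expand refpolicy permission-set macros and diff two allow rules."""
import re

# Assumed copy of the relevant definitions from
# refpolicy's policy/support/obj_perm_sets.spt (verify against your tree).
PERM_SETS = {
    "rw_socket_perms": "{ ioctl read getattr write setattr append "
                       "bind connect getopt setopt shutdown }",
    "create_socket_perms": "{ create rw_socket_perms }",
    "rw_stream_socket_perms": "{ rw_socket_perms listen accept }",
    "create_stream_socket_perms": "{ create_socket_perms listen accept }",
}

# Matches the simple form used in rpc_domain_template:
#   allow $1_t self:udp_socket create_socket_perms;
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(\S+);")


def expand(name: str, visited: frozenset = frozenset()) -> frozenset:
    """Recursively flatten a perm-set macro into the kernel permissions
    it grants; a token that is not a macro is a bare permission."""
    if name not in PERM_SETS:
        return frozenset({name})
    if name in visited:
        raise ValueError(f"cycle in perm set definitions at {name}")
    perms = frozenset()
    for tok in PERM_SETS[name].strip("{} ").split():
        perms |= expand(tok, visited | {name})
    return perms


def rule_perms(rule: str):
    """Parse one allow rule and return (source, target, class, perms)."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a simple allow rule: {rule!r}")
    src, tgt, cls, pset = m.groups()
    return src, tgt, cls, expand(pset)


def added_by_change(old_rule: str, new_rule: str) -> frozenset:
    """Permissions the new rule grants that the old rule did not."""
    return rule_perms(new_rule)[3] - rule_perms(old_rule)[3]


if __name__ == "__main__":
    old = "allow $1_t self:udp_socket create_socket_perms;"
    new = "allow $1_t self:udp_socket create_stream_socket_perms;"
    print("newly granted on udp_socket:", sorted(added_by_change(old, new)))
```

The output shows that the swap adds exactly listen and accept; everything needed to create and bind the socket is already in create_socket_perms.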