From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 30 Sep 2011 14:47:58 -0400
Subject: [refpolicy] I think we are declaring ports incorrectly.
Message-ID: <4E860EDE.7000207@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

# bindresvport in glibc starts searching for reserved ports at 512
define(`declare_ports',`dnl
ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
',`
ifelse(eval(range_start($3) < 32768),1,`typeattribute $1 unreserved_port_type;',`
ifelse(eval(range_start($3) > 61001),1,`typeattribute $1 unreserved_port_type;',`
typeattribute $1 ephemeral_port_type;
')
')
')
portcon $2 $3 gen_context(system_u:object_r:$1,$4)
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
')

define(`network_port',`
type $1_port_t, port_type, defined_port_type;
type $1_client_packet_t, packet_type, client_packet_type;
type $1_server_packet_t, packet_type, server_packet_type;
declare_ports($1_port_t,shift($*))dnl
')

Currently every network port on the system gets declared in the network_port
interface, and this calls into declare_ports, which then recursively calls
itself for every port defined in the network_ports line.

I think we need to split this up so we only add one attribute to the type, and
then declare the portcon. Currently we can end up with one port like
http_port_t with multiple attributes.
# seinfo -thttp_port_t -x | grep port
http_port_t
port_type
reserved_port_type
unreserved_port_type
defined_port_type

network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port

This happens because we call

declare_ports(http_port_t, tcp,80,s0) -> reserved_port_type
declare_ports(http_port_t, tcp,443,s0) -> reserved_port_type
declare_ports(http_port_t, tcp,488,s0) -> reserved_port_type;
declare_ports(http_port_t, tcp,80087,s0) -> unreserved_port_type;

I think it would be safer and more secure to just add the attribute to the
lowest port definition, by splitting these into three definitions.

define(`declare_port_type',`dnl
ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
',`
ifelse(eval(range_start($3) < 32768),1,`typeattribute $1 unreserved_port_type;',`
ifelse(eval(range_start($3) > 61001),1,`typeattribute $1 unreserved_port_type;',`
typeattribute $1 ephemeral_port_type;
')
')
')
')

# bindresvport in glibc starts searching for reserved ports at 512
define(`declare_ports',`dnl
portcon $2 $3 gen_context(system_u:object_r:$1,$4)
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
')

define(`network_port',`
type $1_port_t, port_type, defined_port_type;
type $1_client_packet_t, packet_type, client_packet_type;
type $1_server_packet_t, packet_type, server_packet_type;
declare_port_type($1_port_t,shift($*))dnl
declare_ports($1_port_t,shift($*))dnl
')

What do you think?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6GDt4ACgkQrlYvE4MpobN0xgCg10AQG/Hy8y9FxAHzGLdgE+cu
t+0AoNNc/rJMqYTQmBN03sCuTFEQMHvG
=MvSZ
-----END PGP SIGNATURE-----
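As an added example, not code from the mail above or from refpolicy, the following Python models the attribute selection that the quoted m4 macros perform, so the effect of the proposed split can be checked against the seinfo output for http_port_t. The range thresholds are copied from the macro text; range_start (a stand-in for refpolicy's m4 macro of that name), parse_network_port and the attributes_* helpers are written here for illustration, and the reordered port list mentioned in the usage note is constructed. It goes slightly beyond the mail by modelling both what declare_port_type($1_port_t,shift($*)) evaluates (the first port in the list is $3) and the lowest-port intent the mail states; the two give the same answer whenever the ports are listed in ascending order, as on the http line.

```python
import re

# Constructed input: the network_port() line quoted in the mail.
HTTP_LINE = ("network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, "
             "tcp,8008,s0, tcp,8009,s0, tcp,8443,s0)")


def range_start(port_spec):
    """Lowest port of a port argument such as '8080' or '8080-8090'.
    Stand-in for refpolicy's range_start m4 macro (assumption)."""
    return int(str(port_spec).split("-")[0])


def port_attributes(port_spec):
    """Attribute(s) one declare_ports() call attaches to the port type,
    with the thresholds exactly as in the macro text quoted in the mail."""
    start = range_start(port_spec)
    if start < 1024:
        attrs = {"reserved_port_type"}
        if start >= 512:  # bindresvport in glibc starts searching at 512
            attrs.add("rpc_port_type")
        return attrs
    if start < 32768:
        return {"unreserved_port_type"}
    if start > 61001:
        return {"unreserved_port_type"}
    return {"ephemeral_port_type"}


def parse_network_port(line):
    """Split 'network_port(name, proto,port,level, ...)' into
    (name, [(proto, port, level), ...]). Hypothetical helper; a trailing
    '#' comment, as on the mail's http line, is ignored."""
    m = re.match(r"\s*network_port\((.*)\)\s*(?:#.*)?$", line)
    if not m:
        raise ValueError("not a network_port() line: %r" % line)
    args = [a.strip() for a in m.group(1).split(",")]
    name, rest = args[0], args[1:]
    if not rest or len(rest) % 3:
        raise ValueError("expected proto,port,level triples after the name")
    triples = [tuple(rest[i:i + 3]) for i in range(0, len(rest), 3)]
    return name, triples


def attributes_current(triples):
    """Current macro: the recursive declare_ports() adds attributes for
    every port in the list, so they accumulate on the one type."""
    attrs = set()
    for _proto, port, _level in triples:
        attrs |= port_attributes(port)
    return attrs


def attributes_proposed_first(triples):
    """Proposed declare_port_type($1_port_t,shift($*)): $3 is the first
    port in the list, so only that port decides the attribute."""
    return port_attributes(triples[0][1])


def attributes_proposed_lowest(triples):
    """The intent stated in the mail: decide from the lowest port."""
    return port_attributes(min((t[1] for t in triples), key=range_start))


def is_mixed(attrs):
    """True when a type carries both reserved and unreserved attributes,
    the situation the seinfo output in the mail shows for http_port_t."""
    return {"reserved_port_type", "unreserved_port_type"} <= attrs


if __name__ == "__main__":
    name, triples = parse_network_port(HTTP_LINE + " #8443 is mod_nss default port")
    current = attributes_current(triples)
    print(name + "_port_t")
    print("  current :", sorted(current), "(mixed)" if is_mixed(current) else "")
    print("  proposed:", sorted(attributes_proposed_first(triples)))
```

Run as a script it reports http_port_t as reserved plus unreserved under the current macro (the mixed case seinfo shows) and reserved only under the proposed one. Feeding a constructed list such as tcp,8080,s0, tcp,80,s0 to attributes_proposed_first and attributes_proposed_lowest shows where the first-port and lowest-port readings part ways, which is worth knowing when reviewing network_port lines whose ports are not in ascending order.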