From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 4 Oct 2011 09:52:47 -0400
Subject: [refpolicy] I think we are declaring ports incorrectly.
In-Reply-To: <4E860EDE.7000207@redhat.com>
References: <4E860EDE.7000207@redhat.com>
Message-ID: <4E8B0FAF.6060503@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/30/11 14:47, Daniel J Walsh wrote:
> Currently every network port on the system gets declared in
> network_port interface and this calls into declare_ports, which then
> recursively calls itself for every port defined in the network_ports
> line. I think we need to split this up so we only add one attribute
> to the type, and then declare the portcon.
>
> Currently we can end up with one port like http_port_t with multiple
> attributes.
>
> # seinfo -thttp_port_t -x | grep port
> http_port_t
> port_type
> reserved_port_type
> unreserved_port_type
> defined_port_type
>
>
> network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0,
> tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
>
>
> This happens because we call
>
> declare_ports(http_port_t, tcp,80,s0) -> reserved_port_type
> declare_ports(http_port_t, tcp,443,s0) -> reserved_port_type
> declare_ports(http_port_t, tcp,488,s0) -> reserved_port_type;
> declare_ports(http_port_t, tcp,80087,s0) -> unreserved_port_type;
>
> I think it would be safer and more secure to just add the attribute to
> the lowest port definition. By splitting these into three definitions.
[...]
> What do you think?

I'm fine with this, but there is a different problem, which is we lose
some rpc_port_types. I've got a working implementation which still
appropriately adds rpc_port_type, and chooses reserved_port_type over
unreserved_port_type if the type has ports above and below 1024.

How does that sound?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
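The two attribute-assignment schemes discussed in this thread, modelled in Python as an added illustration (this is not refpolicy's m4 code and not PeBenito's implementation). The model parses a `network_port(name, proto,num,level, ...)` call, then computes the attribute set and `portcon` statements under the current per-port recursion and under the single-attribute scheme that prefers `reserved_port_type` when a type has ports on both sides of 1024 while still adding `rpc_port_type`. The 512-1023 range used for `rpc_port_type` is an assumption about refpolicy; `port_type` and `defined_port_type` are included because they appear in the quoted `seinfo` output; the `example` port type is constructed for the demonstration.

```python
"""Model of how a network_port() macro call turns into port-type attributes and
portcon statements. Added illustration for the thread, not refpolicy's own m4."""
from dataclasses import dataclass, field

RESERVED_MAX = 1024  # ports below 1024 are reserved (privileged) ports
RPC_MIN = 512        # assumption: refpolicy treats 512-1023 as the rpc port range


@dataclass(frozen=True)
class PortDef:
    proto: str
    num: int
    level: str


@dataclass
class PolicyResult:
    attributes: set = field(default_factory=set)
    portcons: list = field(default_factory=list)


def parse_network_port(call):
    """Parse 'network_port(name, proto,num,level, ...)' into (type_name, [PortDef])."""
    call = call.strip()
    if not (call.startswith("network_port(") and call.endswith(")")):
        raise ValueError("not a network_port() call")
    args = [a.strip() for a in call[len("network_port("):-1].split(",")]
    name, rest = args[0], args[1:]
    if not rest or len(rest) % 3:
        raise ValueError("port arguments must come in proto,number,level triples")
    ports = [PortDef(rest[i], int(rest[i + 1]), rest[i + 2])
             for i in range(0, len(rest), 3)]
    return f"{name}_port_t", ports


def _portcon(type_name, p):
    return f"portcon {p.proto} {p.num} gen_context(system_u:object_r:{type_name},{p.level})"


def _base(type_name, ports):
    # port_type and defined_port_type come from the type declaration itself
    # (both appear in the seinfo output quoted in the thread)
    res = PolicyResult(attributes={"port_type", "defined_port_type"})
    res.portcons = [_portcon(type_name, p) for p in ports]
    return res


def declare_ports_current(type_name, ports):
    """Current behaviour: declare_ports recurses once per port and adds an
    attribute each time, so a type spanning 1024 collects both
    reserved_port_type and unreserved_port_type."""
    res = _base(type_name, ports)
    for p in ports:
        res.attributes.add("reserved_port_type" if p.num < RESERVED_MAX
                           else "unreserved_port_type")
        if RPC_MIN <= p.num < RESERVED_MAX:
            res.attributes.add("rpc_port_type")
    return res


def declare_ports_proposed(type_name, ports):
    """Single-attribute scheme from the thread: exactly one of reserved_ or
    unreserved_port_type per type, preferring reserved_port_type when the type
    has ports on both sides of 1024; rpc_port_type is still added when any
    port falls in the (assumed) rpc range so it is not lost."""
    res = _base(type_name, ports)
    nums = [p.num for p in ports]
    if min(nums) < RESERVED_MAX:
        res.attributes.add("reserved_port_type")
    else:
        res.attributes.add("unreserved_port_type")
    if any(RPC_MIN <= n < RESERVED_MAX for n in nums):
        res.attributes.add("rpc_port_type")
    return res


# The http declaration quoted in the thread (trailing comment removed).
HTTP_CALL = ("network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, "
             "tcp,8008,s0, tcp,8009,s0, tcp,8443,s0)")
# Constructed example spanning both the rpc range and the 1024 boundary.
RPC_CALL = "network_port(example, tcp,600,s0, udp,600,s0, tcp,2000,s0)"


if __name__ == "__main__":
    for call in (HTTP_CALL, RPC_CALL):
        name, ports = parse_network_port(call)
        print(name)
        print("  current :", sorted(declare_ports_current(name, ports).attributes))
        print("  proposed:", sorted(declare_ports_proposed(name, ports).attributes))
        for line in declare_ports_proposed(name, ports).portcons:
            print("  ", line)
```

Running it shows `http_port_t` carrying both `reserved_port_type` and `unreserved_port_type` under the current scheme and only `reserved_port_type` under the proposed one, while the constructed `example_port_t` keeps `rpc_port_type` in both; the `portcon` lines are identical either way, since only the attribute selection changes.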