From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 04 Oct 2011 11:14:41 -0400
Subject: [refpolicy] I think we are declaring ports incorrectly.
In-Reply-To: <4E8B0FAF.6060503@tresys.com>
References: <4E860EDE.7000207@redhat.com> <4E8B0FAF.6060503@tresys.com>
Message-ID: <4E8B22E1.3010801@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/04/2011 09:52 AM, Christopher J. PeBenito wrote:
> On 09/30/11 14:47, Daniel J Walsh wrote:
>> Currently every network port on the system gets declared in the
>> network_port interface and this calls into declare_ports, which
>> then recursively calls itself for every port defined in the
>> network_ports line. I think we need to split this up so we only
>> add one attribute to the type, and then declare the portcon.
>>
>> Currently we can end up with one port like http_port_t with
>> multiple attributes.
>>
>> # seinfo -thttp_port_t -x | grep port
>> http_port_t port_type reserved_port_type unreserved_port_type defined_port_type
>>
>> network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
>>
>> This happens because we call
>>
>> declare_ports(http_port_t, tcp,80,s0) -> reserved_port_type
>> declare_ports(http_port_t, tcp,443,s0) -> reserved_port_type
>> declare_ports(http_port_t, tcp,488,s0) -> reserved_port_type;
>> declare_ports(http_port_t, tcp,80087,s0) -> unreserved_port_type;
>>
>> I think it would be safer and more secure to just add the
>> attribute to the lowest port definition, by splitting these into
>> three definitions.
> [...]
>> What do you think?
>
> I'm fine with this, but there is a different problem, which is we
> lose some rpc_port_types. I've got a working implementation which
> still appropriately adds rpc_port_type, and chooses
> reserved_port_type over unreserved_port_type if the type has ports
> above and below 1024. How does that sound?

Sounds good, on list.
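The attribute-resolution rule agreed in this thread, as an added illustration that is not refpolicy code: the per-port recursion is modelled beside a whole-type resolution that picks reserved_port_type over unreserved_port_type when ports fall on both sides of 1024 and still adds rpc_port_type. The rpc range 512-1023 and the output layout are assumptions for the example.

```python
# Constructed model of the two port-declaration strategies discussed on the list.
# Not refpolicy's m4; the rpc range (512-1023) is an assumption of this example.
RESERVED_MAX = 1023            # ports below 1024 are reserved (per the thread)
RPC_RANGE = range(512, 1024)   # assumed rpc port range

def per_port_attrs(port):
    """Attributes one declare_ports() call would add for a single port."""
    attrs = {"port_type"}
    attrs.add("reserved_port_type" if port <= RESERVED_MAX else "unreserved_port_type")
    if port in RPC_RANGE:
        attrs.add("rpc_port_type")
    return attrs

def recursive_attrs(ports):
    """Old behaviour: declare_ports recurses per tuple, so attributes accumulate
    and a type can end up both reserved and unreserved."""
    attrs = set()
    for _proto, port, _mls in ports:
        attrs |= per_port_attrs(port)
    return attrs

def resolved_attrs(ports):
    """Proposed behaviour: one reserved/unreserved decision for the whole type.
    reserved_port_type wins if any port is below 1024; rpc_port_type is kept."""
    numbers = [port for _proto, port, _mls in ports]
    attrs = {"port_type"}
    attrs.add("reserved_port_type" if min(numbers) <= RESERVED_MAX
              else "unreserved_port_type")
    if any(p in RPC_RANGE for p in numbers):
        attrs.add("rpc_port_type")
    return attrs

def network_port(name, ports):
    """Render typeattribute and portcon lines for a port type (assumed layout)."""
    t = f"{name}_port_t"
    lines = [f"typeattribute {t} {a};" for a in sorted(resolved_attrs(ports))]
    lines += [f"portcon {proto} {port} gen_context(system_u:object_r:{t},{mls})"
              for proto, port, mls in ports]
    return lines

# Constructed input: the http ports quoted in the thread.
HTTP_PORTS = [("tcp", 80, "s0"), ("tcp", 443, "s0"), ("tcp", 488, "s0"),
              ("tcp", 8008, "s0"), ("tcp", 8009, "s0"), ("tcp", 8443, "s0")]

if __name__ == "__main__":
    print("recursive:", sorted(recursive_attrs(HTTP_PORTS)))
    print("resolved: ", sorted(resolved_attrs(HTTP_PORTS)))
    print("\n".join(network_port("http", HTTP_PORTS)))
```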