From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 4 Oct 2011 16:01:29 -0400
Subject: [refpolicy] I think we are declaring ports incorrectly.
In-Reply-To: <4E8B22E1.3010801@redhat.com>
References: <4E860EDE.7000207@redhat.com> <4E8B0FAF.6060503@tresys.com> <4E8B22E1.3010801@redhat.com>
Message-ID: <4E8B6619.3080504@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/04/11 11:14, Daniel J Walsh wrote:
> On 10/04/2011 09:52 AM, Christopher J. PeBenito wrote:
>> On 09/30/11 14:47, Daniel J Walsh wrote:
>>> Currently every network port on the system gets declared in
>>> network_port interface and this calls into declare_ports, which
>>> then recursively calls itself for every port defined in the
>>> network_ports line. I think we need to split this up so we only
>>> add one attribute to the type, and then declare the portcon.
>>>
>>> Currently we can end up with one port like http_port_t with
>>> multiple attributes.
>>>
>>> # seinfo -thttp_port_t -x | grep port
>>> http_port_t port_type reserved_port_type unreserved_port_type defined_port_type
>>>
>>> network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
>>>
>>> This happens because we call
>>>
>>> declare_ports(http_port_t, tcp,80,s0) -> reserved_port_type
>>> declare_ports(http_port_t, tcp,443,s0) -> reserved_port_type
>>> declare_ports(http_port_t, tcp,488,s0) -> reserved_port_type;
>>> declare_ports(http_port_t, tcp,80087,s0) -> unreserved_port_type;
>>>
>>> I think it would be safer and more secure to just add the
>>> attribute to the lowest port definition. By splitting these into
>>> three definitions.
>> [...]
>>> What do you think?
>
>> I'm fine with this, but there is a different problem, which is we
>> lose some rpc_port_types.
>> I've got a working implementation which still appropriately adds
>> rpc_port_type, and chooses reserved_port_type over unreserved_port_type
>> if the type has ports above and below 1024. How does that sound?
>
> Sounds good, on list.

I've committed this change.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
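As an added illustration of the attribute problem discussed in this thread (example code written here, not refpolicy's own m4 macros), the Python model below renders one network_port() declaration two ways: the old per-port recursion that unions attributes, and the single-attribute choice Chris describes (reserved_port_type wins when ports straddle 1024, rpc_port_type still added). The rpc_port_type window of 512-1023 is an assumption taken from refpolicy's convention, not stated in the thread.

```python
# Models the two declaration strategies from the refpolicy thread.
# Old: declare_ports() is called once per port and attaches an attribute
# each time, so a type with ports above and below 1024 ends up carrying
# both reserved_port_type and unreserved_port_type.
# New: one reserved/unreserved attribute per type, rpc_port_type kept.

RESERVED_LIMIT = 1024
RPC_RANGE = range(512, 1024)  # assumption: refpolicy's rpc port window


def port_attrs_old(ports):
    """Per-port recursion: union of attributes over every port."""
    attrs = []
    for _proto, port, _mls in ports:
        a = "reserved_port_type" if port < RESERVED_LIMIT else "unreserved_port_type"
        if a not in attrs:
            attrs.append(a)
        if port in RPC_RANGE and "rpc_port_type" not in attrs:
            attrs.append("rpc_port_type")
    return attrs


def port_attrs_new(ports):
    """One attribute for the whole type: reserved_port_type if any port
    is below 1024 (reserved wins when ports straddle the limit), else
    unreserved_port_type; rpc_port_type added if any port is in RPC_RANGE."""
    nums = [port for _proto, port, _mls in ports]
    attrs = ["reserved_port_type" if min(nums) < RESERVED_LIMIT else "unreserved_port_type"]
    if any(p in RPC_RANGE for p in nums):
        attrs.append("rpc_port_type")
    return attrs


def network_port(name, ports, chooser=port_attrs_new):
    """Render the type declaration and portcon lines for one network_port() call."""
    t = f"{name}_port_t"
    lines = [f"type {t}, port_type, defined_port_type, {', '.join(chooser(ports))};"]
    for proto, port, mls in ports:
        lines.append(f"portcon {proto} {port} gen_context(system_u:object_r:{t},{mls})")
    return "\n".join(lines)


# Constructed from the http_port_t example quoted in the thread.
HTTP_PORTS = [("tcp", 80, "s0"), ("tcp", 443, "s0"), ("tcp", 488, "s0"),
              ("tcp", 8008, "s0"), ("tcp", 8009, "s0"), ("tcp", 8443, "s0")]

if __name__ == "__main__":
    print(network_port("http", HTTP_PORTS, port_attrs_old))  # two attributes
    print(network_port("http", HTTP_PORTS))                  # reserved only
```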