From: dac.override@gmail.com (Dominick Grift)
Date: Thu, 10 Mar 2016 15:07:10 +0100
Subject: [refpolicy] Enable ftpd_connect_all_unreserved boolean by
	default
In-Reply-To: <56E17F13.5020907@tresys.com>
References: <56E170E2.4080302@redhat.com> <56E17F13.5020907@tresys.com>
Message-ID: <56E17F8E.5090704@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 03/10/2016 03:05 PM, Christopher J. PeBenito wrote:
> On 3/10/2016 8:04 AM, Lukas Vrabec wrote:
>> Hi all,
>> 
>> In current selinux-policy we have two booleans related to ftp 
>> active/passive mode communication. Both of these booleans are
>> turned off by default. ftpd_use_passive_mode          (off  ,
>> off) ftpd_connect_all_unreserved    (off  ,  off)
>> 
>> In this situation, ftp daemon cannot start without changing one
>> of this booleans.
>> 
>> I suggest enabling "ftpd_connect_all_unreserved" boolean by
>> default.
>> 
>> Your ideas?
>> 
>> 
>> Thank you for discussion.
> 
> It sounds like there may be some port labeling problems.  The
> passive mode Boolean allows TCP binding on all unreserved ports and
> the connect_all allows TCP connecting to all unreserved ports.
> (unreserved ports means 1024-65535 that are not otherwise labeled)
> 

Might be related to fedoras' ephemeral_port_t?

- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJW4X+KAAoJECV0jlU3+UdpGvkMAICRq2Eplf/NLkd/BL/DdyNQ
Ll7UHdacQhEHJVeT2xmCIgZ1zXJO1yeRKW6kwpiREF/Wdw41tb7rhnNZWWaw69rI
jGz64dX+eoeNAmGWJHLFnOU9+l2B8mt+Qz//qASTxeRoTwGBFeLJwtuq8CJBTVX/
CjTNqPAXq9Z0+5rMrkpgoW1hXHjhVziY2D0zrG1s9hA/eYDfIrmCX7F/bO7U53fv
vW7/CV8wSlQX6HVJmF7Q1XiqT3fPCdnhIUnskcJaHGgBLu6c78h1sUUUcOb3qMMO
uK/SQFcBbIkO0e9PCbKzMc7xhpWbyvvmougbGQvrAvjPYwE/zE8IOkYTHt7oTcoq
K3EfkhuRcVU2c8sf2rvIVZ/aRgRy9s4igmM9jQIChhNzYL0v9Z1F/GzFfCu4esQS
kUqoChoQfhvRkcH7sMfiQ5Deu9Gj3SYr8EJD80uNlJ2/psSiplWbZmSt+Cb245L8
jbqvEkcTrysi+jv8LvMGERbFBiMDJiingS1wQWn9wg==
=DCWQ
-----END PGP SIGNATURE-----