From: dac.override@gmail.com (Dominick Grift)
Date: Thu, 10 Mar 2016 15:07:10 +0100
Subject: [refpolicy] Enable ftpd_connect_all_unreserved boolean by default
In-Reply-To: <56E17F13.5020907@tresys.com>
References: <56E170E2.4080302@redhat.com> <56E17F13.5020907@tresys.com>
Message-ID: <56E17F8E.5090704@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/10/2016 03:05 PM, Christopher J. PeBenito wrote:
> On 3/10/2016 8:04 AM, Lukas Vrabec wrote:
>> Hi all,
>>
>> In current selinux-policy we have two booleans related to ftp
>> active/passive mode communication. Both of these booleans are
>> turned off by default.
>>
>> ftpd_use_passive_mode (off , off)
>> ftpd_connect_all_unreserved (off , off)
>>
>> In this situation, ftp daemon cannot start without changing one
>> of these booleans.
>>
>> I suggest enabling "ftpd_connect_all_unreserved" boolean by
>> default.
>>
>> Your ideas?
>>
>> Thank you for discussion.
>
> It sounds like there may be some port labeling problems. The
> passive mode Boolean allows TCP binding on all unreserved ports and
> the connect_all allows TCP connecting to all unreserved ports.
> (unreserved ports means 1024-65535 that are not otherwise labeled)

Might be related to Fedora's ephemeral_port_t?

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift