From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 10 Mar 2016 09:08:24 -0500
Subject: [refpolicy] Enable ftpd_connect_all_unreserved boolean by default
In-Reply-To: <56E17F8E.5090704@gmail.com>
References: <56E170E2.4080302@redhat.com> <56E17F13.5020907@tresys.com> <56E17F8E.5090704@gmail.com>
Message-ID: <56E17FD8.5030607@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 3/10/2016 9:07 AM, Dominick Grift wrote:
> On 03/10/2016 03:05 PM, Christopher J. PeBenito wrote:
>> On 3/10/2016 8:04 AM, Lukas Vrabec wrote:
>>> Hi all,
>>>
>>> In current selinux-policy we have two booleans related to ftp
>>> active/passive mode communication. Both of these booleans are
>>> turned off by default.
>>>   ftpd_use_passive_mode (off, off)
>>>   ftpd_connect_all_unreserved (off, off)
>>>
>>> In this situation, the ftp daemon cannot start without changing one
>>> of these booleans.
>>>
>>> I suggest enabling the "ftpd_connect_all_unreserved" boolean by
>>> default.
>>>
>>> Your ideas?
>>>
>>> Thank you for the discussion.
>
>> It sounds like there may be some port labeling problems. The
>> passive mode Boolean allows TCP binding on all unreserved ports and
>> the connect_all allows TCP connecting to all unreserved ports.
>> (unreserved ports means 1024-65535 that are not otherwise labeled)
>
> Might be related to Fedora's ephemeral_port_t?

That's a good point. I'm looking at refpolicy.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com