From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 10 Mar 2016 09:08:24 -0500
Subject: [refpolicy] Enable ftpd_connect_all_unreserved boolean by
	default
In-Reply-To: <56E17F8E.5090704@gmail.com>
References: <56E170E2.4080302@redhat.com> <56E17F13.5020907@tresys.com>
	<56E17F8E.5090704@gmail.com>
Message-ID: <56E17FD8.5030607@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 3/10/2016 9:07 AM, Dominick Grift wrote:
> On 03/10/2016 03:05 PM, Christopher J. PeBenito wrote:
>> On 3/10/2016 8:04 AM, Lukas Vrabec wrote:
>>> Hi all,
>>>
>>> In current selinux-policy we have two booleans related to ftp 
>>> active/passive mode communication. Both of these booleans are
>>> turned off by default. ftpd_use_passive_mode          (off  ,
>>> off) ftpd_connect_all_unreserved    (off  ,  off)
>>>
>>> In this situation, ftp daemon cannot start without changing one
>>> of this booleans.
>>>
>>> I suggest enabling "ftpd_connect_all_unreserved" boolean by
>>> default.
>>>
>>> Your ideas?
>>>
>>>
>>> Thank you for discussion.
> 
>> It sounds like there may be some port labeling problems.  The
>> passive mode Boolean allows TCP binding on all unreserved ports and
>> the connect_all allows TCP connecting to all unreserved ports.
>> (unreserved ports means 1024-65535 that are not otherwise labeled)
> 
> 
> Might be related to fedoras' ephemeral_port_t?

That's a good point.  I'm looking at refpolicy.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com