From: dac.override@gmail.com (Dominick Grift)
Date: Thu, 10 Mar 2016 16:17:42 +0100
Subject: [refpolicy] Enable ftpd_connect_all_unreserved boolean by default
In-Reply-To: <56E17FD8.5030607@tresys.com>
References: <56E170E2.4080302@redhat.com> <56E17F13.5020907@tresys.com> <56E17F8E.5090704@gmail.com> <56E17FD8.5030607@tresys.com>
Message-ID: <56E19016.7000207@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/10/2016 03:08 PM, Christopher J. PeBenito wrote:
> On 3/10/2016 9:07 AM, Dominick Grift wrote:
>> On 03/10/2016 03:05 PM, Christopher J. PeBenito wrote:
>>> On 3/10/2016 8:04 AM, Lukas Vrabec wrote:
>>>> Hi all,
>>>>
>>>> In current selinux-policy we have two booleans related to ftp
>>>> active/passive mode communication. Both of these booleans
>>>> are turned off by default.
>>>> ftpd_use_passive_mode (off, off)
>>>> ftpd_connect_all_unreserved (off, off)
>>>>
>>>> In this situation, the ftp daemon cannot start without changing
>>>> one of these booleans.
>>>>
>>>> I suggest enabling the "ftpd_connect_all_unreserved" boolean by
>>>> default.
>>>>
>>>> Your ideas?
>>>>
>>>> Thank you for the discussion.
>>
>>> It sounds like there may be some port labeling problems. The
>>> passive mode Boolean allows TCP binding on all unreserved ports
>>> and the connect_all allows TCP connecting to all unreserved
>>> ports. (unreserved ports means 1024-65535 that are not
>>> otherwise labeled)
>>
>> Might be related to Fedora's ephemeral_port_t?
>
> That's a good point. I'm looking at refpolicy.

I think, but I am not sure, that at anything one of the two booleans must be set. Passive mode requires binding, active mode requires connecting. The problem is that it could be either any time. So I think it would be reasonable to leave both off just to make no assumptions.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
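As an added illustration, not quoted from refpolicy's ftp.te or from anyone in this thread, this is how a pair of booleans like the two discussed above is declared and wired in refpolicy's policy language: each `gen_tunable` fixes the default, and each `tunable_policy` block grants its corenet interface only while the boolean is on. The defaults, the interface names and the `ftpd_t` wiring are written from refpolicy's general conventions and are assumptions, not the project's actual lines.

```m4
## <desc>
## <p>
## Allow ftpd to bind to all unreserved ports (passive-mode data connections).
## </p>
## </desc>
gen_tunable(ftpd_use_passive_mode, false)

## <desc>
## <p>
## Allow ftpd to connect to all unreserved ports (active-mode data connections).
## </p>
## </desc>
gen_tunable(ftpd_connect_all_unreserved, false)

# Passive mode: the server listens on a data socket bound to an unreserved
# port and the client connects in, so ftpd_t needs name_bind on the
# unreserved port types (assumed interface name).
tunable_policy(`ftpd_use_passive_mode',`
	corenet_tcp_bind_all_unreserved_ports(ftpd_t)
')

# Active mode: the server connects back to the client's unreserved port, so
# ftpd_t needs name_connect on the unreserved port types (assumed interface name).
tunable_policy(`ftpd_connect_all_unreserved',`
	corenet_tcp_connect_all_unreserved_ports(ftpd_t)
')
```

Lukas's proposal amounts to changing the second `gen_tunable` default to `true`; PeBenito's point is that a port range carrying another label (Fedora's ephemeral_port_t, for instance) is not covered by either interface, so a labeling problem would still deny the data connection with both booleans on.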