* [refpolicy] TCP server howto
From: Daniel J Walsh @ 2009-03-02 16:58 UTC (permalink / raw)
  To: refpolicy

Jan Kasprzak wrote:
> Dominick Grift wrote:
> : I think corenet_reserved_port() is what you are looking for.
> : 
> 	Thanks for the hint. It is _almost_ exactly as you wrote,
> except:
> 
> : # Declarations
> : 
> : type my_port_t;
> : corenet_reserved_port(my_port_t)
> : 
> : # Policy
> : 
> : corenet_all_recvfrom_unlabeled($1)
> : corenet_all_recvfrom_netlabel($1)
> : corenet_tcp_sendrecv_generic_if($1)
> : corenet_tcp_sendrecv_generic_node($1)
> : corenet_tcp_sendrecv_all_ports($1)
> - corenet_tcp_bind_generic_node($1)
> + corenet_tcp_bind_inadrr_any_node($1)
> 
> : allow $1 my_port_t:tcp_socket name_bind;
> 
> + allow $1 self:capability net_bind_service;
> + allow $1 self:tcp_socket create_stream_socket_perms;
> 
> : #EOF
> : 
> : sudo semanage port -a -t my_port_t -p tcp 40
> 
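Review bot: the "+" line corenet_tcp_bind_inadrr_any_node($1) is misspelled; the refpolicy interface is corenet_tcp_bind_inaddr_any_node, and with the typo m4 leaves the call unexpanded, so the module will not compile. The rest of the substitution is consistent with the snippet: refpolicy labels 0.0.0.0 as its own node, so a server listening on all addresses needs the inaddr_any bind, and the added "allow $1 self:capability net_bind_service;" matches the port being 40, i.e. below 1024, which is also why corenet_reserved_port(my_port_t) rather than corenet_port() is the right declaration for it.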
> 	I would however like to have a really-high-level macro (or two)
> to do the above - I guess this is what many users would like to do
> - saying "this context belongs to my port", and "this domain can run
> a TCP server on this port", similarly to how the files_pid_file()
> and files_pid_filetrans() macros allow for the
> "I want to have my own PID file in /var/run" case.
> 
> 	Would it be acceptable to submit this as a patch for inclusion
> in the upstream policy?
> 
> 	I would like to have other things included upstream as well - for
> example, now I have policy bits for Perl: file contexts for
> /usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying
> "this domain can run Perl scripts".
> 
> 	Thanks,
> 
> -Yenya
> 

Yenya, take this discussion to the refpolicy list

<refpolicy@oss.tresys.com>

Better to discuss it there.  I think having a higher level template for
creating a tcp or udp port would not be a bad idea.  See what upstream
thinks.



* [refpolicy] TCP server howto
From: Christopher J. PeBenito @ 2009-03-05 14:23 UTC (permalink / raw)
  To: refpolicy

On Mon, 2009-03-02 at 11:58 -0500, Daniel J Walsh wrote:
> Jan Kasprzak wrote:
> > Dominick Grift wrote:
> > : I think corenet_reserved_port() is what you are looking for.
> > : 
> > 	Thanks for the hint. It is _almost_ exactly as you wrote,
> > except:
> > 
> > : # Declarations
> > : 
> > : type my_port_t;
> > : corenet_reserved_port(my_port_t)
> > : 
> > : # Policy
> > : 
> > : corenet_all_recvfrom_unlabeled($1)
> > : corenet_all_recvfrom_netlabel($1)
> > : corenet_tcp_sendrecv_generic_if($1)
> > : corenet_tcp_sendrecv_generic_node($1)
> > : corenet_tcp_sendrecv_all_ports($1)
> > - corenet_tcp_bind_generic_node($1)
> > + corenet_tcp_bind_inadrr_any_node($1)
> > 
> > : allow $1 my_port_t:tcp_socket name_bind;
> > 
> > + allow $1 self:capability net_bind_service;
> > + allow $1 self:tcp_socket create_stream_socket_perms;
> > 
> > : #EOF
> > : 
> > : sudo semanage port -a -t my_port_t -p tcp 40
> > 
> > 	I would however like to have a really-high-level macro (or two)
> > to do the above - I guess this is what many users would like to do
> > - saying "this context belongs to my port", and "this domain can run
> > a TCP server on this port", similarly to how the files_pid_file()
> > and files_pid_filetrans() macros allow for the
> > "I want to have my own PID file in /var/run" case.
> > 
> > 	Would it be acceptable to submit this as a patch for inclusion
> > in the upstream policy?
> > 
> > 	I would like to have other things included upstream as well - for
> > example, now I have policy bits for Perl: file contexts for
> > /usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying
> > "this domain can run Perl scripts".
> > 
> > 	Thanks,
> > 
> > -Yenya
> > 
> 
> Yenya, take this discussion to the refpolicy list
> 
> <refpolicy@oss.tresys.com>
> 
> Better to discuss it there.  I think having a higher level template for
> creating a tcp or udp port would not be a bad idea.  See what upstream
> thinks.

I'm willing to consider it, but it'll need a good name.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
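As an added sketch, not from the thread and not part of refpolicy, this is what the two higher-level pieces Yenya asks for ("this context belongs to my port" and "this domain can run a TCP server on this port") could look like in refpolicy interface syntax, built from exactly the rules in the snippet above. The names corenet_tcp_server, mydaemon_reserved_tcp_server_template and the domain mydaemon_t are placeholders I chose; as Chris says, a real submission would need a proper name.

```m4
## <summary>
##	Allow a domain to run a TCP server on a given port type.
##	Placeholder name; refpolicy has no interface of this name.
## </summary>
## <param name="domain"><summary>Domain allowed to listen.</summary></param>
## <param name="port_type"><summary>Port type it may name_bind to.</summary></param>
interface(`corenet_tcp_server',`
	# Create the listening socket and bind it to the port label.
	allow $1 self:tcp_socket create_stream_socket_perms;
	allow $1 $2:tcp_socket name_bind;

	# Send and receive on any interface and node, including unlabelled peers.
	corenet_all_recvfrom_unlabeled($1)
	corenet_all_recvfrom_netlabel($1)
	corenet_tcp_sendrecv_generic_if($1)
	corenet_tcp_sendrecv_generic_node($1)
	corenet_tcp_sendrecv_all_ports($1)

	# refpolicy labels 0.0.0.0 as its own node, so a server that listens
	# on all addresses needs the inaddr_any bind as well as the generic one
	# (this is the interface the thread substitutes, spelled correctly).
	corenet_tcp_bind_generic_node($1)
	corenet_tcp_bind_inaddr_any_node($1)
')

## <summary>
##	Declare $1_port_t as a reserved (below 1024) port and let $1_t
##	serve on it. Placeholder name, as above.
## </summary>
## <param name="prefix"><summary>Prefix of the domain and port type.</summary></param>
template(`mydaemon_reserved_tcp_server_template',`
	type $1_port_t;
	corenet_reserved_port($1_port_t)

	# Ports below 1024 additionally require CAP_NET_BIND_SERVICE; for an
	# unprivileged port use corenet_port() instead and drop this rule.
	allow $1_t self:capability net_bind_service;

	corenet_tcp_server($1_t, $1_port_t)
')

# Call from the module .te file (assumed domain mydaemon_t); the port
# number is still mapped to the label at runtime, as in the thread:
#   semanage port -a -t mydaemon_port_t -p tcp 40
mydaemon_reserved_tcp_server_template(mydaemon)
```

Comments inside the quoted interface bodies deliberately avoid apostrophes, since m4 would read one as the closing quote.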

