On Sun, Jan 11, 2015 at 10:49:03AM -0500, Paul Moore wrote: > On Sat, Jan 10, 2015 at 2:15 PM, Dominick Grift wrote: > > On Sat, Jan 10, 2015 at 01:54:01PM -0500, Stephen Smalley wrote: > >> Well, I noted it in the technical reports I wrote originally for > >> SELinux. I guess it didn't get carried into documentation written by > >> others, although it has been discussed on this list and the Fedora > >> SELinux list various times. Also, even if we were to implement such a > >> check, we'd have to dontaudit it in most cases because the kernel > >> would automatically be scanning the range for an available and allowed > >> port, and various userspace libraries do exactly the same thing when > >> trying to bind to an available port. Which would render it a > >> mysterious denial on random send/connect and bind calls. > > > > You hinted that implementing a check for this could affect performance, and so i am no longer in favor of that solution. > > > > however i would like some of the tools to be aware of this issue. > > > > for example if i do > > > > sesearch -A -s sshd_t -t port_type -c tcp_socket -p name_bind > > > > That it returns somehow that this access to ports in the local port range will be allowed. So that auditors see that it is allowed even though there is no rule to allow it. > > At least then they know there is something going on and can look for documentation about it. > > > > The problem is how does one implement that in an informative way without relying on customizable identifiers. > > Perhaps a mention in the relevant man pages? That is better than nothing in my opinion but I do not believe this is prominently visible enough on its own. In my view we should pro-actively inform users about this and other inconsistencies. > > -- > paul moore > www.paul-moore.com > _______________________________________________ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. -- Dominick Grift