* Re: [SELinux-notebook PATCH] network_support.md: clarify local port range and name_bind
@ 2022-05-27 17:14 Paul Moore
  2022-05-27 17:51 ` Dominick Grift
  2022-05-27 18:04 ` [PATCH v2] " Dominick Grift
  0 siblings, 2 replies; 4+ messages in thread
From: Paul Moore @ 2022-05-27 17:14 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux

My apologies for not replying directly to the original posting, for
some reason this never hit my inbox.

From: Dominick Grift @ 2022-05-23
> diff --git a/src/network_support.md b/src/network_support.md
> index bec725e..05ec0e8 100644
> --- a/src/network_support.md
> +++ b/src/network_support.md
> @@ -668,6 +668,17 @@ statements):
> semanage port -a -t my_server_port_t -p tcp -r s0 12345
> ```
>
> +Ports in the local port range can be auto-assigned by the kernel to
> +unbound sockets on first use. Controlling binding to ports is only
> +useful when the port number is a "name" (i.e. a well-defined value that
> +is expected to correspond to a specific service).
> +
> +The *name_bind* operation is not controlled on sockets associated
> +with ports in the local port range:
> +```
> +sysctl net.ipv4.ip_local_port_range
> +```
> +
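Review bot: "The *name_bind* operation is not controlled on sockets associated with ports in the local port range" describes the check in terms of sockets, but *name_bind* is evaluated at bind() time against the port number being requested, so the sentence reads more clearly as a statement about ports: which ports trigger the check and which do not. The two sentences before it ("Controlling binding to ports is only useful when the port number is a "name" ...") argue the rationale rather than document the behaviour, and the paragraph never names the sysctl in prose, so a reader does not learn what the command in the fence prints until they run it. Consider collapsing the three sentences into one that says directly that ports outside the range reported by net.ipv4.ip_local_port_range are the ones subject to the name_bind check, and keep the command as the way to look the range up.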

Despite the sysctl name, these ports are typically referred to as
"ephemeral ports" and not "local ports".  I would suggest the text
below as an alternate solution, what do you think?

Only ports that fall outside the local, or ephemeral, port range are
subject to the additional *name_bind* access check.  You can see the
current ephemeral port range on your system by checking the
*net.ipv4.ip_local_port_range* sysctl:
```
sysctl net.ipv4.ip_local_port_range
```

-- 
paul-moore.com

^ permalink raw reply	[flat|nested] 4+ messages in thread

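The rule Paul states above (name_bind is evaluated only for ports outside the ephemeral range) can be turned into a small checker. The script below is an added example and is not part of the SELinux Notebook, this patch or either poster's message. It reads the range from the same sysctl (via /proc/sys) when it is on a Linux host and otherwise falls back to the kernel's default of 32768 60999. It goes one step beyond the thread in two places, both taken from the kernel's selinux_socket_bind() hook rather than from this page: a port below net.ipv4.ip_unprivileged_port_start is always subject to name_bind even if the ephemeral range has been lowered to include it, and a bind to port 0 (let the kernel pick) is never subject to name_bind at bind() time. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the SELinux Notebook or this thread): decide
# whether a bind() to a given TCP/UDP port is subject to the SELinux
# name_bind check. The condition mirrors the kernel's selinux_socket_bind()
# hook: name_bind is skipped only when an explicitly requested port lies
# inside net.ipv4.ip_local_port_range and is not a privileged port (below
# net.ipv4.ip_unprivileged_port_start). Port 0 means "kernel picks an
# ephemeral port" and is never checked at bind() time.

# Print "LOW HIGH" for the live ephemeral range. Off Linux (no /proc sysctl
# tree) fall back to the kernel's compiled-in default.
ephemeral_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        cat /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "32768 60999"
    fi
}

# Print the first non-privileged port (kernel default 1024).
unprivileged_start() {
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        cat /proc/sys/net/ipv4/ip_unprivileged_port_start
    else
        echo 1024
    fi
}

# name_bind_checked PORT LOW HIGH [UNPRIV_START]
# Exit status 0: name_bind will be evaluated for PORT. 1: it will not.
name_bind_checked() {
    nb_port=$1; nb_low=$2; nb_high=$3; nb_unpriv=${4:-1024}
    [ "$nb_port" -eq 0 ] && return 1             # kernel-assigned port: no name_bind
    [ "$nb_port" -lt "$nb_unpriv" ] && return 0  # privileged port: always checked
    [ "$nb_port" -lt "$nb_low" ] && return 0     # below the ephemeral range
    [ "$nb_port" -gt "$nb_high" ] && return 0    # above the ephemeral range
    return 1                                     # inside the range: only socket bind
}

# classify PORT LOW HIGH [UNPRIV_START]: one-line verdict for a port.
classify() {
    if name_bind_checked "$@"; then
        echo "port $1: name_bind is checked (label it with semanage port)"
    else
        echo "port $1: no name_bind check (only socket bind permission applies)"
    fi
}

# Walk a few ports, including the 12345 used in the notebook's semanage
# example, against the live (or default) range.
set -- $(ephemeral_range)
range_low=$1; range_high=$2; unpriv=$(unprivileged_start)
echo "ephemeral range: $range_low-$range_high, unprivileged ports start at $unpriv"
for p in 0 80 1023 "$range_low" "$range_high" 12345 65000; do
    classify "$p" "$range_low" "$range_high" "$unpriv"
done
```

When the verdict is "name_bind is checked", the port needs a type (the `semanage port -a` line earlier in the section) and the domain needs a matching allow rule, which can be confirmed with `sesearch -A -s <domain> -t <port_type> -c tcp_socket -p name_bind`; when the verdict is "no name_bind check", labelling the port changes nothing for bind() and only the socket-class *bind* permission is consulted.
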
* Re: [SELinux-notebook PATCH] network_support.md: clarify local port range and name_bind
  2022-05-27 17:14 [SELinux-notebook PATCH] network_support.md: clarify local port range and name_bind Paul Moore
@ 2022-05-27 17:51 ` Dominick Grift
  2022-05-27 18:04 ` [PATCH v2] " Dominick Grift
  1 sibling, 0 replies; 4+ messages in thread
From: Dominick Grift @ 2022-05-27 17:51 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

Paul Moore <paul@paul-moore.com> writes:

> My apologies for not replying directly to the original posting, for
> some reason this never hit my inbox.

No problem

>
> From: Dominick Grift @ 2022-05-23
>> diff --git a/src/network_support.md b/src/network_support.md
>> index bec725e..05ec0e8 100644
>> --- a/src/network_support.md
>> +++ b/src/network_support.md
>> @@ -668,6 +668,17 @@ statements):
>> semanage port -a -t my_server_port_t -p tcp -r s0 12345
>> ```
>>
>> +Ports in the local port range can be auto-assigned by the kernel to
>> +unbound sockets on first use. Controlling binding to ports is only
>> +useful when the port number is a "name" (i.e. a well-defined value that
>> +is expected to correspond to a specific service).
>> +
>> +The *name_bind* operation is not controlled on sockets associated
>> +with ports in the local port range:
>> +```
>> +sysctl net.ipv4.ip_local_port_range
>> +```
>> +
>
> Despite the sysctl name, these ports are typically referred to as
> "ephemeral ports" and not "local ports".  I would suggest the text
> below as an alternate solution, what do you think?
>
> Only ports that fall outside the local, or ephemeral, port range are
> subject to the additional *name_bind* access check.  You can see the
> current ephemeral port range on your system by checking the
> *net.ipv4.ip_local_port_range* sysctl:
> ```
> sysctl net.ipv4.ip_local_port_range
> ```

Yes, looks good. I will post a v2 tomorrow.

Thanks

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift


* [PATCH v2] network_support.md: clarify local port range and name_bind
  2022-05-27 17:14 [SELinux-notebook PATCH] network_support.md: clarify local port range and name_bind Paul Moore
  2022-05-27 17:51 ` Dominick Grift
@ 2022-05-27 18:04 ` Dominick Grift
  2022-05-27 19:06   ` Paul Moore
  1 sibling, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2022-05-27 18:04 UTC (permalink / raw)
  To: selinux; +Cc: paul, Dominick Grift

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
v2: rephrases the whole thing

 src/network_support.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/network_support.md b/src/network_support.md
index bec725e..a8fe234 100644
--- a/src/network_support.md
+++ b/src/network_support.md
@@ -668,6 +668,14 @@ statements):
 semanage port -a -t my_server_port_t -p tcp -r s0 12345
 ```
 
+Only ports that fall outside the local, or ephemeral, port range are
+subject to the additional *name_bind* access check. You can see the
+current ephemeral port range on your system by checking the
+*net.ipv4.ip_local_port_range* sysctl:
+```
+sysctl net.ipv4.ip_local_port_range
+```
+
 ## Labeled Network FileSystem (NFS)
 
 Version 4.2 of NFS supports labeling between client/server and requires
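Review bot: "the additional *name_bind* access check" refers to a base check that the paragraph never names; say what name_bind is additional to, for instance that the *bind* permission on the socket class is required for every bind() and name_bind is the extra check on the port's type, so the reader arriving from the `semanage port -a ... 12345` example above knows which rule labelling the port actually gates. Two smaller points in the same hunk: the sysctl lives under net.ipv4 and the text does not say whether the same range applies to IPv6 sockets, which a short clause would settle; and the opening ``` sits directly under the prose line with no blank line, so check that this matches how the existing block just above the hunk is laid out.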
-- 
2.36.1



* Re: [PATCH v2] network_support.md: clarify local port range and name_bind
  2022-05-27 18:04 ` [PATCH v2] " Dominick Grift
@ 2022-05-27 19:06   ` Paul Moore
  0 siblings, 0 replies; 4+ messages in thread
From: Paul Moore @ 2022-05-27 19:06 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux

On Fri, May 27, 2022 at 2:05 PM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
> ---
> v2: rephrases the whole things
>
>  src/network_support.md | 8 ++++++++
>  1 file changed, 8 insertions(+)

Tomorrow came very quickly :)  Merged, thanks Dominick.

-- 
paul-moore.com

