Re: [SELinux-notebook PATCH] network_support.md: clarify local port range and name_bind

Re: [SELinux-notebook PATCH] network_support.md: clarify local port range and name_bind

[Paul Moore]

My apologies for not replying directly to the original posting, for
some reason this never hit my inbox.

From: Dominick Grift @ 2022-05-23
> diff --git a/src/network_support.md b/src/network_support.md
> index bec725e..05ec0e8 100644
> --- a/src/network_support.md
> +++ b/src/network_support.md
> @@ -668,6 +668,17 @@ statements):
> semanage port -a -t my_server_port_t -p tcp -r s0 12345
> ```
>
> +Ports in the local port range can be auto-assigned by the kernel to
> +unbound sockets on first use. Controlling binding to ports is only
> +useful when the port number is a "name" (i.e. a well-defined value that
> +is expected to correspond to a specific service).
> +
> +The *name_bind* operation is not controlled on sockets associated
> +with ports in the local port range:
> +```
> +sysctl net.ipv4.ip_local_port_range
> +```
> +

Despite the sysctl name, these ports are typically referred to as
"ephemeral ports" and not "local ports".  I would suggest the text
below as an alternate solution, what do you think?

Only ports that fall outside the local, or ephemeral, port range are
subject to the additional *name_bind* access check.  You can see the
current ephemeral port range on your system by checking the
*net.ipv4.ip_local_port_range* sysctl:
```
sysctl net.ipv4.ip_local_port_range
```

-- 
paul-moore.com

Re: [SELinux-notebook PATCH] network_support.md: clarify local port range and name_bind

[Dominick Grift]

Paul Moore <paul@paul-moore.com> writes:

> My apologies for not replying directly to the original posting, for
> some reason this never hit my inbox.

No problem

>
> From: Dominick Grift @ 2022-05-23
>> diff --git a/src/network_support.md b/src/network_support.md
>> index bec725e..05ec0e8 100644
>> --- a/src/network_support.md
>> +++ b/src/network_support.md
>> @@ -668,6 +668,17 @@ statements):
>> semanage port -a -t my_server_port_t -p tcp -r s0 12345
>> ```
>>
>> +Ports in the local port range can be auto-assigned by the kernel to
>> +unbound sockets on first use. Controlling binding to ports is only
>> +useful when the port number is a "name" (i.e. a well-defined value that
>> +is expected to correspond to a specific service).
>> +
>> +The *name_bind* operation is not controlled on sockets associated
>> +with ports in the local port range:
>> +```
>> +sysctl net.ipv4.ip_local_port_range
>> +```
>> +
>
> Despite the sysctl name, these ports are typically referred to as
> "ephemeral ports" and not "local ports".  I would suggest the text
> below as an alternate solution, what do you think?
>
> Only ports that fall outside the local, or ephemeral, port range are
> subject to the additional *name_bind* access check.  You can see the
> current ephemeral port range on your system by checking the
> *net.ipv4.ip_local_port_range* sysctl:
> ```
> sysctl net.ipv4.ip_local_port_range
> ```

Yes, looks good I will post a V2 tomorrow.

Thanks

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift

[PATCH v2] network_support.md: clarify local port range and name_bind

[Dominick Grift]

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
v2: rephrases the whole things

 src/network_support.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/network_support.md b/src/network_support.md
index bec725e..a8fe234 100644
--- a/src/network_support.md
+++ b/src/network_support.md
@@ -668,6 +668,14 @@ statements):
 semanage port -a -t my_server_port_t -p tcp -r s0 12345
 ```
 
+Only ports that fall outside the local, or ephemeral, port range are
+subject to the additional *name_bind* access check. You can see the
+current ephemeral port range on your system by checking the
+*net.ipv4.ip_local_port_range* sysctl:
+```
+sysctl net.ipv4.ip_local_port_range
+```
+
 ## Labeled Network FileSystem (NFS)
 
 Version 4.2 of NFS supports labeling between client/server and requires
-- 
2.36.1

Re: [PATCH v2] network_support.md: clarify local port range and name_bind

[Paul Moore]

On Fri, May 27, 2022 at 2:05 PM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
> ---
> v2: rephrases the whole things
>
>  src/network_support.md | 8 ++++++++
>  1 file changed, 8 insertions(+)

Tomorrow came very quickly :)  Merged, thanks Dominick.

-- 
paul-moore.com