Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.

We went back and reread the bindreservport code in glibc. Turns out the range or ports that this will reserve are 512-1024 rather then 600-1024. The code actually first tries to reserve a port from 600-1024 and if they are ALL reserved will try 512-599. So we need to change corenetwork to reflect this.
2010-07-19 14:22:44 -04:00 · 2010-07-19 14:22:44 -04:00 · 21fdee9dd5
parent 29f3bfa464
commit 21fdee9dd5
3 changed files with 9 additions and 8 deletions
--- a/1
+++ b/1
@ -1,3 +1,4 @@
+- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
 - Add JIT usage for freshclam.
 - Remove ethereal module since the application was renamed to wireshark.
 - Remove duplicate/redundant rules, from Russell Coker.
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.14.0)
+policy_module(corenetwork, 1.14.1)

 ########################################
 #
@ -54,7 +54,7 @@ sid port gen_context(system_u:object_r:port_t,s0)
 type reserved_port_t, port_type, reserved_port_type;

 #
-# hi_reserved_port_t is the type of INET port numbers between 600-1023.
+# hi_reserved_port_t is the type of INET port numbers between 512-1023.
 #
 type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;

@ -217,10 +217,10 @@ network_port(zope, tcp,8021,s0)
 # Defaults for reserved ports.  Earlier portcon entries take precedence;
 # these entries just cover any remaining reserved ports not otherwise declared.

-portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
-portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
-portcon tcp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
-portcon udp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)

 ########################################
 #
--- a/policy/modules/kernel/corenetwork.te.m4
+++ b/policy/modules/kernel/corenetwork.te.m4
@ -77,10 +77,10 @@ type $1_node_t alias node_$1_t, node_type;
 declare_nodes($1_node_t,shift($*))
 ')

-# bindresvport in glibc starts searching for reserved ports at 600
+# bindresvport in glibc starts searching for reserved ports at 512
 define(`declare_ports',`dnl
 ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
-ifelse(eval(range_start($3) >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
+ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
 ',`dnl')
 portcon $2 $3 gen_context(system_u:object_r:$1,$4)
 ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl