Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.

We went back and reread the bindreservport code in glibc.

Turns out the range of ports that this will reserve is 512-1024 rather
than 600-1024.

The code actually first tries to reserve a port from 600-1024 and if
they are ALL reserved will try 512-599.

So we need to change corenetwork to reflect this.
This commit is contained in:
Chris PeBenito 2010-07-19 14:22:44 -04:00
parent 29f3bfa464
commit 21fdee9dd5
3 changed files with 9 additions and 8 deletions


@ -1,3 +1,4 @@
- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
- Add JIT usage for freshclam. - Add JIT usage for freshclam.
- Remove ethereal module since the application was renamed to wireshark. - Remove ethereal module since the application was renamed to wireshark.
- Remove duplicate/redundant rules, from Russell Coker. - Remove duplicate/redundant rules, from Russell Coker.


@ -1,4 +1,4 @@
policy_module(corenetwork, 1.14.0) policy_module(corenetwork, 1.14.1)
######################################## ########################################
# #
@ -54,7 +54,7 @@ sid port gen_context(system_u:object_r:port_t,s0)
type reserved_port_t, port_type, reserved_port_type; type reserved_port_t, port_type, reserved_port_type;
# #
# hi_reserved_port_t is the type of INET port numbers between 600-1023. # hi_reserved_port_t is the type of INET port numbers between 512-1023.
# #
type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
@ -217,10 +217,10 @@ network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence; # Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared. # these entries just cover any remaining reserved ports not otherwise declared.
portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-599 gen_context(system_u:object_r:reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-599 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
######################################## ########################################
# #
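Review bot: Widening the two default portcon entries to `portcon tcp 512-1023 …` / `portcon udp 512-1023 …` moves every port in 512-599 that has no earlier network_port() declaration — the r-services (rexec 512, rlogin 513, rsh 514), lpd 515 and friends, if they are undeclared — from reserved_port_t onto hi_reserved_port_t, which carries rpc_port_type, so any domain granted the bind-all-RPC-ports interface can now bind those well-known ports. The port declarations live outside this hunk, so the 512-599 range should be audited for missing network_port() entries before this is relied on. The hi_reserved_port_t comment earlier in this file now states 512-1023 as a flat range, whereas the commit message itself says glibc's bindresvport() only reaches 512-599 as a fallback once 600-1023 are all in use; I would capture that distinction: `# hi_reserved_port_t is the type of INET port numbers between 512-1023. glibc bindresvport() tries 600-1023 first and only falls back to 512-599 once those are all in use.` Minor: the commit title and Changelog say 512-1024 while the portcon correctly ends at 1023 (1024 is not a reserved port).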


@ -77,10 +77,10 @@ type $1_node_t alias node_$1_t, node_type;
declare_nodes($1_node_t,shift($*)) declare_nodes($1_node_t,shift($*))
') ')
# bindresvport in glibc starts searching for reserved ports at 600 # bindresvport in glibc starts searching for reserved ports at 512
define(`declare_ports',`dnl define(`declare_ports',`dnl
ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type; ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
ifelse(eval(range_start($3) >= 600),1,`typeattribute $1 rpc_port_type;',`dnl') ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
',`dnl') ',`dnl')
portcon $2 $3 gen_context(system_u:object_r:$1,$4) portcon $2 $3 gen_context(system_u:object_r:$1,$4)
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
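Review bot: The updated comment `# bindresvport in glibc starts searching for reserved ports at 512` describes a linear search beginning at 512, but the commit message says glibc tries 600-1023 first and falls back to 512-599 only when all of those are taken; the comment should say so, e.g. `# bindresvport in glibc searches 600-1023 first and falls back to 512-599, so any port from 512 up may be handed out as an RPC port`. The threshold 512 now appears here and again in the portcon defaults and the hi_reserved_port_t comment in corenetwork.te.in; since that file is presumably also run through m4, a single shared define would keep the three from drifting apart on the next adjustment. Note also that the test is on range_start($3) alone, so a declared range starting below 512 and extending into the bindresvport window still does not receive rpc_port_type — pre-existing, but worth a comment now that the boundary has moved. The declare_ports macro continues past the end of this hunk.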