Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
We went back and reread the bindreservport code in glibc. Turns out the range of ports that this will reserve is 512-1024 rather than 600-1024. The code actually first tries to reserve a port from 600-1024 and if they are ALL reserved will try 512-599. So we need to change corenetwork to reflect this.
This commit is contained in:
parent
29f3bfa464
commit
21fdee9dd5
@ -1,3 +1,4 @@
- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
- Add JIT usage for freshclam.
- Remove ethereal module since the application was renamed to wireshark.
- Remove duplicate/redundant rules, from Russell Coker.
@ -1,4 +1,4 @@
policy_module(corenetwork, 1.14.0)
policy_module(corenetwork, 1.14.1)
########################################
#
@ -54,7 +54,7 @@ sid port gen_context(system_u:object_r:port_t,s0)
type reserved_port_t, port_type, reserved_port_type;
#
# hi_reserved_port_t is the type of INET port numbers between 600-1023.
# hi_reserved_port_t is the type of INET port numbers between 512-1023.
#
type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
@ -217,10 +217,10 @@ network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
########################################
#
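Review bot: Moving ports 512-599 from reserved_port_t to hi_reserved_port_t is a permission change, not just a relabel: hi_reserved_port_t is declared earlier in this file with the rpc_port_type attribute as well, so every domain allowed to bind rpc_port_type ports gains those 88 ports, while a domain that was only allowed reserved_port_t loses them; the commit description gives the glibc rationale but nothing in the hunk records it. The block comment above these portcon lines could carry that: `# hi_reserved_port_t matches the glibc bindresvport() search range (512-1023);` followed by `# reserved_port_t covers the remaining low ports.`. As the existing comment notes, earlier portcon entries take precedence, so it is worth confirming that any port in 512-599 declared explicitly elsewhere in the file still ends up with the type its callers expect. The same boundary is also hard-coded in the declare_ports macro in the final hunk; a later edit to one without the other would silently desynchronise them.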
@ -77,10 +77,10 @@ type $1_node_t alias node_$1_t, node_type;
declare_nodes($1_node_t,shift($*))
')
# bindresvport in glibc starts searching for reserved ports at 600
# bindresvport in glibc starts searching for reserved ports at 512
define(`declare_ports',`dnl
ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
ifelse(eval(range_start($3) >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
',`dnl')
portcon $2 $3 gen_context(system_u:object_r:$1,$4)
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
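Review bot: The 512 boundary now appears as a bare literal both in this macro's `range_start($3) >= 512` test and in the default portcon ranges in corenetwork.te.in, with nothing tying the two together, so the rpc_port_type attribute granted here and the hi_reserved_port_t defaults can drift apart on a future edit. A single m4 constant (for example an `rpc_port_low` definition set to 512, used in the eval here and referenced from the .te.in comment) would make the shared origin, the glibc bindresvport() search range from the commit message, explicit. The updated comment above the macro only names the start; `# bindresvport in glibc searches 512-1023, so ranges starting at or above 512 also get rpc_port_type` would say what the test actually grants. Note that the test inspects only the start of the range, so a range straddling 512 is classified by its low end; that is pre-existing behaviour rather than something this commit introduces. The declare_ports definition continues past the end of the hunk.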