Make unconfined domains permissive for rawhide

Add definition for ephermeral ports
2011-09-27 10:16:54 -04:00 · 2011-09-27 10:16:54 -04:00 · 24b80bf8d9
commit 24b80bf8d9
parent 4ce5381249
3 changed files with 62 additions and 2 deletions
--- a/ephemeral.patch
+++ b/ephemeral.patch
@ -0,0 +1,39 @@
+diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
+index 3b5de31..dfd5b61 100644
+--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
+@@ -66,11 +66,17 @@ type port_t, port_type;
+ sid port gen_context(system_u:object_r:port_t,s0)
+ 
+ #
+-# port_t is the default type of INET port numbers.
+# unreserved_port_t is the default type of port numbers > 1024 and non ephemeral
+ #
+ type unreserved_port_t, port_type, unreserved_port_type;
+ 
+ #
+# ephemeral_port_t is the default type of ephemeral port numbers.
+# cat /proc/sys/net/ipv4/ip_local_port_range 
+#
+type ephemeral_port_t, port_type;
+
+#
+ # reserved_port_t is the type of INET port numbers below 1024.
+ #
+ type reserved_port_t, port_type, reserved_port_type;
+@@ -292,9 +298,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+ portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+ portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+ portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+-portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+-portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+-
+portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
+portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
+portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+ ########################################
+ #
+ # Network nodes
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,12 +17,13 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 34%{?dist}
+Release: 34.1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-F16.patch
-#patch1: ephemeral.patch
+patch1: ephemeral.patch
+patch2: unconfined_permissive.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@ -236,6 +237,8 @@ Based off of reference policy: Checked out revision  2.20091117
 %prep 
 %setup -n serefpolicy-%{version} -q
 %patch -p1
+%patch1 -p1
+%patch2 -p1

 %install
 mkdir selinux_config
@ -467,6 +470,10 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Mon Sep 26 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-34.1
+- Change unconfined_domains to permissive for Rawhide
+- Add definition for the ephemeral_ports
+
 * Mon Sep 26 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-34
 - Make mta_role() active
 - Allow asterisk to connect to jabber client port
--- a/unconfined_permissive.patch
+++ b/unconfined_permissive.patch
@ -0,0 +1,14 @@
+diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
+index 683497a..6717658 100644
+--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
+@@ -136,7 +136,8 @@ interface(`unconfined_domain',`
+ 		attribute unconfined_services;
+ 	')	
+ 
+-	unconfined_domain_noaudit($1)
+permissive $1;
+#	unconfined_domain_noaudit($1)
+ 
+ 	tunable_policy(`allow_execheap',`
+ 		auditallow $1 self:process execheap;