Hello,
What is a recommended way of allowing a domain to act as a generic TCP server? I.e. to create a stream socket, bind(2) it to a single defined port with INADDR_ANY, listen(2) on it, accept(2) connections on it, and communicate (read/write/send*/recv*) on it.
So far I am using audit2allow, and it has led me to the following setup (actual reading/writing not verified yet, more rules would probably be needed):
allow $1 hi_reserved_port_t:tcp_socket name_bind;
allow $1 inaddr_any_node_t:tcp_socket node_bind;
allow $1 self:capability net_bind_service;
However, I guess hi_reserved_port_t is not a _single_ port. I have seen the network_port() macro in corenetwork.if, but using
network_port($1, tcp,654,s0);
gives a syntax error.
Is there any high-level macro for setting up a single port and allowing it to be bound, listened on, read and written?
[ my system is Fedora 10 with the targeted policy ]
Thanks,
-Yenya
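An added example, not part of the original post, of how such a domain is usually expressed as a local reference-policy module: a dedicated port type is declared for the one port, and the domain is granted the socket, bind, node and traffic permissions through the corenet interfaces. The domain name mytcpd_t, the port type and the port number 654 are placeholders, and the interface names are assumed to match the Fedora 10 reference policy; check them against the installed corenetwork.if.

```selinux
# Added example (not from the original post): local policy module for a
# hypothetical domain mytcpd_t that serves a single TCP port.
# Interface names are assumed to match the Fedora 10 reference policy.
policy_module(mytcpd, 1.0)

# Hypothetical domain; how the daemon enters it is out of scope here.
type mytcpd_t;
type mytcpd_exec_t;
init_daemon_domain(mytcpd_t, mytcpd_exec_t)

# A dedicated port type, so that only this domain may bind the port.
# Map the number to the type once the module is loaded:
#   semanage port -a -t mytcpd_port_t -p tcp 654
type mytcpd_port_t;
corenet_port(mytcpd_port_t)

# socket(), bind(), listen(), accept(), read()/write()/send*()/recv*()
# on the domain's own sockets (create_stream_socket_perms covers them).
allow mytcpd_t self:tcp_socket create_stream_socket_perms;

# bind(2) to INADDR_ANY (the generic node) on the dedicated port only
corenet_tcp_bind_generic_node(mytcpd_t)
allow mytcpd_t mytcpd_port_t:tcp_socket name_bind;

# ports below 1024 additionally require CAP_NET_BIND_SERVICE
allow mytcpd_t self:capability net_bind_service;

# traffic on any interface and node, restricted to the dedicated port
corenet_tcp_sendrecv_generic_if(mytcpd_t)
corenet_tcp_sendrecv_generic_node(mytcpd_t)
allow mytcpd_t mytcpd_port_t:tcp_socket { send_msg recv_msg };
```

Build it with the policy development Makefile (make -f /usr/share/selinux/devel/Makefile mytcpd.pp) and load it with semodule -i mytcpd.pp; remaining denials, e.g. for files or logging, will still show up in the audit log and can be added the same way.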