I am new to writing policies and have been reading the reference policy files. I wrote a simple TCP server that listens on a port for connections. I would like to write a policy that will only allow my program to bind to a specific port (9999). I looked at the reference policy and see that the ports that programs are allowed to use are in policy/modules/kernel/corenetwork.te. My question is, can I specify the port in my program's type enforcement file so that I can make a module instead of listing this in the kernel policy? If so, what would the syntax be?
Thanks in advance.
On Wed, 2007-08-08 at 11:40 -0400, Mark wrote:
> I am new to writing policies and have been reading the reference policy files. I wrote a simple TCP server that listens on a port for connections. I would like to write a policy that will only allow my program to bind to a specific port (9999). I looked at the reference policy and see that the ports that programs are allowed to use are in policy/modules/kernel/corenetwork.te. My question is, can I specify the port in my program's type enforcement file so that I can make a module instead of listing this in the kernel policy? If so, what would the syntax be?
portcon is only valid in the base module, not a normal loadable module. The command to generate the port entry for the policy is semanage. It should look something like the following:
semanage port -a -t my_port_t -p tcp 9999
Forrest
Thanks for the information, but how could I add this to my .te file?
You cannot. You need to run this as a separate command or build it into the base module (corenetwork.te).
Forrest
On Wed, 2007-08-08 at 13:12 -0400, Mark wrote:
> Thanks for the information, but how could I add this to my .te file?
> --
> ..Cheers
> Mark
ok. Thanks.
So I need to update corenetwork.te, recompile the policy, set the policy to the newly compiled one and reboot? Correct?
That is one way to do it. If you run the semanage utility, it will compile that information into the policy as well, and you don't have to recompile the base policy.
Forrest
On Wed, 2007-08-08 at 13:21 -0400, Mark wrote:
> ok. Thanks.
> So I need to update corenetwork.te, recompile the policy, set the policy to the newly compiled one and reboot? Correct?
> --
> ..Cheers
> Mark
after running semanage, will the information remain in the policy after a reboot?
"SS" == Stephen Smalley sds@tycho.nsa.gov writes:
SS> Yes, the change is persistent.
Which reminds me to ask: if I flub a semanage command (which I find I do very often), how do I undo my mistake?
- J<
On Wed, 2007-08-08 at 12:51 -0500, Jason L Tibbitts III wrote:
> "SS" == Stephen Smalley sds@tycho.nsa.gov writes:
> SS> Yes, the change is persistent.
> Which reminds me to ask: if I flub a semanage command (which I find I do very often), how do I undo my mistake?
Where you add a -a to add, replace that with a -d to delete, or a -m to modify.
Forrest
"FT" == Forrest Taylor ftaylor@redhat.com writes:
FT> Where you add a -a to add, replace that with a -d to delete, or a -m to modify.
Yeah, that was overly easy. I guess I was confused by how I'm supposed to know what "NAME" is, especially for fcontext rules where you give a pattern. (NAME seems to be the pattern itself.)
Is there a simple way to know if an fcontext pattern matches anything so I can tell if I'm going to screw my system before deleting one?
- J<
On Wed, 2007-08-08 at 13:07 -0500, Jason L Tibbitts III wrote:
> "FT" == Forrest Taylor ftaylor@redhat.com writes:
> FT> Where you add a -a to add, replace that with a -d to delete, or a -m to modify.
> Yeah, that was overly easy. I guess I was confused by how I'm supposed to know what "NAME" is, especially for fcontext rules where you give a pattern. (NAME seems to be the pattern itself.)
> Is there a simple way to know if an fcontext pattern matches anything so I can tell if I'm going to screw my system before deleting one?
Do a -l to list it, and use grep to match your rule ;o) semanage won't let you remove a rule that is not there. Nor will it let you add a rule that already exists (you must modify it [-m]).
Forrest
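As an added example (not from the thread), the POSIX sh helpers below read `semanage port -l` output to answer the two questions Forrest's replies raise: which type currently labels a port, and whether an exact entry for it already exists, which is what decides between `-a` (new) and `-m` (modify). The listing is constructed sample output and `my_port_t` is assumed to be a port type declared in the caller's own policy module.

```shell
#!/bin/sh
# Added example, not from the thread: inspect "semanage port -l" output before
# running "semanage port -a/-m". The listing below is constructed sample output,
# not taken from a live system.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61001-65535'

# port_label_of PROTO PORT LIST: print the first type whose entries (single
# ports or lo-hi ranges) cover PORT; prints nothing if no entry covers it.
port_label_of() {
    printf '%s\n' "$3" | awk -v proto="$1" -v port="$2" '
        NR == 1 || $2 != proto { next }        # skip header and other protocols
        {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)       # strip the trailing comma
                if (f ~ /-/) { split(f, r, "-"); lo = r[1]; hi = r[2] }
                else { lo = f; hi = f }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; exit }
            }
        }'
}

# port_entry_exists PROTO PORT LIST: succeed only if some type lists PORT as
# its own token ("80", not a range that merely contains it). That is the case
# where "semanage port -a" is refused and -m must be used instead.
port_entry_exists() {
    printf '%s\n' "$3" | awk -v proto="$1" -v port="$2" '
        NR == 1 || $2 != proto { next }
        { for (i = 3; i <= NF; i++) { f = $i; sub(/,$/, "", f); if (f == port) found = 1 } }
        END { exit found ? 0 : 1 }'
}

# semanage_port_cmd PROTO PORT LIST: the command from the thread with the right
# flag. my_port_t is an assumed port type declared in the caller's module.
semanage_port_cmd() {
    if port_entry_exists "$1" "$2" "$3"; then flag=-m; else flag=-a; fi
    echo "semanage port $flag -t my_port_t -p $1 $2"
}
```

On a live system, feed the real `semanage port -l` output in place of the sample; that `-l` listing is the same check Forrest recommends for seeing whether a rule is already present.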
"FT" == Forrest Taylor ftaylor@redhat.com writes:
FT> Do a -l to list it, and use grep to match your rule ;o)
I was trying to see if an fcontext pattern actually matched any files in the filesystem. Actually I'd like to know something more specific: if it actually has any effect. It could be covered by another rule.
An example: I see an AVC denial on one file, add a rule to change the context on that file and realize later that I need a rule matching the whole directory. A week later and I'm cleaning up; can I really delete that first rule? There are a whole lot of fcontext rules; how do I know it really doesn't have any effect?
- J<
On Wed, 2007-08-08 at 13:45 -0500, Jason L Tibbitts III wrote:
> "FT" == Forrest Taylor ftaylor@redhat.com writes:
> FT> Do a -l to list it, and use grep to match your rule ;o)
> I was trying to see if an fcontext pattern actually matched any files in the filesystem. Actually I'd like to know something more specific: if it actually has any effect. It could be covered by another rule.
> An example: I see an AVC denial on one file, add a rule to change the context on that file and realize later that I need a rule matching the whole directory. A week later and I'm cleaning up; can I really delete that first rule? There are a whole lot of fcontext rules; how do I know it really doesn't have any effect?
In that specific example, you could remove the file rule and use restorecon to verify that it works as expected. It is rather difficult to determine the file context without using some empirical evidence. Note that file_type_auto_trans could also come into play here negating the fcontext rules.
Forrest
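As an added example (not from the thread), the sh helpers below take `semanage fcontext -l` output and list every rule whose pattern matches a given path, which is the first half of Jason's question: if the single-file rule is not the only match, the directory rule still covers that path after the file rule is deleted. The listing, the `/srv/myapp` paths and the `myapp_data_t` / `myapp_log_t` types are constructed; rule precedence and the file-type column are not modelled, so the empirical `restorecon` check Forrest suggests is still the final word.

```shell
#!/bin/sh
# Added example, not from the thread: find which fcontext rules match a path.
# The listing is constructed sample output; the types and paths are made up.
# Assumes patterns contain no whitespace, so the pattern is the first field and
# the context is the last field of each line.
SAMPLE_FCONTEXT_LIST='SELinux fcontext                  type               Context
/srv/myapp(/.*)?                  all files          system_u:object_r:myapp_data_t:s0
/srv/myapp/data\.db               regular file       system_u:object_r:myapp_data_t:s0
/var/log/myapp(/.*)?              all files          system_u:object_r:myapp_log_t:s0'

# rules_matching PATH LIST: print "pattern context" for every rule whose
# pattern matches the whole PATH (file_contexts patterns are anchored at
# both ends, so the regex is wrapped in ^(...)$ before testing).
rules_matching() {
    path=$1
    printf '%s\n' "$2" | awk 'NR > 1 { print $1, $NF }' | while read -r re ctx; do
        if printf '%s\n' "$path" | grep -Eq "^($re)\$"; then
            printf '%s %s\n' "$re" "$ctx"
        fi
    done
}

# match_count PATH LIST: how many rules match PATH (0 means no explicit rule).
match_count() {
    rules_matching "$1" "$2" | wc -l | tr -d ' '
}

# sole_rule_for PATH PATTERN LIST: succeed only if PATTERN is the single rule
# matching PATH, i.e. deleting it would leave PATH with no explicit rule at all.
# Fails when another rule (such as a directory rule) also covers the path.
sole_rule_for() {
    [ "$(match_count "$1" "$3")" = 1 ] && rules_matching "$1" "$3" | grep -Fq "$2 "
}
```

On a live system the rule list comes from `semanage fcontext -l`, and after removing a rule `restorecon -nv PATH` (dry run, verbose) shows what label would actually be applied, which is the verification Forrest describes.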
selinux@lists.fedoraproject.org