Hello,

what is a recommended way of allowing a domain to act as a generic TCP
server. I.e. to create a stream socket, bind(2) it to a single defined
port with INADDR_ANY, listen(2) on it, accept(2) connections on it,
and communicate (read/write/send*/recv*) on it.

So far I am using audit2allow, and it has led me to the following
setup (actual reading/writing not verified yet, more rules would probably
be needed):

allow $1 hi_reserved_port_t:tcp_socket name_bind;
allow $1 inaddr_any_node_t:tcp_socket node_bind;
allow $1 self:capability net_bind_service;

However, I guess hi_reserver_port_t is not a _single_ port. I have
seen the network_port() macro in corenetwork.if, but using

network_port($1, tcp,654,s0);

gives a syntax error.

Is there any high-level macro for setting up a single port and allowing
it to be bound, listened, read and written?

[ my system is Fedora 10 with the targeted policy ]

Thanks,

-Yenya

--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

On Sat, 2009-02-28 at 00:02 +0100, Jan Kasprzak wrote:
> Hello,
>
> what is a recommended way of allowing a domain to act as a generic TCP
> server. I.e. to create a stream socket, bind(2) it to a single defined
> port with INADDR_ANY, listen(2) on it, accept(2) connections on it,
> and communicate (read/write/send*/recv*) on it.
>
> So far I am using audit2allow, and it has led me to the following
> setup (actual reading/writing not verified yet, more rules would probably
> be needed):
>
> allow $1 hi_reserved_port_t:tcp_socket name_bind;
> allow $1 inaddr_any_node_t:tcp_socket node_bind;
> allow $1 self:capability net_bind_service;
>
> However, I guess hi_reserver_port_t is not a _single_ port. I have
> seen the network_port() macro in corenetwork.if, but using
>
> network_port($1, tcp,654,s0);
>
> gives a syntax error.
>
> Is there any high-level macro for setting up a single port and allowing
> it to be bound, listened, read and written?
>
> [ my system is Fedora 10 with the targeted policy ]
>
> Thanks,
>
> -Yenya
>

I think corenet_reserved_port() is what you are looking for.

something like this:

# Declarations

type my_port_t;
corenet_reserved_port(my_port_t)

# Policy

corenet_all_recvfrom_unlabeled($1)
corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_all_ports($1)
corenet_tcp_bind_generic_node($1)

allow $1 my_port_t:tcp_socket name_bind;

#EOF

sudo semanage port -a -t my_port_t -p tcp 40

hth , Dominick

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Dominick Grift wrote:
: I think corenet_reserved_port() is what you are looking for.
:
Thanks for the hint. It is _almost_ exactly as you wrote,
except:

: # Declarations
:
: type my_port_t;
: corenet_reserved_port(my_port_t)
:
: # Policy
:
: corenet_all_recvfrom_unlabeled($1)
: corenet_all_recvfrom_netlabel($1)
: corenet_tcp_sendrecv_generic_if($1)
: corenet_tcp_sendrecv_generic_node($1)
: corenet_tcp_sendrecv_all_ports($1)
- corenet_tcp_bind_generic_node($1)
+ corenet_tcp_bind_inadrr_any_node($1)

: allow $1 my_port_t:tcp_socket name_bind;

+ allow $1 self:capability net_bind_service;
+ allow $1 self:tcp_socket create_stream_socket_perms;

: #EOF
:
: sudo semanage port -a -t my_port_t -p tcp 40

I would however like to have a really-high-level macro (or two)
to do the above - I guess this is what many users would like to do
- saying "this context belongs to my port", and "this domain can run
a TCP server on this port". The similar way how the files_pid_file()
and files_pid_filetrans() macros allow for the
"I want to have my own PID file in /var/run" case.

Would it be acceptable to submit this as a patch for inclusion
in the upstream policy?

I would like to have other things included upstream as well - for
example, now I have a policy bits for Perl: file contexts for
/usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying
"this domain can run Perl scripts".

Thanks,

-Yenya

--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

On Mon, 2009-03-02 at 16:34 +0100, Jan Kasprzak wrote:
> Dominick Grift wrote:
> : I think corenet_reserved_port() is what you are looking for.
> :
> Thanks for the hint. It is _almost_ exactly as you wrote,
> except:
>
> : # Declarations
> :
> : type my_port_t;
> : corenet_reserved_port(my_port_t)
> :
> : # Policy
> :
> : corenet_all_recvfrom_unlabeled($1)
> : corenet_all_recvfrom_netlabel($1)
> : corenet_tcp_sendrecv_generic_if($1)
> : corenet_tcp_sendrecv_generic_node($1)
> : corenet_tcp_sendrecv_all_ports($1)
> - corenet_tcp_bind_generic_node($1)
> + corenet_tcp_bind_inadrr_any_node($1)
>
> : allow $1 my_port_t:tcp_socket name_bind;
>
> + allow $1 self:capability net_bind_service;
> + allow $1 self:tcp_socket create_stream_socket_perms;
>
> : #EOF
> :
> : sudo semanage port -a -t my_port_t -p tcp 40
>
> I would however like to have a really-high-level macro (or two)
> to do the above - I guess this is what many users would like to do
> - saying "this context belongs to my port", and "this domain can run
> a TCP server on this port". The similar way how the files_pid_file()
> and files_pid_filetrans() macros allow for the
> "I want to have my own PID file in /var/run" case.
>
> Would it be acceptable to submit this as a patch for inclusion
> in the upstream policy?

My example of declaring a port would not be acceptable upstream. If you
want your policy upstream then you would have to declare your port in
the corenetwork.te.in file that is in the kernel section of the policy
source. If you add a declaration there, then interfaces will be
generated that you can use, when you build the source.

For example:
network_port(myport, tcp,40,s0)
would create interfaces like:
corenet_tcp_bind_myport_port()

that you can use

hth , Dominick

>
> I would like to have other things included upstream as well - for
> example, now I have a policy bits for Perl: file contexts for
> /usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying
> "this domain can run Perl scripts".
>
> Thanks,
>
> -Yenya
>

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jan Kasprzak wrote:
> Dominick Grift wrote:
> : I think corenet_reserved_port() is what you are looking for.
> :
> Thanks for the hint. It is _almost_ exactly as you wrote,
> except:
>
> : # Declarations
> :
> : type my_port_t;
> : corenet_reserved_port(my_port_t)
> :
> : # Policy
> :
> : corenet_all_recvfrom_unlabeled($1)
> : corenet_all_recvfrom_netlabel($1)
> : corenet_tcp_sendrecv_generic_if($1)
> : corenet_tcp_sendrecv_generic_node($1)
> : corenet_tcp_sendrecv_all_ports($1)
> - corenet_tcp_bind_generic_node($1)
> + corenet_tcp_bind_inadrr_any_node($1)
>
> : allow $1 my_port_t:tcp_socket name_bind;
>
> + allow $1 self:capability net_bind_service;
> + allow $1 self:tcp_socket create_stream_socket_perms;
>
> : #EOF
> :
> : sudo semanage port -a -t my_port_t -p tcp 40
>
> I would however like to have a really-high-level macro (or two)
> to do the above - I guess this is what many users would like to do
> - saying "this context belongs to my port", and "this domain can run
> a TCP server on this port". The similar way how the files_pid_file()
> and files_pid_filetrans() macros allow for the
> "I want to have my own PID file in /var/run" case.
>
> Would it be acceptable to submit this as a patch for inclusion
> in the upstream policy?
>
> I would like to have other things included upstream as well - for
> example, now I have a policy bits for Perl: file contexts for
> /usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying
> "this domain can run Perl scripts".
>
> Thanks,
>
> -Yenya
>

Yenya, take this discussion to the refpolicy list

<refpolicy@oss.tresys.com>

Better to discuss it there. I think having a higher level template for
creating a tcp or udp port would not be a bad idea. See what upstream
thinks.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmsDzYACgkQrlYvE4MpobNJHwCfZ5YbOsiYpB ATkbTZyCqkZWh+
wGUAn1qN1EySr3iW5Pn4TO8aDrhJKZRA
=+xoQ
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

On Mon, 2009-03-02 at 11:58 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jan Kasprzak wrote:
> > Dominick Grift wrote:
> > : I think corenet_reserved_port() is what you are looking for.
> > :
> > Thanks for the hint. It is _almost_ exactly as you wrote,
> > except:
> >
> > : # Declarations
> > :
> > : type my_port_t;
> > : corenet_reserved_port(my_port_t)
> > :
> > : # Policy
> > :
> > : corenet_all_recvfrom_unlabeled($1)
> > : corenet_all_recvfrom_netlabel($1)
> > : corenet_tcp_sendrecv_generic_if($1)
> > : corenet_tcp_sendrecv_generic_node($1)
> > : corenet_tcp_sendrecv_all_ports($1)
> > - corenet_tcp_bind_generic_node($1)
> > + corenet_tcp_bind_inadrr_any_node($1)
> >
> > : allow $1 my_port_t:tcp_socket name_bind;
> >
> > + allow $1 self:capability net_bind_service;
> > + allow $1 self:tcp_socket create_stream_socket_perms;
> >
> > : #EOF
> > :
> > : sudo semanage port -a -t my_port_t -p tcp 40
> >
> > I would however like to have a really-high-level macro (or two)
> > to do the above - I guess this is what many users would like to do
> > - saying "this context belongs to my port", and "this domain can run
> > a TCP server on this port". The similar way how the files_pid_file()
> > and files_pid_filetrans() macros allow for the
> > "I want to have my own PID file in /var/run" case.
> >
> > Would it be acceptable to submit this as a patch for inclusion
> > in the upstream policy?
> >
> > I would like to have other things included upstream as well - for
> > example, now I have a policy bits for Perl: file contexts for
> > /usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying
> > "this domain can run Perl scripts".
> >
> > Thanks,
> >
> > -Yenya
> >
>
> Yenya, take this discussion to the refpolicy list
>
> <refpolicy@oss.tresys.com>
>
> Better to discuss it there. I think having a higher level template for
> creating a tcp or udp port would not be a bad idea. See what upstream
> thinks.

I'm willing to consider it, but it'll need a good name.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list