Fix corenetwork port declaration to choose either reserved or unreserved.
This changes the port declarations for cases where a type is used for ports above and below 1024. The old code would give both the reserved and unreserved port attribute. This new code only gives the reserved port attribute.
parent
7b98e4f436
commit
332c3a5fc4
|
@ -1,3 +1,5 @@
|
|||
- Change corenetwork port declaration to apply the reserved port type
|
||||
attribute only, when the type has ports above and below 1024.
|
||||
- Change secure_mode_policyload to disable only toggling of this Boolean
|
||||
rather than disabling all Boolean toggling permissions.
|
||||
- Use role attributes to assist with domain transitions in interactive
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
policy_module(corenetwork, 1.16.3)
|
||||
policy_module(corenetwork, 1.16.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -77,13 +77,19 @@ type $1_node_t alias node_$1_t, node_type;
|
|||
declare_nodes($1_node_t,shift($*))
|
||||
')
|
||||
|
||||
# bindresvport in glibc starts searching for reserved ports at 512
|
||||
define(`declare_ports',`dnl
|
||||
ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
|
||||
ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
|
||||
',`typeattribute $1 unreserved_port_type;')
|
||||
define(`declare_portcons',`dnl
|
||||
portcon $2 $3 gen_context(system_u:object_r:$1,$4)
|
||||
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
|
||||
ifelse(`$5',`',`',`declare_portcons($1,shiftn(4,$*))')dnl
|
||||
')
|
||||
|
||||
define(`add_port_attribute',`dnl
|
||||
ifelse(eval(range_start($2) < 1024),1,`typeattribute $1 reserved_port_type;',`typeattribute $1 unreserved_port_type;')
|
||||
')
|
||||
|
||||
# bindresvport in glibc starts searching for reserved ports at 512
|
||||
define(`add_rpc_attribute',`dnl
|
||||
ifelse(eval(range_start($3) >= 512 && range_start($3) < 1024),1,`typeattribute $1 rpc_port_type;
|
||||
',`ifelse(`$5',`',`',`add_rpc_attribute($1,shiftn(4,$*))')')dnl
|
||||
')
|
||||
|
||||
#
|
||||
|
@ -93,7 +99,9 @@ define(`network_port',`
|
|||
type $1_port_t, port_type, defined_port_type;
|
||||
type $1_client_packet_t, packet_type, client_packet_type;
|
||||
type $1_server_packet_t, packet_type, server_packet_type;
|
||||
ifelse(`$2',`',`',`declare_ports($1_port_t,shift($*))')dnl
|
||||
ifelse(`$2',`',`',`add_port_attribute($1_port_t,$3)')dnl
|
||||
ifelse(`$2',`',`',`add_rpc_attribute($1_port_t,shift($*))')dnl
|
||||
ifelse(`$2',`',`',`declare_portcons($1_port_t,shift($*))')dnl
|
||||
')
|
||||
|
||||
#
|
||||
|
|
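Review bot: `add_port_attribute` tests only its `$2`, and `network_port` passes it just `$3` (the first port range), so the reserved/unreserved choice depends on which range is listed first rather than on whether any range starts below 1024. If a declaration lists a high port before a low one, the type would presumably get `unreserved_port_type` while `declare_portcons` still labels a port under 1024 with it, so rules written against `unreserved_port_type` would also reach that privileged port; the `network_port()` callers are not visible here, so this needs checking against the port list. Either state the ordering requirement next to the macro, e.g. `# Only the first range is tested: list the lowest port first in network_port().`, or have the macro walk every range with `shiftn(4,$*)` as `add_rpc_attribute` does. Both macro definitions sit in hunks whose surrounding file continues outside the view.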