diff --git a/Changelog b/Changelog
index ccdaf250f..e41356a74 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Fix network_port() in corenetwork to correctly handle port ranges.
 - SE-Postgresql updates from KaiGai Kohei.
 - X object manager revisions from Eamon Walsh.
 - Added modules:
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
index 27b4bb601..6ceddc8a9 100644
--- a/policy/modules/kernel/corenetwork.te.m4
+++ b/policy/modules/kernel/corenetwork.te.m4
@@ -5,6 +5,16 @@
 #
 define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
 
+#
+# range_start(num)
+#
+# return the low port in a range.
+#
+# range_start(600) returns "600"
+# range_start(1200-1600) returns "1200"
+#
+define(`range_start',`ifelse(-1,index(`$1', `-'),$1,substr($1,0,index(`$1', `-')))')
+
 #
 # build_option(option_name,true,[false])
 #
@@ -68,10 +78,10 @@ declare_nodes($1_node_t,shift($*))
 ')
 
 define(`declare_ports',`dnl
-ifelse(eval($3 < 1024),1,`
+ifelse(eval(range_start($3) < 1024),1,`
 typeattribute $1 reserved_port_type;
 #bindresvport in glibc starts searching for reserved ports at 600
-ifelse(eval($3 >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
+ifelse(eval(range_start($3) >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
 ',`dnl')
 portcon $2 $3 gen_context(system_u:object_r:$1,$4)
 ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
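Review bot: The header comment for `range_start` does not say what input the macro accepts, and the macro does no checking of its own. Reading the `ifelse`/`substr` expression, an argument that begins with `-` gives an index of 0 and so an empty expansion, which would leave the `eval(... < 1024)` test in `declare_ports` with a malformed expression rather than a clear error. I would add a line to the comment such as `# num must be a decimal port or low-high with no spaces; the argument is not validated`, so a policy author knows a mistyped port is not caught here.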
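Review bot: A range that crosses a boundary is classified by its low port alone in both `eval(range_start($3) ...)` tests, and nothing in `declare_ports` records that this is intended. With constructed examples, a type declared over 1000-2000 would receive `reserved_port_type` although part of the range lies above 1023, and one over 500-700 would not receive `rpc_port_type` although 600-700 falls in the bindresvport search range named in the existing comment. If low-port classification is the rule, I would state it above the first test, e.g. `# a range is classified by its low port; do not declare a range that crosses 600 or 1024`. How much a misclassified type matters depends on the allow rules written against these attributes, which are outside this diff; the closing `')` of the macro is also outside the hunk.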