| 1 |
On 03/12/16 10:16, Sven Vermeulen wrote: |
| 2 |
> On Fri, Dec 02, 2016 at 12:05:50PM +0000, Robert Sharp wrote: |
| 3 |
>> Mongo uses tcp on port 27017 and there is nothing defined for this in |
| 4 |
>> the core policy. There is a mongodb policy in contrib but it uses |
| 5 |
>> corenet_all_recvfrom_unlabeled, corenet_tcp_sendrecv_generic_if and the |
| 6 |
>> likes. |
| 7 |
> I know you can't define a port mapping in the "legacy" (for lack of a better |
| 8 |
> name, call it .pp or so if you want ;) approach, but can't we define a port |
| 9 |
> type in a module, and then use the 'semanage port' command to map it to the |
| 10 |
> right port? |
| 11 |
> |
| 12 |
> Another approach that works is to create your port definition with CIL. See |
| 13 |
> the following two posts (the CIL code is in the first, loading in the second |
| 14 |
> as the first post didn't know yet they were directly loadable): |
| 15 |
> |
| 16 |
> http://blog.siphos.be/2015/06/where-does-cil-play-in-the-selinux-system/ |
| 17 |
> http://blog.siphos.be/2015/07/loading-cil-modules-directly/ |
| 18 |
> |
| 19 |
> Wkr, |
| 20 |
> Sven Vermeulen |
| 21 |
> |
| 22 |
Thanks for this. I wrote a little CIL snippet based on your example for |
| 23 |
27017 and semodule'd it in. I could then see the port with semanage port |
| 24 |
-l and I could use it in the .te file as well. I made a mistake first |
| 25 |
time round by naming the .cil file the same as the others, which create |
| 26 |
mayhem when I tried importing the module. I removed the .cil bit, |
| 27 |
renamed it mongodb.cil and tried again. This time it worked. I guess I |
| 28 |
ought to look at the mongodb in contrib to see if there should be a |
| 29 |
client side to the policy, and perhaps rename my CIL to something like |
| 30 |
mongodb_port.cil. |
| 31 |
|
| 32 |
Is there a plan to move everything to CIL? It is just that you referred |
| 33 |
to the .pp approach as "legacy". I just wonder because CIL looks fairly |
| 34 |
unfriendly and may even be an intermediate language. Also, are there any |
| 35 |
plans to make the whole thing more modular? Looking at corenetwork.if, |
| 36 |
for example, is a bit of a surprise. |
| 37 |
|
| 38 |
Best regards, |
| 39 |
|
| 40 |
Robert |
Archives