Daniel J Walsh wrote:
> This looks fine for a test policy. What you have said here is to allow
> user_t and secadm_t to bind to all ports that are not labeled.
> You could have defined a port, say
>
> gen_require(`
>     type secadm_t, sysadm_t, user_t;
>     type inaddr_any_node_t;
>     attribute port_type;
> ')
>
> # the port label; semanage only maps ports to types carrying port_type
> type test_port_t;
> typeattribute test_port_t port_type;
>
> # user_t and secadm_t may bind TCP listeners to ports labeled test_port_t
> allow user_t test_port_t:tcp_socket name_bind;
> allow secadm_t test_port_t:tcp_socket name_bind;
> # bind() is also checked against the node; only sysadm_t gets that here
> allow sysadm_t inaddr_any_node_t:tcp_socket node_bind;
>
> Then use semanage to assign ports to test_port_t.
>
> semanage port -a -p tcp -t test_port_t 3333
>
> This would give you a little tighter security and would allow you to
> test out some of the other features available with SELinux.
Thanks Dan,
I didn't know about the boolean user_tcp_server. I'll set it up and that should
take care of the user executing nc correctly.
Thanks for the policy tip as well. I'll try it :)
- Loulwa
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
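The port-type recipe Dan sketches above, carried through as a complete module, as an added example rather than code from the thread. test_port_t, TCP port 3333 and the three allow rules are Dan's; the module name "testport", the work directory, the selinux-policy-devel Makefile path and the nc test bind are assumptions. Relative to the fragment in the message it adds the ";" the type declaration needs and puts test_port_t into the port_type attribute, which semanage checks before it will map a port to a type.

```shell
#!/bin/sh
# Added example, not code from the thread: render the test_port_t module as a
# complete .te file, build and load it, map TCP 3333 to it, and check the result.
# test_port_t, port 3333 and the allow rules are from Dan's message; the module
# name "testport", the work directory and the devel Makefile path are assumptions.
set -e

MOD=testport
WORKDIR=${WORKDIR:-/tmp/$MOD}

# Render the policy module. Relative to the fragment in the thread this adds the
# ';' the type declaration needs and puts test_port_t into the port_type
# attribute, which semanage checks before it will map a port to a type.
render_te() {
    cat <<'EOF'
policy_module(testport, 1.0)

gen_require(`
    type secadm_t, sysadm_t, user_t;
    type inaddr_any_node_t;
    attribute port_type;
')

# The port label itself; port_type is what "semanage port -t" looks for.
type test_port_t;
typeattribute test_port_t port_type;

# user_t and secadm_t may bind TCP listeners to ports labeled test_port_t.
allow user_t test_port_t:tcp_socket name_bind;
allow secadm_t test_port_t:tcp_socket name_bind;

# bind() is also checked against the node the socket binds to; the fragment
# grants that only to sysadm_t, and this example keeps it that way.
allow sysadm_t inaddr_any_node_t:tcp_socket node_bind;
EOF
}

# Compile with the selinux-policy-devel Makefile (it expands policy_module and
# gen_require) and load the resulting .pp. Assumed path; adjust per distro.
build_and_load() {
    mkdir -p "$WORKDIR"
    render_te > "$WORKDIR/$MOD.te"
    ( cd "$WORKDIR" && make -f /usr/share/selinux/devel/Makefile "$MOD.pp" )
    semodule -i "$WORKDIR/$MOD.pp"
}

# Map TCP 3333 to the new type. This is the step that fails if the type
# does not carry the port_type attribute.
label_port() {
    semanage port -a -p tcp -t test_port_t 3333
}

# Confirm the mapping, then look for AVC denials after a test bind
# (for example "nc -l 3333" from a user_t shell, as in the thread).
verify() {
    semanage port -l | grep '^test_port_t'
    ausearch -m avc -ts recent 2>/dev/null | audit2allow || true
}

# Rollback for a test box: drop the port mapping, then the module.
cleanup() {
    semanage port -d -p tcp 3333
    semodule -r "$MOD"
}

case "${1:-}" in
    install) build_and_load; label_port; verify ;;
    remove)  cleanup ;;
    *)       render_te ;;   # no argument: just print the module source
esac
```

Run it with no argument to review the generated .te, with "install" on a test machine to build, load and label the port, and with "remove" to undo both. After a bind attempt from a user shell, an empty audit2allow result means the name_bind and node_bind checks both passed; a denial on node_bind is the expected sign that the node rule, which the fragment only gives sysadm_t, is still missing for that domain.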