On Fri, Dec 02, 2016 at 12:05:50PM +0000, Robert Sharp wrote:
>    Mongo uses tcp on port 27017 and there is nothing defined for this in
>    the core policy. There is a mongodb policy in contrib but it uses
>    corenet_all_recvfrom_unlabeled, corenet_tcp_sendrecv_generic_if and the
>    likes.
> 
>    From what I can make out, semanage port will only allow me to assign a
>    port to an existing label? Looks like I can only define a port label in
>    the reference policy? What is the best way forward? If I was to add
>    something to corenetwork.te it would look like this, I guess:
> 
>    type mongodb_port_t, port_type, defined_port_type;
>    type mongodb_client_packet_t, packet_type, client_packet_type;
>    type mongodb_server_packet_t, packet_type, server_packet_type;
>    typeattribute mongodb_port_t unreserved_port_type;
>    portcon tcp 27017 gen_context(system_u:object_r:mongodb_port_t,s0)
> 
>    Would that then create a "corenet_tcp_connect_mongodb_port" interface?
> 
>    Incidentally, if I have a little family of apps that use a number
>    of unreserved ports. Seems a little monolithic if the only way I can
>    integrate them is to have them included in the base policy? Luckily
>    they are not on the machine I am trying to get to strict atm, but they
>    are on the next one.

I know you can't define a port mapping in the "legacy" (for lack of a better
name, call it .pp or so if you want ;) approach, but can't we define a port
type in a module, and then use the 'semanage port' command to map it to the
right port?

Another approach that works is to create your port definition with CIL. See
the following two posts (the CIL code is in the first, loading in the second
as the first post didn't know yet they were directly loadable):

http://blog.siphos.be/2015/06/where-does-cil-play-in-the-selinux-system/
http://blog.siphos.be/2015/07/loading-cil-modules-directly/

Wkr,
        Sven Vermeulen
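As an added illustration (not part of Sven's reply, and not code from his blog posts or from the reference policy), the port declaration Robert sketched for corenetwork.te can be expressed as a stand-alone CIL module and loaded with semodule, which is the second approach the reply points at. The script below generates that CIL, optionally with an allow rule for a client domain, and shows the semanage step for the first approach. Assumptions: the policy uses sensitivity s0 and the user/role pair system_u/object_r, the port attributes port_type, defined_port_type and unreserved_port_type exist (as in refpolicy), and myapp_t is a hypothetical client domain used only for demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: a CIL module equivalent of the
# refpolicy snippet for mongodb_port_t on tcp/27017, plus the semanage
# alternative. Assumes s0 / system_u / object_r and refpolicy attributes.

# Emit CIL source for mongodb_port_t bound to tcp/27017.
# Optional $1: a client domain that should be allowed to connect.
mongodb_port_cil() {
    client="$1"
    cat <<'EOF'
; Port type carrying the same attributes as a refpolicy port declaration.
(type mongodb_port_t)
(roletype object_r mongodb_port_t)
(typeattributeset port_type (mongodb_port_t))
(typeattributeset defined_port_type (mongodb_port_t))
(typeattributeset unreserved_port_type (mongodb_port_t))

; Label tcp/27017 with the new type; the context is given inline.
(portcon tcp 27017 (system_u object_r mongodb_port_t ((s0) (s0))))
EOF
    if [ -n "$client" ]; then
        # Connecting to a labelled port needs name_connect on tcp_socket.
        printf '\n; Let %s connect to the MongoDB port.\n' "$client"
        printf '(allow %s mongodb_port_t (tcp_socket (name_connect)))\n' "$client"
    fi
}

# Write the module to a file and load it directly with semodule
# (needs root and a semodule that accepts .cil input). When semodule
# is absent the file is still written so it can be inspected.
# $1: optional client domain, $2: output path (default mongodb_port.cil)
install_mongodb_port_cil() {
    out="${2:-mongodb_port.cil}"
    mongodb_port_cil "$1" > "$out"
    if command -v semodule >/dev/null 2>&1; then
        semodule -i "$out" || return 1
        # Confirm the mapping is now visible to the port tooling.
        semanage port -l | grep mongodb_port_t
    else
        echo "semodule not found; wrote $out without loading it" >&2
    fi
}

# First approach from the reply: if mongodb_port_t already exists in a
# loaded module but has no portcon, map the port with semanage instead.
# $1: port number (default 27017)
map_port_with_semanage() {
    semanage port -a -t mongodb_port_t -p tcp "${1:-27017}"
}

# Usage (as root on an SELinux system):
#   install_mongodb_port_cil myapp_t /root/mongodb_port.cil
#   map_port_with_semanage 27017      # only if the type already exists
```

Removing the module again is `semodule -r mongodb_port`; a port mapping added with semanage is removed with `semanage port -d -p tcp 27017`. Note that declaring the type this way does not generate a corenet_tcp_connect_mongodb_port() interface, since those interfaces come from the refpolicy build, so client domains get their access through an explicit allow rule such as the one emitted for the optional client argument.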
