On 03/12/16 10:16, Sven Vermeulen wrote:
On Fri, Dec 02, 2016 at 12:05:50PM +0000, Robert Sharp wrote:
    Mongo uses tcp on port 27017 and there is nothing defined for this in
    the core policy. There is a mongodb policy in contrib but it uses
    corenet_all_recvfrom_unlabeled, corenet_tcp_sendrecv_generic_if and the
    likes.
I know you can't define a port mapping in the "legacy" (for lack of a better
name, call it .pp or so if you want ;) approach, but can't we define a port
type in a module, and then use the 'semanage port' command to map it to the
right port?

Another approach that works is to create your port definition with CIL. See
the following two posts (the CIL code is in the first, loading in the second
as the first post didn't know yet they were directly loadable):

http://blog.siphos.be/2015/06/where-does-cil-play-in-the-selinux-system/
http://blog.siphos.be/2015/07/loading-cil-modules-directly/

Wkr,
        Sven Vermeulen

Thanks for this. I wrote a little CIL snippet based on your example for 27017 and semodule'd it in. I could then see the port with semanage port -l and I could use it in the .te file as well. I made a mistake first time round by naming the .cil file the same as the others, which created mayhem when I tried importing the module. I removed the .cil bit, renamed it mongodb.cil and tried again. This time it worked. I guess I ought to look at the mongodb in contrib to see if there should be a client side to the policy, and perhaps rename my CIL to something like mongodb_port.cil.

Is there a plan to move everything to CIL? It is just that you referred to the .pp approach as "legacy". I just wonder because CIL looks fairly unfriendly and may even be an intermediate language. Also, are there any plans to make the whole thing more modular? Looking at corenetwork.if, for example, is a bit of a surprise.

Best regards,

Robert
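The kind of CIL port definition discussed above, as an added example that is not the snippet Robert wrote or Sven's blog code: it declares a dedicated port type for TCP 27017 and adds the portcon mapping, so the type can later be referenced from a .te module (for example via a corenet-style name_bind interface). The type name mongod_port_t and the file name mongodb_port.cil are assumptions; the port_type and defined_port_type attributes are the refpolicy attributes that the policy's own port types carry.

```cil
; mongodb_port.cil -- added example, not from the original thread.
; Declares a port type for MongoDB's default listener (TCP 27017) and
; labels the port so the type shows up in 'semanage port -l'.

; Type name is an assumption; pick one that does not collide with an
; existing type in the loaded policy.
(type mongod_port_t)

; Port labels live in the object_r role like every other object type.
(roletype object_r mongod_port_t)

; Make the new type a member of the refpolicy port attributes so that
; generic rules written against port_type (and the "defined" subset)
; apply to it as they would to a port from corenetwork.te.
(typeattributeset port_type (mongod_port_t))
(typeattributeset defined_port_type (mongod_port_t))

; Map TCP 27017 to the new type. The trailing ((s0) (s0)) is the MLS
; low/high range; s0-s0 matches the other single-level port labels.
(portcon tcp 27017 (system_u object_r mongod_port_t ((s0) (s0))))
```

Load it with `semodule -i mongodb_port.cil` and confirm the mapping with `semanage port -l | grep 27017`; the file name becomes the module name, so as Robert found, it must not reuse the name of an already loaded module.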
