Subject: [PATCH] refpolicy: allow nfsd to bind nfs port

NFS server need bind to tcp/udp 2049,20048-20049 port, but no
these rules in default refpolicy. So add the allow rules.

Upstream-Status: Pending

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
 policy/modules/contrib/rpc.te           |  2 ++
 policy/modules/kernel/corenetwork.te    | 10 ++++++++++
 policy/modules/kernel/corenetwork.te.in |  1 +
 3 files changed, 13 insertions(+)

diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 0fc7ddd..03783ae 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -128,6 +128,8 @@ corecmd_exec_shell(nfsd_t)
 
 corenet_tcp_bind_all_rpc_ports(nfsd_t)
 corenet_udp_bind_all_rpc_ports(nfsd_t)
+corenet_tcp_bind_nfs_port(nfsd_t)
+corenet_udp_bind_nfs_port(nfsd_t)
 
 dev_dontaudit_getattr_all_blk_files(nfsd_t)
 dev_dontaudit_getattr_all_chr_files(nfsd_t)
diff --git a/policy/modules/kernel/corenetwork.te b/policy/modules/kernel/corenetwork.te
index a5276af..8fca50e 100644
--- a/policy/modules/kernel/corenetwork.te
+++ b/policy/modules/kernel/corenetwork.te
@@ -849,6 +849,16 @@ portcon tcp 5405 gen_context(system_u:object_r:netsupport_port_t,s0)
 portcon udp 5405 gen_context(system_u:object_r:netsupport_port_t,s0)
 
 
+type nfs_port_t, port_type, defined_port_type;
+type nfs_client_packet_t, packet_type, client_packet_type;
+type nfs_server_packet_t, packet_type, server_packet_type;
+typeattribute nfs_port_t unreserved_port_type;
+portcon tcp 2049 gen_context(system_u:object_r:nfs_port_t,s0)
+portcon udp 2049 gen_context(system_u:object_r:nfs_port_t,s0)
+portcon tcp 20048-20049 gen_context(system_u:object_r:nfs_port_t,s0)
+portcon udp 20048-20049 gen_context(system_u:object_r:nfs_port_t,s0)
+
+
 type nmbd_port_t, port_type, defined_port_type;
 type nmbd_client_packet_t, packet_type, client_packet_type;
 type nmbd_server_packet_t, packet_type, server_packet_type;
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index fe2ee5e..fca0bc3 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -164,6 +164,7 @@ network_port(mysqlmanagerd, tcp,2273,s0)
 network_port(nessus, tcp,1241,s0)
 network_port(netport, tcp,3129,s0, udp,3129,s0)
 network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
+network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0)
 network_port(nmbd, udp,137,s0, udp,138,s0)
 network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
 network_port(ntp, udp,123,s0)
-- 
1.7.11.7