1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
Subject: [PATCH] refpolicy: allow nfsd to bind nfs port
NFS server need bind to tcp/udp 2049,20048-20049 port, but no
these rules in default refpolicy. So add the allow rules.
Upstream-Status: Pending
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
policy/modules/contrib/rpc.te | 2 ++
policy/modules/kernel/corenetwork.te | 10 ++++++++++
policy/modules/kernel/corenetwork.te.in | 1 +
3 files changed, 13 insertions(+)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 0fc7ddd..03783ae 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -128,6 +128,8 @@ corecmd_exec_shell(nfsd_t)
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
+corenet_tcp_bind_nfs_port(nfsd_t)
+corenet_udp_bind_nfs_port(nfsd_t)
dev_dontaudit_getattr_all_blk_files(nfsd_t)
dev_dontaudit_getattr_all_chr_files(nfsd_t)
diff --git a/policy/modules/kernel/corenetwork.te b/policy/modules/kernel/corenetwork.te
index a5276af..8fca50e 100644
--- a/policy/modules/kernel/corenetwork.te
+++ b/policy/modules/kernel/corenetwork.te
@@ -849,6 +849,16 @@ portcon tcp 5405 gen_context(system_u:object_r:netsupport_port_t,s0)
portcon udp 5405 gen_context(system_u:object_r:netsupport_port_t,s0)
+type nfs_port_t, port_type, defined_port_type;
+type nfs_client_packet_t, packet_type, client_packet_type;
+type nfs_server_packet_t, packet_type, server_packet_type;
+typeattribute nfs_port_t unreserved_port_type;
+portcon tcp 2049 gen_context(system_u:object_r:nfs_port_t,s0)
+portcon udp 2049 gen_context(system_u:object_r:nfs_port_t,s0)
+portcon tcp 20048-20049 gen_context(system_u:object_r:nfs_port_t,s0)
+portcon udp 20048-20049 gen_context(system_u:object_r:nfs_port_t,s0)
+
+
type nmbd_port_t, port_type, defined_port_type;
type nmbd_client_packet_t, packet_type, client_packet_type;
type nmbd_server_packet_t, packet_type, server_packet_type;
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index fe2ee5e..fca0bc3 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -164,6 +164,7 @@ network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
+network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
network_port(ntp, udp,123,s0)
--
1.7.11.7
|
