Bug 1794531
Summary: | missing definition for both TCP and UDP port 61000 | |
---|---|---|---
Product: | Red Hat Enterprise Linux 8 | Reporter: | Milos Malik <mmalik>
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela>
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 8.2 | CC: | info, lvrabec, mmalik, plautrba, ssekidde
Target Milestone: | rc | Keywords: | Triaged
Target Release: | 8.4 | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | No Doc Update
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2021-05-18 14:57:35 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Milos Malik
2020-01-23 19:16:10 UTC
Seems the change introduced in Fedora with this patch:

$ git show 17994ab421f6d9516523f6d75d5d79e50b6c1140
commit 17994ab421f6d9516523f6d75d5d79e50b6c1140
Author: Lukas Vrabec <lvrabec>
Date:   Wed Dec 12 15:55:16 2018 +0100

    Fixing range for ephemeral ports BZ(1518807)

    Range of ephemeral ports is 32768-60999 based on:
    # sysctl net.ipv4.ip_local_port_range
    net.ipv4.ip_local_port_range = 32768 60999

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index ff8ce41e8..b9b1f21e9 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -398,10 +398,10 @@ portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0) -portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0) +portcon tcp 32768-60999 gen_context(system_u:object_r:ephemeral_port_t, s0) portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0) portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0) -portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0) +portcon udp 32768-60999 gen_context(system_u:object_r:ephemeral_port_t, s0) portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0) ########################################

has left the port 61000 without a specific label for tcp and udp:

portcon tcp 32768-60999 gen_context(system_u:object_r:ephemeral_port_t, s0)
portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
portcon udp 32768-60999 gen_context(system_u:object_r:ephemeral_port_t, s0)
portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)

*** Bug 1850029 has been marked as a duplicate of this bug. ***

I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/475

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639
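Review bot: the hunk lowers the upper bound of the tcp and udp ephemeral ranges from 61000 to 60999 but leaves the unchanged context lines `portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)` and `portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)` starting at 61001, so port 61000 is matched by no portcon statement for either protocol and gets only the generic default port label instead of unreserved_port_t like its neighbours. The commit message's justification (`net.ipv4.ip_local_port_range = 32768 60999`) is an inclusive range, so 60999 is the right ephemeral end; the fix belongs in the following range, which should become `portcon tcp 61000-65535 gen_context(system_u:object_r:unreserved_port_t, s0)` and the udp equivalent. The hunk context also shows an sctp reserved_port_t line; if the file carries an sctp ephemeral range it should be checked for the same off-by-one.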
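The reporter's observation, that 32768-60999 followed by 61001-65535 leaves 61000 with no portcon statement, is easy to check mechanically across a whole policy file. The script below is an added example written for this page; it is not code from selinux-policy, from the reporter, or from the Fedora PR. It parses portcon statements in the syntax shown in the hunk, reports every port in a protocol's range that no statement covers, flags ports claimed by two overlapping statements, and looks up the type a given port would receive. The sample policy text is constructed from the lines quoted in the bug, so it is incomplete (ports 512-1023 are not quoted and therefore also show up as a gap); the "fixed" variant assumes the neighbouring range is widened to 61000-65535 as one way to close the hole, which is an assumption for illustration and not a claim about what the PR did.

```python
"""Scan SELinux portcon statements for ports no statement labels.

Added example for this bug report, not code from selinux-policy. It finds
exactly the kind of hole the bug describes: an ephemeral range ending at
60999 directly followed by a range starting at 61001.
"""
import re
from typing import Dict, List, Tuple

# portcon <proto> <port|lo-hi> gen_context(<user>:<role>:<type>, <range>)
PORTCON_RE = re.compile(
    r"^\s*portcon\s+(?P<proto>tcp|udp|sctp|dccp)\s+"
    r"(?P<lo>\d+)(?:-(?P<hi>\d+))?\s+"
    r"gen_context\(\s*\w+:\w+:(?P<type>\w+)\s*,\s*[^)]*\)",
    re.MULTILINE,
)

# Constructed sample: the post-patch lines quoted in the bug report only.
SAMPLE_POLICY = """\
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
portcon tcp 32768-60999 gen_context(system_u:object_r:ephemeral_port_t, s0)
portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
portcon udp 32768-60999 gen_context(system_u:object_r:ephemeral_port_t, s0)
portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
"""

# Assumed fix for illustration: widen the following range to start at 61000.
# This is not taken from the Fedora PR referenced in the bug.
FIXED_POLICY = SAMPLE_POLICY.replace("61001-65535", "61000-65535")

Range = Tuple[int, int, str]  # (lo, hi, type)


def parse_portcon(text: str) -> Dict[str, List[Range]]:
    """Return {proto: [(lo, hi, type), ...]} with each list sorted by lo."""
    ranges: Dict[str, List[Range]] = {}
    for m in PORTCON_RE.finditer(text):
        lo = int(m["lo"])
        hi = int(m["hi"]) if m["hi"] else lo
        ranges.setdefault(m["proto"], []).append((lo, hi, m["type"]))
    for proto in ranges:
        ranges[proto].sort()
    return ranges


def find_gaps(ranges: List[Range], lo: int = 1, hi: int = 65535) -> List[Tuple[int, int]]:
    """Ports in [lo, hi] covered by no range, as inclusive (first, last) pairs."""
    gaps: List[Tuple[int, int]] = []
    cursor = lo  # first port not yet known to be covered
    for r_lo, r_hi, _ in ranges:
        if r_lo > cursor:
            gaps.append((cursor, min(r_lo - 1, hi)))
        cursor = max(cursor, r_hi + 1)
        if cursor > hi:
            break
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps


def find_overlaps(ranges: List[Range]) -> List[Tuple[int, int, str, str]]:
    """Ports claimed by two statements: (first, last, earlier_type, later_type)."""
    overlaps: List[Tuple[int, int, str, str]] = []
    max_hi, max_type = 0, ""
    for r_lo, r_hi, r_type in ranges:  # sorted by lo, so only the running max matters
        if r_lo <= max_hi:
            overlaps.append((r_lo, min(r_hi, max_hi), max_type, r_type))
        if r_hi > max_hi:
            max_hi, max_type = r_hi, r_type
    return overlaps


def label_for(ranges: List[Range], port: int, default: str = "port_t") -> str:
    """Type a port receives; an unmatched port gets the policy's port initial SID (port_t)."""
    for r_lo, r_hi, r_type in ranges:
        if r_lo <= port <= r_hi:
            return r_type
    return default


if __name__ == "__main__":
    for name, text in (("as patched", SAMPLE_POLICY), ("assumed fix", FIXED_POLICY)):
        print(f"== {name} ==")
        for proto, ranges in parse_portcon(text).items():
            # Scan from 1024 upward so the unquoted 512-1023 lines do not drown the result.
            print(f"{proto}: gaps {find_gaps(ranges, lo=1024)} overlaps {find_overlaps(ranges)}")
        print("tcp/61000 ->", label_for(parse_portcon(text)["tcp"], 61000))
```

Run against the real corenetwork.te.in (or the output of `seinfo --portcon 61000` on an installed policy, which prints the statements matching a port) the same scan should report no gap above 1024 once the fix from the errata is installed; any port that still comes back as `port_t` is one that policy rules written against ephemeral_port_t or unreserved_port_t will not cover.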