Bug 1794531
| Summary: | missing definition for both TCP and UDP port 61000 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.2 | CC: | info, lvrabec, mmalik, plautrba, ssekidde |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.4 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-18 14:57:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Milos Malik
2020-01-23 19:16:10 UTC
Seems the change introduced in Fedora with this patch:
$ git show 17994ab421f6d9516523f6d75d5d79e50b6c1140
commit 17994ab421f6d9516523f6d75d5d79e50b6c1140
Author: Lukas Vrabec <lvrabec>
Date: Wed Dec 12 15:55:16 2018 +0100
Fixing range for ephemeral ports BZ(1518807)
Range of ephemeral ports is 32768-60999 based on:
# sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768 60999
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index ff8ce41e8..b9b1f21e9 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -398,10 +398,10 @@ portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
-portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
+portcon tcp 32768-60999 gen_context(system_u:object_r:ephemeral_port_t, s0)
portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
-portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
+portcon udp 32768-60999 gen_context(system_u:object_r:ephemeral_port_t, s0)
portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
########################################
has left the port 61000 without a specific label for tcp and udp:
portcon tcp 32768-60999 gen_context(system_u:object_r:ephemeral_port_t, s0)
portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
portcon udp 32768-60999 gen_context(system_u:object_r:ephemeral_port_t, s0)
portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
*** Bug 1850029 has been marked as a duplicate of this bug. *** I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/475 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1639 |