portage: connect all unreserved for FTP PASV mode.

FTP PASV mode does not use specific ports, so the only way is to allow all unreserved. avc: denied { name_connect } for pid=5274 comm="wget" dest=26213 scontext=root:sysadm_r:portage_fetch_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=0 Gentoo bug 540056
author: Jason Zaman <jason@perfinion.com> 2015-05-30 16:42:54 +0400
committer: Jason Zaman <jason@perfinion.com> 2015-05-30 16:42:54 +0400
commit: 23a0cb85e78deca55835b7e4964a8c19d6aa508e (patch)
tree: a75f141090a7715fdd972e735f3c962ee254fed4
parent: salt: use init_startstop_service interface in _admin (diff)
download: hardened-refpolicy-23a0cb85.tar.gz
hardened-refpolicy-23a0cb85.tar.bz2
hardened-refpolicy-23a0cb85.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 83d6ab4a9..2e8ab9e53 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -295,6 +295,8 @@ corenet_sendrecv_rsync_client_packets(portage_fetch_t)
 # it occasionally comes up
 corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
 corenet_tcp_connect_generic_port(portage_fetch_t)
+# bug 540056
+corenet_tcp_connect_all_unreserved_ports(portage_fetch_t)
 
 dev_dontaudit_read_rand(portage_fetch_t)
author	Jason Zaman <jason@perfinion.com>	2015-05-30 16:42:54 +0400
committer	Jason Zaman <jason@perfinion.com>	2015-05-30 16:42:54 +0400
commit	23a0cb85e78deca55835b7e4964a8c19d6aa508e (patch)
tree	a75f141090a7715fdd972e735f3c962ee254fed4
parent	salt: use init_startstop_service interface in _admin (diff)
download	hardened-refpolicy-23a0cb85.tar.gz hardened-refpolicy-23a0cb85.tar.bz2 hardened-refpolicy-23a0cb85.zip