David Highley wrote:
> "Daniel J Walsh wrote:"
>>
>> On 12/03/2009 12:33 AM, David Highley wrote:
>> > I'm trying to get sshdfilter, a Perl wrapper around sshd, to work in
>> > Fedora 12. The script needs to be able to call iptables to drop in new
>> > rejection rules for detected hacking connections. I used "semanage fcontext
>> > -a -t sshd_exec_t" which gave it the same context as sshd. I have not
>> > been able to change the unconfined_u to system_u:
>> > ls -Z /usr/sbin/sshdfilter
>> > unconfined_u:object_r:sshd_exec_t:s0
>> >
>> > I was getting avc errors so I created an allow policy:
>> >
>> > module mysshdfilter 1.0;
>> >
>> > require {
>> >         type iptables_exec_t;
>> >         type iptables_t;
>> >         type sshd_t;
>> >         class file execute;
>> >         class fifo_file read;
>> > }
>> >
>> > #============= iptables_t ==============
>> > allow iptables_t self:fifo_file read;
>> >
>> > #============= sshd_t ==============
>> > allow sshd_t iptables_exec_t:file execute;
>> >
>> >
>> > Now I'm getting:
>> >
>> > time->Wed Dec 2 21:07:04 2009
>> > type=USER_ROLE_CHANGE msg=audit(1259816824.474:201): user pid=3664 uid=0
>> > auid=0 ses=12 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
>> > msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> > selected-context=?: exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=failed'
>> >
>> > --
>> > fedora-selinux-list mailing list
>> > fedora-selinux-list@xxxxxxxxxx
>> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> >
>> >
>> You probably want
>>
>> iptables_domtrans(sshd_t)
>
> I tried adding this statement to the file, but checkmodule gave a syntax
> error. I tried searching through the selinux files but did not find an
> example of how to use the above statement.
>
>>
>> The ROLE_CHANGE is not an SELinux error, it is just an audit message.
>>
>> I will add the fifo_file rule to iptables policy
>>
>> Fixed in selinux-policy-3.6.32-54.fc12
>>
>> If you want to get real crazy you could write policy for
>> /usr/sbin/sshdfilter
>>
>>
>> policy_module(sshdfilter, 1.0)
>>
>> ssh_server_template(sshdfilter)
>> iptables_domtrans(sshdfilter_t)

Your original policy "module mysshdfilter 1.0;" is written in the old-fashioned way: a requirements declaration followed by allow rules. This is how I write my policy, too. Daniel's example uses the new way - a whole new policy programming language which needs to be pre-processed and compiled. You can't mix the old and new ways.

To compile with the new way (on EL5 - hopefully Fedora 12 is similar) you need the selinux-policy-devel package. Simply use the checkmodule command to build a .mod module file from the .te file, and then the semanage_module command to combine the .mod file with any .fc file to produce the loadable .pp module file, which you can load with semodule. You can also have a .if file, but I'm not sure where that fits in to things yet.

    # build the binary module from the type enforcement source
    checkmodule [ -M ] -m mysshdfilter.te -o mysshdfilter.mod
    # package .mod (and optional .fc) into a loadable .pp; the tool is semodule_package
    semodule_package -m mysshdfilter.mod -o mysshdfilter.pp [ -f mysshdfilter.fc ]
    # load it into the running policy
    semodule -i mysshdfilter.pp

Which leads me to a question I have been meaning to ask for a while now: if I compile my policy the old way, I get a module of a certain size. If I build exactly the same policy using the m4 macros and examine the pre-processed files, there is a whole lot of extra stuff that has been added. What is all that? What is the advantage of having it added to each module?

Moray.
"To err is human. To purr, feline"

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
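The three-step build Moray describes (checkmodule, package, semodule -i), wrapped as a small POSIX sh function; this is an added example, not code from the thread. It assumes the checkmodule, semodule_package and semodule binaries from selinux-policy-devel / policycoreutils, only attaches the .fc file when one exists, and honours a DRY_RUN variable (an assumption of this script) so the command lines can be inspected on a machine without SELinux tooling.

```shell
#!/bin/sh
# Build and load a SELinux policy module from NAME.te (plus NAME.fc if present).
# Added example; not from the mailing-list thread. Assumes checkmodule,
# semodule_package and semodule are installed. DRY_RUN=1 prints the commands
# instead of executing them.

build_module() {
    name=$1
    [ -f "$name.te" ] || { echo "missing $name.te" >&2; return 1; }

    # -M: build against the MLS/MCS-enabled policy Fedora ships (needed there).
    # -m: produce a loadable (non-base) module.
    run checkmodule -M -m -o "$name.mod" "$name.te"

    # semodule_package turns the .mod and the optional file-context file into a .pp.
    if [ -f "$name.fc" ]; then
        run semodule_package -o "$name.pp" -m "$name.mod" -f "$name.fc"
    else
        run semodule_package -o "$name.pp" -m "$name.mod"
    fi

    # Install (or upgrade) the module in the running policy store.
    run semodule -i "$name.pp"
}

# Execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# usage: . ./build-module.sh && build_module mysshdfilter
```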