Re: Fedora 12 and unconfined_u sshdfilter


 



"David Highley wrote:"
> 
> "Dominick Grift wrote:"
> > 
> > 
> > On Mon, Dec 14, 2009 at 10:25:08AM -0800, David Highley wrote:
> > > "Dominick Grift wrote:"
> > > > On Mon, Dec 07, 2009 at 12:01:09PM +0000, Moray Henderson (ICT) wrote:
> > > > > James Carter wrote:
> > > > > >Dan's example used Refpolicy interfaces.  Interfaces are very useful and
> > > > > >provide a better layer of abstraction, but they are just m4 macros,
> > > > > >which have always been used in SELinux policy.
> > > > > >
> > > > > >Interfaces should be used as much as possible, but it is not true that
> > > > > >you can't mix the old and new ways.
> > > > >
> > > > > Mixing the plain rules and the m4 macros didn't work when I tried it - but
> > > > > perhaps I just wasn't writing it right.  Is there a Refpolicy tutorial
> > > > > anywhere?
> > > >
> > > > I spent a little time today writing about the policy structure in Fedora.
> > > > Maybe it can help you or others:
> > > >
> > > > http://82.197.205.60/~dgrift/stuff/Managing_a_SELinux_environment_with_Fedora_12.pdf
> > >
> > >
> > > Still have not mastered this one yet. Here is the policy file created by
> > > grep of /var/log/audit/audit.log file piped to audit2allow:
> > >
> > > module mysshdfilter 1.0;
> > >
> > > require {
> > > 	type var_run_t;
> > > 	type iptables_exec_t;
> > > 	type bin_t;
> > > 	type sshd_t;
> > > 	type iptables_t;
> > > 	class lnk_file read;
> > > 	class file { read getattr open execute execute_no_trans };
> > > 	class fifo_file { read write ioctl getattr };
> > > }
> > >
> > > #============= iptables_t ==============
> > > allow iptables_t bin_t:lnk_file read;
> > > allow iptables_t self:fifo_file { read write ioctl getattr };
> > 
> > # same rules expressed with refpolicy interfaces; m4 quotes open with ` and close with '
> > echo "policy_module(newiptables, 1.0.0)" > newiptables.te
> > echo "optional_policy(\`" >> newiptables.te
> > echo "gen_require(\`" >> newiptables.te
> > echo "type iptables_t;" >> newiptables.te
> > echo "')" >> newiptables.te
> > echo "corecmd_read_bin_symlinks(iptables_t)" >> newiptables.te
> > echo "allow iptables_t self:fifo_file rw_fifo_file_perms;" >> newiptables.te
> > echo "')" >> newiptables.te
> > 
> > make -f /usr/share/selinux/devel/Makefile newiptables.pp

Running the make for the above file ended up in an infinite loop
outputting:
myiptables.te:2: Warning: deprecated use of module name () as first
parameter of optional_policy() block.

> > sudo semodule -i newiptables.pp
> > 
> > >
> > > #============= sshd_t ==============
> > > allow sshd_t iptables_exec_t:file { read execute open execute_no_trans };
> > 
> > echo "policy_module(newsshd, 1.0.0)" > newsshd.te
> > echo "optional_policy(\`" >> newsshd.te
> > echo "gen_require(\`" >> newsshd.te
> > echo "type sshd_t;" >> newsshd.te
> > echo "')" >> newsshd.te
> > echo "iptables_domtrans(sshd_t)" >> newsshd.te
> > echo "')" >> newsshd.te
> > 
> > make -f /usr/share/selinux/devel/Makefile newsshd.pp
> > sudo semodule -i newsshd.pp
> > 
> > > allow sshd_t var_run_t:file getattr;
> > 
> > This one is a bit more complicated because I don't know for sure what created
> > it (in what context does sshdfilter run?)
> > >
> 
> I also meant to ask if all three policy changes (mysshdfilter.pp, newiptables.pp,
> and newsshd.pp) are needed?
> 
> <trimmed audit log entries>
> 
> > > > > Moray.
> > > > > "To err is human.  To purr, feline"
> > > > > --
> > > > > fedora-selinux-list mailing list
> > > > > fedora-selinux-list@xxxxxxxxxx
> > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list

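The two interface-based modules from the thread, written as a checked shell script; this is an added example, not code from the thread or from the refpolicy project. The helper names (write_te, m4_quotes_balanced, build_and_load) are mine, and it assumes the refpolicy devel Makefile and semodule commands the thread already uses.

```shell
#!/bin/sh
# Added example: write the newiptables and newsshd modules as refpolicy .te
# files through a heredoc, so the m4 quotes (` and ') land in the file exactly
# as intended, then verify the quoting balances before building.

# write_te MODULE DOMAIN BODY: wrap refpolicy interface calls for DOMAIN in an
# optional_policy() block; the block pulls in the domain type via gen_require().
# In an unquoted heredoc a backtick must be written \` or the shell treats it
# as command substitution; the closing ' needs no escaping.
write_te() {
    mod=$1; dom=$2; body=$3
    cat > "$mod.te" <<EOF
policy_module($mod, 1.0.0)

optional_policy(\`
    gen_require(\`
        type $dom;
    ')

$body
')
EOF
}

# m4 opens a quote with ` (octal 140) and closes it with ' (octal 047). A stray
# ' typed where a ` was meant leaves the counts unequal and the block mis-parsed,
# so refuse to build a .te whose open and close counts differ.
m4_quotes_balanced() {
    opens=$(( $(tr -cd '\140' < "$1" | wc -c) ))
    closes=$(( $(tr -cd '\047' < "$1" | wc -c) ))
    [ "$opens" -eq "$closes" ]
}

# Build and load a checked module with the refpolicy devel Makefile (needs the
# selinux-policy-devel package and root for semodule).
build_and_load() {
    m4_quotes_balanced "$1.te" || { echo "$1.te: unbalanced m4 quotes" >&2; return 1; }
    make -f /usr/share/selinux/devel/Makefile "$1.pp" && sudo semodule -i "$1.pp"
}

# The two modules from the thread: iptables_t reads symlinks under bin_t and
# uses its own FIFOs; sshd_t gets a domain transition into iptables_t.
write_te newiptables iptables_t \
"    corecmd_read_bin_symlinks(iptables_t)
    allow iptables_t self:fifo_file rw_fifo_file_perms;"
write_te newsshd sshd_t "    iptables_domtrans(sshd_t)"

if [ -f /usr/share/selinux/devel/Makefile ]; then
    for m in newiptables newsshd; do build_and_load "$m"; done
fi
```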