Re: Need new secret sauce

Dominick Grift wrote:
> 
> On Thu, May 06, 2010 at 08:35:25PM -0700, David Highley wrote:
> > Did the usual dance after selinux policy seemed to get wiped out. Does
> > not appear to be working. I also did a semodule -r mysshdfilter just to
> > make sure there was not something fouled up.
> >
> > grep sshdfilter /var/log/audit/audit.log | tail -2 | audit2allow -M
> > mysshdfilter
> >
> > semodule -i mysshdfilter.pp
> >
> >
> > type=SYSCALL msg=audit(1273152205.754:30341): arch=c000003e syscall=2
> > success=no exit=-13 a0=1f16088 a1=241 a2=1b6 a3=7f26f5e60920 items=0
> > ppid=24925 pid=24926 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=(none) ses=731 comm="sshdfilter" exe="/usr/bin/perl"
> > subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1273152205.754:30341): avc:  denied  { write } for
> > pid=24926 comm="sshdfilter" name="sshdfilter.pid.SSHD" dev=dm-0 ino=539
> > scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:var_run_t:s0 tclass=file
> 
> 
> Looks like this app may need policy. I could not find a sshdfilter package
> in the regular fedora repositories though.
> 
> The fact of the matter is that /var/run/sshdfilter.pid.SSHD somehow is
> mislabeled, and that sshd_t cannot access the mislabeled pid file.
> 
> In some cases using audit2allow to allow stuff is a bad idea. This is one
> such example.
> 
> The problem needs to be solved at its core. We need to figure out why and
> when the pid was mislabeled and make sure it instead gets a proper label.

Yes, it would be nice to have this application show up as a standard
package. It makes it easy to tighten up outside secure shell access. The
software comes from http://www.cs.liv.ac.uk/~greg/sshdfilter/

It is a Perl script and a configuration file. It wraps around sshd to
give you the ability to deny access to login accounts; it detects ping
probes and break-in attempts and dynamically creates iptables rules to
block sites. It ages the rules and drops them back out after
configurable time periods.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
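The distinction Dominick draws above, a mislabeled object versus a real policy gap, can be made mechanically from the AVC record before anyone runs audit2allow. The script below is an added example and is not code from this thread or from sshdfilter: it parses an AVC line (a constructed sample modelled on the one quoted above), checks whether the target type is a directory-default type that a confined domain should only reach through a type transition, and if so prints the relabeling commands to run instead of loading an allow rule. The function names and the generic-type heuristic are my own; the expected pid-file type (sshd_var_run_t, following the refpolicy <domain>_var_run_t convention) and the /var/run path inferred from var_run_t are assumptions to confirm with matchpathcon and ls -Z on the target system.

```shell
#!/bin/sh
# Added example: triage an SELinux AVC denial as "relabel" or "policy".
# Not part of the mailing-list thread or of sshdfilter.

# Constructed sample, modelled on the AVC line quoted in the thread.
AVC_SAMPLE='type=AVC msg=audit(1273152205.754:30341): avc:  denied  { write } for pid=24926 comm="sshdfilter" name="sshdfilter.pid.SSHD" dev=dm-0 ino=539 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value in LINE, quotes stripped.
# AVC values never contain whitespace, so plain word splitting is safe.
avc_field() {
    set -f                       # no globbing while we word-split the record
    for tok in $1; do
        case $tok in
            "$2"=*)
                val=${tok#*=}
                val=${val#\"}
                val=${val%\"}
                set +f
                printf '%s\n' "$val"
                return 0
                ;;
        esac
    done
    set +f
    return 1
}

# context_type CONTEXT: the type field of user:role:type[:range].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_denial LINE: "relabel" when the target carries a directory-default
# type (heuristic list, my own) that a confined domain normally reaches only
# via a type transition, meaning the object was created with the wrong label;
# "policy" otherwise. audit2allow would emit `allow sshd_t var_run_t:file write;`
# for the sample, which opens every var_run_t file to sshd_t instead of fixing
# one pid file.
classify_denial() {
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    case $tgt in
        var_run_t|var_t|var_log_t|var_lib_t|etc_t|default_t|unlabeled_t)
            echo relabel ;;
        *)
            echo policy ;;
    esac
}

# suggested_fix LINE: commands to run instead of audit2allow for a labeling
# denial. The AVC carries only the basename; /var/run is inferred from
# var_run_t, so confirm the path with `ls -Z` before applying.
suggested_fix() {
    name=$(avc_field "$1" name)
    src=$(context_type "$(avc_field "$1" scontext)")
    want="${src%_t}_var_run_t"   # assumption: refpolicy naming, sshd_t -> sshd_var_run_t
    printf 'matchpathcon /var/run/%s\n' "$name"
    printf 'semanage fcontext -a -t %s "/var/run/%s"\n' "$want" "$name"
    printf 'restorecon -v "/var/run/%s"\n' "$name"
}

# Stand-alone run: print the verdict and the remediation for the sample.
if [ "$(classify_denial "$AVC_SAMPLE")" = relabel ]; then
    suggested_fix "$AVC_SAMPLE"
else
    echo "genuine policy gap: write a policy module instead of relabeling"
fi
```

The semanage line persists the mapping so a future restorecon or relabel keeps the fix; if the regex already exists in the local fcontext store, semanage -a fails and -m (modify) is the right switch. The deeper question in the thread, why the file was created as var_run_t in the first place, is usually that sshdfilter (run from sshd_t) has no file type transition of its own, so the fcontext rule is the durable answer until a proper sshdfilter policy module provides one.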
