On 06/29/2010 01:42 AM, Mr Dash Four wrote:
>
>>> I did and everything works to absolute perfection!
>>>
>>> I couldn't help but try it myself. Both "semodule -i" and "restorecon
>>> -rivvF /" (this is what I executed to relabel the whole file system - is
>>> that right?) ran without any difficulties and did the job as expected.
>>> When I later on mounted the image and logged in using qemu everything
>>> was there as expected (semodule -lv shows the newly installed module and
>>> I also ran cross checks on the SELinux file attributes to see whether
>>> they were changed with "ls -Z" and they have).
>>>
>>
>> sudo restorecon -R -v should usually suffice.
>> The -F (force) option is to force customizable types to be reset.
>> Customizable types are types defined to not relabel by default.
>>
> Noted, thanks.
>
>>> There is a slight drawback to all of this though - for some (well, most
>>> really) processes I use non-standard ports (another security measure I
>>> have taken onboard and implemented). sshd for example is not listening
>>> on the 'standard' port (tcp/22), but on a different one and this causes
>>> SELinux to issue a "denied { name_bind }" alert. Also, my syslog-ng is
>>>
>>
>>
>> For example if ssh binds tcp sockets to port 11000:
>>
>> sudo semanage port -a -t ssh_port_t -p tcp 11000
>>
> Is this type "ssh_port_t" something which is already registered (as
> part of the targeted policy perhaps?) and I am just modifying it, or is
> this not the case?
>

Yes, ssh_port_t is the ssh port type. tcp:22 is labelled with type ssh_port_t; we just label tcp:11000 ssh_port_t so that ssh can bind tcp sockets to that port as well.

>>> using a directory, which maps to a non-standard directory (through
>>> symbolic link - /var/log is a symbolic link to a different/secure
>>> partition of the disk) and that also causes a "denied { read }" with
>>> "tclass=lnk_file" alert.
>>>
>>
>> This will require a patch (need more info: avc denials of this event).
>>
> I will post it separately, as when I run the image with qemu cutting and
> pasting is not as straightforward.
>
>>> What documentation source would you recommend for this kind of job? As
>>> all alterations will be done through the kickstart file I am going to
>>> use command line tools only - no GUI!
>>>
>>
>> www.selinuxbyexample.com
>>
>> But the best doc, up to date and all, is the source policy. Writing policy
>> isn't so hard but there's a lot of it usually. And if you focus on the
>> amount of rules then it's easy to think that stuff is complex.
>>
>> If you take away all the types, then it boils down to the core, which
>> are type statements, classes, attributes, types, interfaces, templates,
>> permissions, permission sets, and a few more of those things. You can
>> learn all about those by just studying the source policy.
>> www.selinuxproject.org also has some nice docs.
>>
> Noted, many thanks!
>
> I am really liking this - today I tried to execute "semodule -lv >
> loaded_modules.txt" (as root and pwd -> /root) and instantly got an
> alert - semodule was prevented from creating that file! Lovely stuff!

Exactly my thought.

> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
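As an added example (not part of the list exchange above), here is a small shell script that reads AVC denial lines, picks out the name_bind ones and prints the matching "semanage port -a" command from the thread, so a non-standard sshd port can be labelled instead of silenced; the sshd_t to ssh_port_t table and the sample audit lines are constructed assumptions, not real captured output.

```shell
#!/bin/sh
# Added example (not from the list thread): turn name_bind AVC denials into the
# "semanage port -a" fix discussed above. The sample audit lines are constructed.

# Domain -> port type the daemon may bind. ssh_port_t comes from the thread;
# limiting the table to sshd_t is an assumption, other domains are only reported.
port_type_for_domain() {
    case "$1" in
        sshd_t) echo ssh_port_t ;;
        *) return 1 ;;
    esac
}

# Read AVC lines on stdin. For every name_bind denial print the semanage
# command that labels the port; denials for other permissions are ignored.
suggest_port_labels() {
    awk '$0 ~ /denied/ && $0 ~ /name_bind/ {
        dom = ""; port = ""; proto = "tcp"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, c, ":"); dom = c[3] }   # user:role:type
            else if ($i ~ /^src=/) { port = substr($i, 5) }
            else if ($i ~ /^tclass=udp_socket/) { proto = "udp" }
        }
        print dom, proto, port
    }' | while read -r dom proto port; do
        if ptype=$(port_type_for_domain "$dom"); then
            echo "semanage port -a -t $ptype -p $proto $port"
        else
            echo "# $dom bound $proto/$port: no known port type, check: semanage port -l"
        fi
    done
}

# Constructed audit lines: the sshd name_bind case from the thread, the
# syslog-ng lnk_file read denial (not a port problem), and an unknown domain.
SAMPLE_AVC='type=AVC msg=audit(1277771111.123:45): avc:  denied  { name_bind } for  pid=1234 comm="sshd" src=11000 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1277771112.456:46): avc:  denied  { read } for  pid=1300 comm="syslog-ng" name="log" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
type=AVC msg=audit(1277771113.789:47): avc:  denied  { name_bind } for  pid=1400 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

printf '%s\n' "$SAMPLE_AVC" | suggest_port_labels
```

Review the printed commands before running them as root; the lnk_file denial for syslog-ng is deliberately left alone, since it needs a policy change rather than a port label.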