Re: SELinux and Shorewall with IPSets

On 06/30/2010 06:35 PM, Mr Dash Four wrote:
> 
>>> Well, I do not wish to keep the tcp/22 as part of the policy (if left,
>>> it creates a loophole!). I tried "semanage port -m -t ssh_port_t -p tcp
>>> 222" (to modify it), but got "/usr/sbin/semanage: Port tcp/222 is not
>>> defined". I then added tcp/222 as you suggested and then tried to
>>> execute "semanage port -d -t ssh_port_t -p tcp 22" to remove the tcp/22
>>> part, but got this: "/usr/sbin/semanage: Port tcp/22 is defined in
>>> policy, cannot be deleted". What does that mean exactly?
>>>     
>>
>> It means that the corenetwork module (which is compiled into the base
>> module) has a port object context specification for type ssh_port_t --
>> tcp:22
>>
>> So you would have to edit that in the main selinux-policy package.
>>   
> How do I do that? I looked at /usr/share/selinux/targeted, but could not
> see anything, which could be edited.

You would need to edit the source, and rebuild modified selinux-policy
packages. The port declaration is located in
policy/modules/kernel/corenetwork.te.in.

In the following example it is on line 192:

http://oss.tresys.com/projects/refpolicy/browser/policy/modules/kernel/corenetwork.te.in

To modify it you would:

download the selinux-policy.src.rpm corresponding to the version you
have installed.

extract the source rpm.

extract the serefpolicy.tgz that is included in the source rpm.

apply the "*.patch" that is included in the source rpm

make your modifications

edit the selinux-policy.spec that is included with the source rpm.
Remove any reference to the patch. You have just applied it.

repackage the serefpolicy directory (create the same serefpolicy.tgz but
this time with patch applied and modification applied)

copy the contents to ~/rpmbuild/SOURCES/ (exclude the patch since it is
already applied)

copy the selinux-policy.spec to ~/rpmbuild/SPECS

run: rpmbuild -ba ~/rpmbuild/SPECS/selinux-policy.spec

install the modified/created selinux-policy and selinux-policy-targeted
rpms.
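The following script is an added example, not something from this thread or from the selinux-policy package: it carries out the "make your modifications" step on a copy of corenetwork.te.in and wires the surrounding src.rpm steps into one helper. It assumes the refpolicy declaration reads "network_port(ssh, tcp,22,s0)", that the spec applies its patch with -p1 and references it via Patch:/%patch lines, and the default ~/rpmbuild layout; those are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the declaration
# "network_port(ssh, tcp,22,s0)" in corenetwork.te.in, a -p1 patch and
# Patch:/%patch spec tags, and the ~/rpmbuild layout (all assumptions).

# Change the ssh port declaration in corenetwork.te.in to NEW_PORT.
# Fails (returns 1) if the expected line is absent, so a policy whose
# layout differs is not silently left unmodified.
edit_ssh_port() {
    file=$1; new_port=$2
    grep -q '^network_port(ssh, tcp,22,s0)' "$file" || return 1
    out=$(mktemp) || return 1
    sed "s/^network_port(ssh, tcp,22,s0)/network_port(ssh, tcp,${new_port},s0)/" \
        "$file" > "$out" && mv "$out" "$file"
}

# Whole procedure from the mail: extract src.rpm, unpack serefpolicy,
# apply the bundled patch, edit, repack, drop the patch from the spec,
# copy into ~/rpmbuild and build. Only runs when invoked as:
#   sh rebuild.sh --rebuild selinux-policy-<ver>.src.rpm 222
rebuild_policy() {
    srcrpm=$1; new_port=$2
    work=$(mktemp -d) && cd "$work" || return 1
    rpm2cpio "$srcrpm" | cpio -idm                       # extract the source rpm
    tgz=$(ls serefpolicy-*.tgz) && tar xzf "$tgz" || return 1
    dir=${tgz%.tgz}
    for p in *.patch; do                                 # apply "*.patch" (-p1 assumed)
        [ -e "$p" ] && patch -d "$dir" -p1 < "$p"
    done
    edit_ssh_port "$dir/policy/modules/kernel/corenetwork.te.in" "$new_port" || return 1
    tar czf "$tgz" "$dir"                                # repackage with patch + edit applied
    # the patch is already applied: remove its references from the spec
    sed -i '/^[Pp]atch[0-9]*:/d;/^%patch/d' selinux-policy.spec
    mkdir -p "$HOME/rpmbuild/SOURCES" "$HOME/rpmbuild/SPECS"
    find . -maxdepth 1 -type f ! -name '*.patch' ! -name '*.spec' \
        -exec cp {} "$HOME/rpmbuild/SOURCES/" \;       # sources minus the applied patch
    cp selinux-policy.spec "$HOME/rpmbuild/SPECS/"
    rpmbuild -ba "$HOME/rpmbuild/SPECS/selinux-policy.spec"
}

if [ "${1:-}" = "--rebuild" ]; then
    rebuild_policy "$2" "$3"
fi
```

The rebuilt packages carry the change only until the next selinux-policy update, which reinstalls the stock corenetwork declaration, so the procedure has to be repeated for each update.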

>>> type=1400 audit(1277908958.656.4): avc: denied  { read } for pid=906
>>> comm="rsyslogd" name="log" dev=dm-0 ino=16386
>>> scontext=system_u:system_r:syslogd_t:s0
>>> tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
>>>
>>> There is a similar one with "mingetty" as well, but
>>> scontext=system_u:system_r:getty_t:s0
>>>     
>>
>> This symlink is mislabeled. What/who created it? If you, yourself,
>> created it, then you may be able to make things work by labeling the
>> symlink type bin_t or type var_log_t, provided that the source of the
>> interaction (in this case syslogd_t and getty_t) have access to the
>> target of the symlink.
>>   
> I did create it - it was done during the image build (it is empty, but
> it links to a separate/secure partition on the target machine).
> Relabelling worked though; I had to link the actual partition in order
> to make it work!

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux