Re: HOWTO Logging tcp binding on permissive mode


 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/25/2011 01:03 PM, François Chenais wrote:
> 2011/1/24 François Chenais <francois.chenais@xxxxxxxxx>
> 
>>
>>
>> 2011/1/24 Dominick Grift <domg472@xxxxxxxxx>
>>
>> On Mon, Jan 24, 2011 at 09:49:01AM +0100, François Chenais wrote:
>>>> Hello,
>>>>
>>>>
>>>> I would like to log process binding on tcp ports > 1023.
>>>
>>> something like this may work:
>>>
>>> mkdir mytest; cd mytest; echo "policy_module(mytest, 1.0.0) gen_require(\`
>>> attribute domain, userdomain, port_type; ') auditallow { userdomain domain }
>>> port_type:tcp_socket name_bind;" > mytest.te; make -f
>>> /usr/share/selinux/devel/Makefile mytest.pp; sudo semodule -i mytest.pp
>>>
>>> Then any attempts to bind tcp_sockets to port_type ports by domain as well
>>> as userdomain will be logged in /var/log/audit/audit.log.
>>>
>>> Coool ! Thanks a lot, I'm trying it now ...
>>
>>
>>
> 
> It works fine.
> 
> 
> I've modified your example to permit a port list selection ::
> 
>  $ cat mytest.te
>  policy_module(mytest, 1.0.0)
> 
>  gen_require(` attribute domain, userdomain, port_type; ')
> 
>  type mytest_t;
>  domain_type(mytest_t)
> 
> auditallow { userdomain domain } mytest_t:tcp_socket name_bind;
> 
> 
> 
> Then run ::
> 
>     $ semanage port -a -t mytest_t -p tcp 1234
> 
> 
> Thank you very much !

I am surprised if this would work.
port_types are not domain_types.

instead of:

domain_type(mytest_t)

use

corenet_port(mytest_t)

> 
> 
>>  You may, or may not, be able to do similar things by using the audit suite
>>> instead (man auditctl)
>>>
>>>
>> Yes but I can't find how to restrict the audit on a specific port number :/
>>
>>
>>    auditctl -d exit,always   -S bind  -k BIND
>>
>>
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0+vcUACgkQMlxVo39jgT/uCQCgiyrALSVDIxz4GVbjyHj0PjSH
W1gAmwScuRuBSvDRWmJCLEXK1MSlRzUT
=zGLj
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
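
Added example, not part of the original thread: the module from the message above written with corenet_port() as the reply advises, plus a filter that pulls the resulting "granted" name_bind records for one port type out of audit.log. The function names write_policy, bind_events and sample_log are hypothetical, and the sample records are constructed and assume the usual AVC record layout.

```shell
#!/bin/sh
# Write the module with corenet_port() in place of domain_type(), per the reply above.
write_policy() {
    cat > "$1/mytest.te" <<'EOF'
policy_module(mytest, 1.0.0)

gen_require(`
    attribute domain, userdomain;
')

type mytest_t;
corenet_port(mytest_t)

auditallow { userdomain domain } mytest_t:tcp_socket name_bind;
EOF
}
# Build, load and label (needs root and the policy devel Makefile; not run here):
#   make -f /usr/share/selinux/devel/Makefile mytest.pp && semodule -i mytest.pp
#   semanage port -a -t mytest_t -p tcp 1234

# Read audit records on stdin; print "port comm scontext" for every granted
# tcp_socket name_bind whose target port type is $1.
bind_events() {
    awk -v t=":$1:" '
        /avc: +granted/ && /name_bind/ && /tclass=tcp_socket/ {
            port = comm = sctx = tctx = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/)      port = substr($i, 5)
                if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^scontext=/) sctx = substr($i, 10)
                if ($i ~ /^tcontext=/) tctx = substr($i, 10)
            }
            if (index(tctx, t)) print port, comm, sctx
        }'
}

# Constructed sample records, not taken from a real audit.log.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1295960000.101:201): avc:  granted  { name_bind } for  pid=2101 comm="nc" src=1234 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:mytest_t:s0 tclass=tcp_socket
type=AVC msg=audit(1295960005.202:202): avc:  granted  { name_bind } for  pid=2102 comm="python" src=8080 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1295960009.303:203): avc:  denied  { name_bind } for  pid=2103 comm="httpd" src=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mytest_t:s0 tclass=tcp_socket
EOF
}

sample_log | bind_events mytest_t
```

On a live system the same filter would be fed from /var/log/audit/audit.log, for example `bind_events mytest_t < /var/log/audit/audit.log`.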


