Partitions Mounted by fstab
Stephen Smalley
sds at tycho.nsa.gov
Thu Mar 6 15:23:53 UTC 2008
On Thu, 2008-03-06 at 14:45 +0000, Arthur Dent wrote:
> Hi Stephen,
>
> Yes, I know it's a bit off-topic for this list (well totally OT really)
> but why does clamd bind to a different port each time? Is that normal
> behaviour for clamd or have I got something borked in my setup?
Some daemons scan for any available port within a given range, and take
the first one available, for transient ports used for data transfer (vs.
well-known ports).
> Anyway it works (I think)!
>
> Thanks very much for all the help and support so far. Now that I have
> discovered audit2allow there's no stopping me!...
>
> I have no idea what most of the things are for, but if I'm careful about
> watching where the denials take place, is it usually safe to trust
> audit2allow to create policies for me?
audit2allow just turns every denial into an allow rule. So it can't for
example tell you that the real reason you had a denial was because you
had a mislabeled file. Your /mnt/backup situation is an example where
audit2allow would have given you the wrong solution - allowing access to
the default type of /mnt rather than properly configuring your policy to
label /mnt/backup with a suitable type.
setroubleshoot tries to give you more help via a heuristics-based set of
plugins, but it doesn't really have a semantic understanding of the
policy, so it too is limited in what it can achieve. But setroubleshoot
can sometimes tell you that a file is mislabeled or that you just need
to enable some policy boolean.
There is ongoing work in policy tools to bridge the semantic gap.
> After much watching and tail -f ing of logs, here is what I have ended
> up with...
>
>
> ##########################################
> # cat myclamd.te
> policy_module(myclamd, 1.2)
> require {
> type clamscan_t;
> type clamd_t;
> class tcp_socket { write create connect };
> type var_run_t;
> type user_home_t;
> class sock_file write;
> class file append;
>
> }
>
> #============= clamd_t ==============
> corenet_tcp_bind_generic_port(clamd_t)
>
> #============= clamscan_t ==============
> allow clamscan_t self:tcp_socket { write create connect };
> allow clamscan_t user_home_t:file append;
What file in your home directory is clamscan appending to?
Maybe we can put it into a distinct type and protect the rest of your
files?
> allow clamscan_t var_run_t:sock_file write;
This suggests that something is creating a socket under /var/run without
properly putting it into a distinct type.
> corenet_tcp_connect_generic_port(clamscan_t)
> mta_read_queue(clamscan_t)
> procmail_rw_tmp_files(clamscan_t)
> userdom_read_generic_user_home_content_files(clamscan_t)
> ##########################################
>
>
> It's still Greek to me. I hope I haven't compromised my system in any way...
You can't make your system weaker than it was without SELinux in this
manner, since all you are doing is loosening the SELinux restrictions -
the usual DAC restrictions still apply. So all you are doing is
altering the extent to which SELinux is protecting you.
> I have just typed "setenforce 1" - Yay! (Expect to hear back from me
> with tales of woe when it won't work anymore!...
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list