Fedora 12 and unconfined_u sshdfilter

Moray Henderson Moray.Henderson at ict-software.org
Fri Dec 4 09:57:53 UTC 2009


David Highley wrote:
>"Daniel J Walsh wrote:"
>>
>> On 12/03/2009 12:33 AM, David Highley wrote:
>> > I'm trying to get sshdfilter, a Perl wrapper around sshd, to work in
>> > Fedora 12. The script needs to be able to call iptables to drop in new
>> > rejection rules for detected hacking connections. I used "semanage fcontext
>> > -a -t sshd_exec_t" which gave it the same context as sshd. I have not
>> > been able to change the unconfined_u to system_u:
>> > ls -Z /usr/sbin/sshdfilter unconfined_u:object_r:sshd_exec_t:s0
>> >
>> > I was getting avc errors so I created an allow policy:
>> > module mysshdfilter 1.0;
>> >
>> > require {
>> >          type iptables_exec_t;
>> >          type iptables_t;
>> >          type sshd_t;
>> >          class file execute;
>> >          class fifo_file read;
>> > }
>> >
>> > #============= iptables_t ==============
>> > allow iptables_t self:fifo_file read;
>> >
>> > #============= sshd_t ==============
>> > allow sshd_t iptables_exec_t:file execute;
>> >
>> >
>> > Now I'm getting:
>> > time->Wed Dec  2 21:07:04 2009
>> > type=USER_ROLE_CHANGE msg=audit(1259816824.474:201): user pid=3664 uid=0
>> > auid=0 ses=12 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
>> > msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> > selected-context=?: exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=failed'
>> >
>> > --
>> > fedora-selinux-list mailing list
>> > fedora-selinux-list at redhat.com
>> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> >
>> >
>> You probably want
>>
>> iptables_domtrans(sshd_t)
>
>I tried adding this statement to the file, but checkmodule gave syntax
>error. I tried searching through the selinux files but did not find an
>example of how to use the above statement.
>
>>
>> The ROLE_CHANGE is not an SELinux error, it is just an audit message.
>>
>> I will add the fifo_file rule to iptables policy
>>
>> Fixed in selinux-policy-3.6.32-54.fc12
>>
>> If you want to get real crazy you could write policy for
>> /usr/sbin/sshdfilter
>>
>>
>> policy_module(sshdfilter, 1.0)
>>
>> ssh_server_template(sshdfilter)
>> iptables_domtrans(sshdfilter_t)


Your original policy "module mysshdfilter 1.0;" is written in the
old-fashioned way: requirements declaration followed by allow rules.
This is how I write my policy, too.

Daniel's example uses the new way - a whole new policy programming
language which needs to be pre-processed and compiled.  You can't mix
the old and new ways.

To compile with the new way (on EL5 - hopefully Fedora 12 is similar)
you need the selinux-policy-devel package.  Simply use the checkmodule
command to build a .mod module file from the .te file, and then the
semodule_package command to combine the .mod file with any .fc file to
produce the loadable .pp module file which you can load with semodule.
You can also have a .if file, but I'm not sure where that fits into
things yet.

checkmodule [ -M ] -m mysshdfilter.te -o mysshdfilter.mod
semodule_package -o mysshdfilter.pp -m mysshdfilter.mod [ -f mysshdfilter.fc ]
semodule -i mysshdfilter.pp

Which leads me to a question I have been meaning to ask for a while now:
if I compile my policy the old way, I get a module of a certain size.
If I build exactly the same policy using the m4 macros and examine the
pre-processed files, there is a whole lot of extra stuff that has been
added.  What is all that?  What is the advantage of having it added to
each module?


Moray.
"To err is human.  To purr, feline"
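Added example (not part of the thread, and not the sshdfilter project's code): a shell script that writes, in the raw checkmodule syntax David's first module used, the rules that Daniel's iptables_domtrans(sshd_t) would give you, and then builds it with the checkmodule / semodule_package / semodule chain. The point worth seeing is the difference between the two approaches in the thread: `allow sshd_t iptables_exec_t:file execute` runs the whole of iptables inside the sshd_t domain, so every permission iptables needs ends up granted to sshd; the transition rules below run it as iptables_t instead, and sshd_t only gets execute plus the right to transition. The rules are my hand-expansion of what the reference-policy macro grants as I read it, not a copy of the macro's exact expansion, and the module name mysshdfilter and the --build switch are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a raw-syntax SELinux module that
# lets sshd_t run iptables via a domain transition into iptables_t, rather than
# executing it inside sshd_t. The rule set is a hand-expansion of what the
# reference-policy macro iptables_domtrans(sshd_t) grants (my reading of it,
# not the macro's literal output); module name and paths are assumptions.
set -eu

# Derive the module name from a .te filename (mysshdfilter.te -> mysshdfilter).
module_name_from_te() {
    basename "$1" .te
}

# Write the raw checkmodule-syntax policy source for a module of the given name.
write_te() {
    name=$1
    cat > "$name.te" <<EOF
module $name 1.0;

require {
	type sshd_t;
	type iptables_t;
	type iptables_exec_t;
	class file { getattr open read execute };
	class process { transition sigchld noatsecure siginh rlimitinh };
	class fd use;
	class fifo_file { read write getattr ioctl lock append };
}

# sshd_t may execute the iptables binary...
allow sshd_t iptables_exec_t:file { getattr open read execute };
# ...and when it does, the new process runs as iptables_t, not sshd_t.
allow sshd_t iptables_t:process transition;
type_transition sshd_t iptables_exec_t:process iptables_t;
# Usual noise on a domain transition; silence rather than allow.
dontaudit sshd_t iptables_t:process { noatsecure siginh rlimitinh };
# The iptables_t child inherits descriptors from the wrapper, talks over its
# pipes, and reports completion back to sshd_t with SIGCHLD.
allow iptables_t sshd_t:fd use;
allow iptables_t sshd_t:fifo_file { read write getattr ioctl lock append };
allow iptables_t sshd_t:process sigchld;
EOF
}

# Compile the .te into a loadable .pp and install it. -M is needed on a
# policy with MLS/MCS fields (Fedora targeted); no .fc file is packaged here
# because the file context was already set with semanage fcontext.
build_module() {
    name=$(module_name_from_te "$1")
    checkmodule -M -m -o "$name.mod" "$name.te"
    semodule_package -o "$name.pp" -m "$name.mod"
    semodule -i "$name.pp"
}

# Usage: sh build-sshdfilter-domtrans.sh --build
# (requires checkmodule, semodule_package and semodule, i.e. the policy tools)
case "${1:-}" in
    --build)
        write_te mysshdfilter
        build_module mysshdfilter.te
        ;;
esac
```

After loading, `sesearch -T -s sshd_t -t iptables_exec_t` should show the type_transition, and the AVC denials for sshd_t against iptables_exec_t should stop appearing without sshd_t ever being granted iptables_t's own permissions.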