Fedora 12 and unconfined_u sshdfilter

Dominick Grift domg472 at gmail.com
Tue Dec 15 08:52:28 UTC 2009


On Mon, Dec 14, 2009 at 04:50:15PM -0800, David Highley wrote:
> "David Highley wrote:"
> > 
> > "Dominick Grift wrote:"
> > > 
> > > On Mon, Dec 14, 2009 at 10:25:08AM -0800, David Highley wrote:
> > > > "Dominick Grift wrote:"
> > > > > On Mon, Dec 07, 2009 at 12:01:09PM +0000, Moray Henderson (ICT) wrote:
> > > > > > James Carter wrote:
> > > > > > >Dan's example used Refpolicy interfaces.  Interfaces are very useful and
> > > > > > >provide a better layer of abstraction, but they are just m4 macros,
> > > > > > >which have always been used in SELinux policy.
> > > > > > >
> > > > > > >Interfaces should be used as much as possible, but it is not true that
> > > > > > >you can't mix the old and new ways.
> > > > > >
> > > > > > Mixing the plain rules and the m4 macros didn't work when I tried it - but perhaps I just wasn't writing it right.  Is there a Refpolicy tutorial anywhere?
> > > > > >
> > > > > I spent a little time today writing about the policy structure in Fedora. Maybe it can help you or others:
> > > > >
> > > > > http://82.197.205.60/~dgrift/stuff/Managing_a_SELinux_environment_with_Fedora_12.pdf
> > > >
> > > > Still have not mastered this one yet. Here is the policy file created by
> > > > grep of /var/log/audit/audit.log file piped to audit2allow:
> > > >
> > > > module mysshdfilter 1.0;
> > > >
> > > > require {
> > > > 	type var_run_t;
> > > > 	type iptables_exec_t;
> > > > 	type bin_t;
> > > > 	type sshd_t;
> > > > 	type iptables_t;
> > > > 	class lnk_file read;
> > > > 	class file { read getattr open execute execute_no_trans };
> > > > 	class fifo_file { read write ioctl getattr };
> > > > }
> > > >
> > > > #============= iptables_t ==============
> > > > allow iptables_t bin_t:lnk_file read;
> > > > allow iptables_t self:fifo_file { read write ioctl getattr };
> > > 
> > > echo "policy_module(newiptables, 1.0.0)" > newuiptables.te
> > > echo "optional_policy(\`" >> newiptables.te
> > > echo "gen_require(\'" >> newiptables.te
> > > echo "type iptables_t;" >> newiptables.te
> > > echo "')" >> newiptables.te
> > > echo "corecmd_read_bin_symlinks(iptables_t)" >> newiptables.te
> > > echo "allow iptables_t self:fifo_file rw_fifo_file_perms;" >> newiptables.te
> > > echo "')" >> newiptables.te
> > > 
> > > make -f /usr/share/selinux/devel/Makefile newiptables.pp
> 
> Running the make for the above file ended up in an infinite loop
> outputting:
> myiptables.te:2: Warning: deprecated use of module name () as first
> parameter of optional_policy() block.

There's a syntax error or two:

> > > echo "policy_module(newiptables, 1.0.0)" > newuiptables.te
echo "policy_module(newiptables, 1.0.0)" > newiptables.te

> > > echo "gen_require(\'" >> newiptables.te
echo "gen_require(\`" >> newiptables.te

> 
> > > sudo semodule -i newiptables.pp
> > > 
> > > >
> > > > #============= sshd_t ==============
> > > > allow sshd_t iptables_exec_t:file { read execute open execute_no_trans };
> > > 
> > > echo "policy_module(newsshd, 1.0.0)" > newsshd.te
> > > echo "optional_policy(\`" >> newsshd.te
> > > echo "gen_require(\`" >> newsshd.te
> > > echo "type sshd_t;" >> newsshd.te
> > > echo "')" >> newsshd.te
> > > echo "iptables_domtrans(sshd_t)" >> newsshd.te
> > > echo "')" >> newsshd.te
> > > 
> > > make -f /usr/share/selinux/devel/Makefile newsshd.pp
> > > sudo semodule -i newsshd.pp
> > > 
> > > > allow sshd_t var_run_t:file getattr;
> > > 
> > > This one is a bit more complicated because I don't know for sure what created it (in what context does sshdfilter run?)
> > > >
> > 
> > I also meant to ask if all three policy changes (mysshdfilter.pp, newiptables.pp,
> > and newsshd.pp) are needed?
> > 
> > <trimmed audit log entries>
> > 
> > > >
> > > > > >
> > > > > > Moray.
> > > > > > "To err is human.  To purr, feline"
> > > > > >
> > > > > > --
> > > > > > fedora-selinux-list mailing list
> > > > > > fedora-selinux-list at redhat.com
> > > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
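The two corrections above (the misspelled output filename, and a `\'` where the m4 opening quote `` \` `` belongs in the gen_require line) are easy to get wrong when a policy module is assembled from echo commands. What follows is an added example, not code from this thread or from the Fedora policy: it writes the same two refpolicy-style modules as heredocs with the corrected filename and quotes, and adds a hypothetical check_m4_quotes helper that counts m4 opening and closing quotes in a .te file before the refpolicy Makefile is run, since an unmatched quote is exactly the kind of mistake the reply corrects. The module names, interface names and Makefile path are the ones used in the thread; the helper names and the check itself are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): build the two modules sketched in the
# reply with corrected m4 quoting, and sanity-check the quoting first.

# write_iptables_te DIR -> writes DIR/newiptables.te (note: not "newuiptables")
write_iptables_te() {
    cat > "$1/newiptables.te" <<'EOF'
policy_module(newiptables, 1.0.0)

optional_policy(`
    gen_require(`
        type iptables_t;
    ')
    corecmd_read_bin_symlinks(iptables_t)
    allow iptables_t self:fifo_file rw_fifo_file_perms;
')
EOF
}

# write_sshd_te DIR -> writes DIR/newsshd.te
write_sshd_te() {
    cat > "$1/newsshd.te" <<'EOF'
policy_module(newsshd, 1.0.0)

optional_policy(`
    gen_require(`
        type sshd_t;
    ')
    iptables_domtrans(sshd_t)
')
EOF
}

# check_m4_quotes FILE -> returns 0 when the number of m4 opening quotes (`)
# equals the number of closing quotes ('), else reports the counts and
# returns 1. A gen_require(') typo leaves the quotes unbalanced, which m4
# will not reject cleanly when it expands optional_policy().
# (hypothetical helper, an assumption of this example)
check_m4_quotes() {
    opens=$(tr -cd '`' < "$1" | wc -c | tr -d ' ')
    closes=$(tr -cd "'" < "$1" | wc -c | tr -d ' ')
    if [ "$opens" -ne "$closes" ]; then
        echo "$1: unbalanced m4 quotes ($opens opening, $closes closing)" >&2
        return 1
    fi
    return 0
}

# build_module DIR NAME -> compiles NAME.te into NAME.pp with the refpolicy
# development Makefile (selinux-policy-devel), but only after the quote check
# passes. Installing the result (semodule -i NAME.pp) is left to the operator.
build_module() {
    check_m4_quotes "$1/$2.te" || return 1
    make -C "$1" -f /usr/share/selinux/devel/Makefile "$2.pp"
}

# Usage (uncomment on a box with selinux-policy-devel installed):
# d=$(mktemp -d); write_iptables_te "$d"; write_sshd_te "$d"
# build_module "$d" newiptables && build_module "$d" newsshd
```

The quote check is deliberately crude (it counts characters, so a quote inside a comment will skew it), but it is cheap and catches the mismatch before make starts looping on the deprecated-module-name warning shown above.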