Fedora 12 and unconfined_u sshdfilter

David Highley dhighley at highley-recommended.com
Thu Dec 3 05:33:02 UTC 2009


I'm trying to get sshdfilter, a Perl wrapper around sshd, to work in
Fedora 12. The script needs to be able to call iptables to drop in new
rejection rules for detected hacking connections. I used "semanage fcontext
-a -t sshd_exec_t", which gave it the same context as sshd. I have not
been able to change the unconfined_u to system_u:
ls -Z /usr/sbin/sshdfilter unconfined_u:object_r:sshd_exec_t:s0

I was getting AVC errors, so I created an allow policy:
module mysshdfilter 1.0;

require {
        type iptables_exec_t;
        type iptables_t;
        type sshd_t;
        class file execute;
        class fifo_file read;
}

#============= iptables_t ==============
allow iptables_t self:fifo_file read;

#============= sshd_t ==============
allow sshd_t iptables_exec_t:file execute;


Now I'm getting:
time->Wed Dec  2 21:07:04 2009
type=USER_ROLE_CHANGE msg=audit(1259816824.474:201): user pid=3664 uid=0
auid=0 ses=12 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=?: exe= "/usr/sbin/sshd" hostname=? addr=? terminal=? res=failed'
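A small triage helper for the USER_ROLE_CHANGE record quoted above, added here as an example (it is not part of the original post or of sshdfilter): it parses the audit line, splits each SELinux context into user:role:type:range, and flags what the record shows, namely res=failed with no selected-context and a subject running as unconfined_u rather than system_u. The sample record is the one from the post, reconstructed onto a single line.

```python
import re
from typing import Dict, List

# Constructed sample: the USER_ROLE_CHANGE record from the post, joined onto one line.
SAMPLE = (
    "type=USER_ROLE_CHANGE msg=audit(1259816824.474:201): user pid=3664 uid=0 "
    "auid=0 ses=12 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 "
    "msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "selected-context=?: exe= \"/usr/sbin/sshd\" hostname=? addr=? terminal=? res=failed'"
)

# key=value tokens; the value may be single-quoted (the pam message), double-quoted
# (exe, which auditd writes with a space after '='), or a bare run of non-blanks.
KV_RE = re.compile(r"([\w-]+)=\s?('[^']*'|\"[^\"]*\"|\S*)")


def parse_record(line: str) -> Dict[str, str]:
    """Flatten an audit record into a dict; the nested msg='pam: ...' fields are merged in."""
    rec: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        val = raw.strip("'\"").rstrip(":")  # drop quotes and the trailing ':' after 'audit(...)' / '?'
        if key == "msg" and raw.startswith("'"):
            rec.update(parse_record(val))  # recurse into the quoted pam message
            continue
        rec[key] = val
    return rec


def split_context(ctx: str) -> Dict[str, str]:
    """Split user:role:type:range; the MLS range itself contains ':' so split at most 3 times."""
    return dict(zip(("user", "role", "type", "range"), ctx.split(":", 3)))


def assess(rec: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a USER_ROLE_CHANGE record."""
    findings: List[str] = []
    subj = split_context(rec.get("subj", ""))
    if rec.get("res") == "failed":
        findings.append("pam_selinux could not set a login context (res=failed)")
    if rec.get("selected-context") == "?":
        findings.append("no selected-context derived from default-context " + rec.get("default-context", "?"))
    if subj.get("user") and subj["user"] != "system_u":
        # Daemons started by init run as system_u; another user hints the process was
        # launched from a login session rather than as a system service.
        findings.append(f"subject {rec.get('subj')} runs as SELinux user {subj['user']}, not system_u")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_record(SAMPLE)):
        print("-", finding)
```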