Fedora 12 and unconfined_u sshdfilter

David Highley dhighley at highley-recommended.com
Tue Dec 15 00:21:41 UTC 2009


"Dominick Grift wrote:"
> On Mon, Dec 14, 2009 at 10:25:08AM -0800, David Highley wrote:
> > "Dominick Grift wrote:"
> > > On Mon, Dec 07, 2009 at 12:01:09PM +0000, Moray Henderson (ICT) wrote:
> > > > James Carter wrote:
> > > > >Dan's example used Refpolicy interfaces.  Interfaces are very useful and
> > > > >provide a better layer of abstraction, but they are just m4 macros,
> > > > >which have always been used in SELinux policy.
> > > > >
> > > > >Interfaces should be used as much as possible, but it is not true that
> > > > >you can't mix the old and new ways.
> > > >
> > > > Mixing the plain rules and the m4 macros didn't work when I tried it - but
> > > > perhaps I just wasn't writing it right.  Is there a Refpolicy tutorial
> > > > anywhere?
> > >
> > > I spent a little time today writing about the policy structure in Fedora.
> > > Maybe it can help you or others:
> > >
> > > http://82.197.205.60/~dgrift/stuff/Managing_a_SELinux_environment_with_Fedora_12.pdf
> >
> >
> > Still have not mastered this one yet. Here is the policy file created by
> > grep of /var/log/audit/audit.log file piped to audit2allow:
> >
> > module mysshdfilter 1.0;
> >=20
> > require {
> > 	type var_run_t;
> > 	type iptables_exec_t;
> > 	type bin_t;
> > 	type sshd_t;
> > 	type iptables_t;
> > 	class lnk_file read;
> > 	class file { read getattr open execute execute_no_trans };
> > 	class fifo_file { read write ioctl getattr };
> > }
> >
> > #============= iptables_t ==============
> > allow iptables_t bin_t:lnk_file read;
> > allow iptables_t self:fifo_file { read write ioctl getattr };
> 
> echo "policy_module(newiptables, 1.0.0)" > newiptables.te
> echo "optional_policy(\`" >> newiptables.te
> echo "gen_require(\`" >> newiptables.te
> echo "type iptables_t;" >> newiptables.te
> echo "')" >> newiptables.te
> echo "corecmd_read_bin_symlinks(iptables_t)" >> newiptables.te
> echo "allow iptables_t self:fifo_file rw_fifo_file_perms;" >> newiptables.te
> echo "')" >> newiptables.te
> 
> make -f /usr/share/selinux/devel/Makefile newiptables.pp
> sudo semodule -i newiptables.pp
> 
> >
> > #============= sshd_t ==============
> > allow sshd_t iptables_exec_t:file { read execute open execute_no_trans };
> 
> echo "policy_module(newsshd, 1.0.0)" > newsshd.te
> echo "optional_policy(\`" >> newsshd.te
> echo "gen_require(\`" >> newsshd.te
> echo "type sshd_t;" >> newsshd.te
> echo "')" >> newsshd.te
> echo "iptables_domtrans(sshd_t)" >> newsshd.te
> echo "')" >> newsshd.te
> 
> make -f /usr/share/selinux/devel/Makefile newsshd.pp
> sudo semodule -i newsshd.pp
> 
> > allow sshd_t var_run_t:file getattr;
> 
> This one is a bit more complicated because I don't know for sure what
> created it (in what context does sshdfilter run?)

I also meant to ask: are all three policy changes (mysshdfilter.pp,
newiptables.pp, and newsshd.pp) needed?

<trimmed audit log entries>

> >
> > > >
> > > > Moray.
> > > > "To err is human.  To purr, feline"
> > > >
> > > > --
> > > > fedora-selinux-list mailing list
> > > > fedora-selinux-list at redhat.com
> > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
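Added example (not code from Dominick's reply or from the thread): the two refpolicy-style modules from the reply written as a single .te via a quoted heredoc, so the m4 ` and ' quotes need no shell escaping, plus a quote-balance check to run before building. The module name sshdfilter_local and the helper names are assumptions.

```shell
#!/bin/sh
# Write one policy module covering both audit2allow results, using refpolicy
# interfaces instead of raw allow rules. Quoted heredoc: nothing is expanded,
# so m4 open-quote ` and close-quote ' are written literally.
set -eu

write_te() {
    # $1 = path of the .te file to create (module name is an assumption)
    cat > "$1" <<'EOF'
policy_module(sshdfilter_local, 1.0.0)

# raw allow rules audit2allow printed for iptables_t, as interfaces/perm sets
optional_policy(`
    gen_require(`
        type iptables_t;
    ')
    corecmd_read_bin_symlinks(iptables_t)
    allow iptables_t self:fifo_file rw_fifo_file_perms;
')

# sshd_t running iptables: domain transition into iptables_t instead of
# execute_no_trans on iptables_exec_t
optional_policy(`
    gen_require(`
        type sshd_t;
    ')
    iptables_domtrans(sshd_t)
')
EOF
}

# Every m4 open-quote ` must have a matching close-quote '; an unbalanced
# file fails inside the Makefile with an unhelpful m4/checkpolicy error.
quotes_balanced() {
    opens=$(tr -cd '`' < "$1" | wc -c | tr -d ' ')
    closes=$(tr -cd "'" < "$1" | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ]
}

# Build and load the module; needs selinux-policy-devel and root privileges.
build_and_install() {
    quotes_balanced "$1"
    make -f /usr/share/selinux/devel/Makefile "${1%.te}.pp"
    semodule -i "${1%.te}.pp"
}
```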