Fedora 12 and unconfined_u sshdfilter

Dominick Grift domg472 at gmail.com
Tue Dec 15 08:55:59 UTC 2009


On Mon, Dec 14, 2009 at 04:21:41PM -0800, David Highley wrote:
> "Dominick Grift wrote:"
> > On Mon, Dec 14, 2009 at 10:25:08AM -0800, David Highley wrote:
> > > "Dominick Grift wrote:"
> > > > On Mon, Dec 07, 2009 at 12:01:09PM +0000, Moray Henderson (ICT) wrote:
> > > > > James Carter wrote:
> > > > > > Dan's example used Refpolicy interfaces.  Interfaces are very useful and
> > > > > > provide a better layer of abstraction, but they are just m4 macros,
> > > > > > which have always been used in SELinux policy.
> > > > > >
> > > > > > Interfaces should be used as much as possible, but it is not true that
> > > > > > you can't mix the old and new ways.
> > > > > 
> > > > > Mixing the plain rules and the m4 macros didn't work when I tried it - but
> > > > > perhaps I just wasn't writing it right.  Is there a Refpolicy tutorial
> > > > > anywhere?
> > > > 
> > > > I spent a little time today writing about the policy structure in Fedora.
> > > > Maybe it can help you or others:
> > > > 
> > > > http://82.197.205.60/~dgrift/stuff/Managing_a_SELinux_environment_with_Fedora_12.pdf
> > > 
> > > 
> > > Still have not mastered this one yet. Here is the policy file created by
> > > grep of /var/log/audit/audit.log file piped to audit2allow:
> > > 
> > > module mysshdfilter 1.0;
> > > 
> > > require {
> > > 	type var_run_t;
> > > 	type iptables_exec_t;
> > > 	type bin_t;
> > > 	type sshd_t;
> > > 	type iptables_t;
> > > 	class lnk_file read;
> > > 	class file { read getattr open execute execute_no_trans };
> > > 	class fifo_file { read write ioctl getattr };
> > > }
> > > 
> > > #============= iptables_t ==============
> > > allow iptables_t bin_t:lnk_file read;
> > > allow iptables_t self:fifo_file { read write ioctl getattr };
> > 
> > echo "policy_module(newiptables, 1.0.0)" > newiptables.te
> > echo "optional_policy(\`" >> newiptables.te
> > echo "gen_require(\`" >> newiptables.te
> > echo "type iptables_t;" >> newiptables.te
> > echo "')" >> newiptables.te
> > echo "corecmd_read_bin_symlinks(iptables_t)" >> newiptables.te
> > echo "allow iptables_t self:fifo_file rw_fifo_file_perms;" >> newiptables.te
> > echo "')" >> newiptables.te
> > 
> > make -f /usr/share/selinux/devel/Makefile newiptables.pp
> > sudo semodule -i newiptables.pp
> > 
> > > 
> > > #============= sshd_t ==============
> > > allow sshd_t iptables_exec_t:file { read execute open execute_no_trans };
> > 
> > echo "policy_module(newsshd, 1.0.0)" > newsshd.te
> > echo "optional_policy(\`" >> newsshd.te
> > echo "gen_require(\`" >> newsshd.te
> > echo "type sshd_t;" >> newsshd.te
> > echo "')" >> newsshd.te
> > echo "iptables_domtrans(sshd_t)" >> newsshd.te
> > echo "')" >> newsshd.te
> > 
> > make -f /usr/share/selinux/devel/Makefile newsshd.pp
> > sudo semodule -i newsshd.pp
> > 
> > > allow sshd_t var_run_t:file getattr;
> > 
> > This one is a bit more complicated because I don't know for sure what created
> > it (in what context does sshdfilter run?)
> > > 

The two policy modules above try to fix the avc denials above. If you do not have mysshdfilter.pp installed then there is no need to install it now. But we do need to find a solution for the remaining avc denial that neither of the two enclosed policy modules above fixes.
> 
> I also meant to ask if all three policy changes (mysshdfilter.pp, newiptables.pp,
> and newsshd.pp) are needed?
> 
> <trimmed audit log entries>
> 
> > > 
> > > > > 
> > > > > 
> > > > > Moray.
> > > > > "To err is human.  To purr, feline"
> > > > > 
> > > > > 
> > > > > --
> > > > > fedora-selinux-list mailing list
> > > > > fedora-selinux-list at redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list


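The by-hand translation the thread performs (raw audit2allow rules rewritten as refpolicy interface calls and permission-set macros, wrapped in policy_module/optional_policy/gen_require) as an added Python script; it is not code from the thread or from refpolicy. The only mappings it knows are the three the thread applies (corecmd_read_bin_symlinks, iptables_domtrans, rw_fifo_file_perms); the var_run_t denial has no mapping and stays a raw allow, so its type is still listed in gen_require. The rule text is a constructed copy of the denials quoted above.

```python
import re
from collections import defaultdict

# Constructed copy of the audit2allow output quoted in the thread.
RAW_RULES = """
allow iptables_t bin_t:lnk_file read;
allow iptables_t self:fifo_file { read write ioctl getattr };
allow sshd_t iptables_exec_t:file { read execute open execute_no_trans };
allow sshd_t var_run_t:file getattr;
"""
# Interface substitutions made by hand in the thread, keyed by (target, class, perms).
INTERFACES = {
    ("bin_t", "lnk_file", frozenset({"read"})): "corecmd_read_bin_symlinks({src})",
    ("iptables_exec_t", "file", frozenset({"read", "execute", "open", "execute_no_trans"})):
        "iptables_domtrans({src})",
}
# Refpolicy permission-set macro the thread substitutes for the fifo_file rule.
PERM_SETS = {("fifo_file", frozenset({"read", "write", "ioctl", "getattr"})): "rw_fifo_file_perms"}
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def parse_rules(text):
    # (source, target, class, perms) for each raw allow rule
    return [(s, t, c, frozenset(p.strip("{} ").split()))
            for s, t, c, p in RULE_RE.findall(text)]

def rule_to_refpolicy(rule):
    # Prefer an interface call; otherwise keep a raw allow, using a perm-set macro when one fits.
    src, tgt, cls, perms = rule
    iface = INTERFACES.get((tgt, cls, perms))
    if iface:
        return iface.format(src=src)
    perm_text = PERM_SETS.get((cls, perms))
    if perm_text is None:
        perm_text = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
    return f"allow {src} {tgt}:{cls} {perm_text};"

def build_module(name, text):
    # One optional_policy block per source domain; gen_require lists only types still used raw.
    by_domain, required = defaultdict(list), defaultdict(set)
    for rule in parse_rules(text):
        src, tgt, out = rule[0], rule[1], rule_to_refpolicy(rule)
        required[src] |= {src} | ({tgt} if out.startswith("allow") and tgt != "self" else set())
        by_domain[src].append(out)
    lines = [f"policy_module({name}, 1.0.0)", ""]
    for src in sorted(by_domain):
        lines += ["optional_policy(`", "\tgen_require(`"]
        lines += [f"\t\ttype {t};" for t in sorted(required[src])] + ["\t')", ""]
        lines += [f"\t{r}" for r in by_domain[src]] + ["')", ""]
    return "\n".join(lines)
```

Write the returned text to a .te file and build it with the same `make -f /usr/share/selinux/devel/Makefile` step the thread uses; any rule left as a raw allow is the one that still needs a proper interface or a file-context fix.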
More information about the fedora-selinux-list mailing list