Need new secret sauce

Dominick Grift domg472 at gmail.com
Fri May 7 13:36:40 UTC 2010


On Fri, May 07, 2010 at 06:31:52AM -0700, David Highley wrote:
> "Dominick Grift wrote:"
> > 
> > On Thu, May 06, 2010 at 08:35:25PM -0700, David Highley wrote:
> > > Did the usual dance after selinux policy seemed to get wiped out. Does
> > > not appear to be working. I also did an semodule -r mysshdfilter just to
> > > make sure there was not some thing fouled up.
> > >
> > > grep sshdfilter /var/log/audit/audit.log | tail -2 | audit2allow -M
> > > mysshdfilter
> > >
> > > semodule -i mysshdfilter.pp
> > >
> > >
> > > type=SYSCALL msg=audit(1273152205.754:30341): arch=c000003e syscall=2
> > > success=no exit=-13 a0=1f16088 a1=241 a2=1b6 a3=7f26f5e60920 items=0
> > > ppid=24925 pid=24926 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > > sgid=0 fsgid=0 tty=(none) ses=731 comm="sshdfilter" exe="/usr/bin/perl"
> > > subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
> > > type=AVC msg=audit(1273152205.754:30341): avc:  denied  { write } for
> > > pid=24926 comm="sshdfilter" name="sshdfilter.pid.SSHD" dev=dm-0 ino=539
> > > scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
> > > tcontext=system_u:object_r:var_run_t:s0 tclass=file
> > 
> > 
> > Looks like this app may need policy. I could not find a sshdfilter package
> > in the regular fedora repositories though.
> > 
> > The fact of the matter is that /var/run/sshdfilter.pid.SSHD somehow is
> > mislabeled, and that sshd_t cannot access the mislabeled pid file.
> > 
> > In some cases using audit2allow to allow stuff is a bad idea. This is one
> > such example.
> > 
> > The problem needs to be solved at its core. We need to figure out why and
> > when the pid was mislabeled and make sure it instead gets a proper label.
> 
> Yes, it would be nice to have this application show up as a standard
> package. It makes it easy to tighten up outside secure shell access. The
> software comes from http://www.cs.liv.ac.uk/~greg/sshdfilter/
> 
> It is a Perl script and a configuration file. It wraps around sshd to
> give you the ability to deny access to login accounts, it detects ping
> probes and break in attempts and dynamically creates iptable rules to
> block sites. It ages the rules and drops them back out after
> configurable time periods.

Can you enclose a list of the files this package includes and their location on the file system?
If it wraps around sshd then you could probably label the sshdfilter executable file with the sshd executable file type and then extend the sshd_t domain to allow it the access it needs and define type transitions where required.

> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
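The distinction Dominick draws above (a mislabeled object that should be relabeled, versus a domain that genuinely lacks a permission and needs policy) can be checked mechanically before anyone runs audit2allow. The following script is an added example, not code from this thread or from the sshdfilter project: it parses AVC records of the kind quoted in the thread and reports which case the denial looks like. The set of generic object types it treats as "probably mislabeled", and the second, made-up sshd_var_run_t record, are the example's own assumptions.

```python
"""Triage an SELinux AVC denial before reaching for audit2allow.

Added example, not code from the mailing-list thread or from sshdfilter.
A confined domain (sshd_t) being denied on a file that carries a generic
label such as var_run_t points at a labeling problem; audit2allow would
paper over it by letting sshd_t write every var_run_t file on the system.
"""
import re
from dataclasses import dataclass, field

# Generic catch-all object types. Assumption of this example (the thread does
# not define such a list): a denial on one of these usually means the object
# has the wrong label rather than that the domain should be widened.
GENERIC_TYPES = {
    "var_run_t", "var_t", "var_lib_t", "var_log_t", "etc_t", "tmp_t",
    "usr_t", "bin_t", "default_t", "unlabeled_t",
}

FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file",
                "chr_file", "blk_file"}

# "avc:  denied  { perm ... } for  key=value key="quoted" ..."
AVC_RE = re.compile(
    r"type=AVC\s.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: list
    fields: dict = field(default_factory=dict)

    def _type_of(self, ctx_key):
        # A context is user:role:type[:range]; the type is the third field.
        return self.fields[ctx_key].split(":")[2]

    def source_type(self):
        return self._type_of("scontext")

    def target_type(self):
        return self._type_of("tcontext")


def parse_avc(line):
    """Return an AvcDenial for a type=AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcDenial(perms, fields)


def classify(denial):
    """'mislabeled' when a file-class target carries a generic label,
    'policy-gap' otherwise."""
    if (denial.fields.get("tclass") in FILE_CLASSES
            and denial.target_type() in GENERIC_TYPES):
        return "mislabeled"
    return "policy-gap"


def triage(line):
    """Parse one audit record and return a summary with the advised next step."""
    denial = parse_avc(line)
    if denial is None:
        return None
    verdict = classify(denial)
    name = denial.fields.get("name", "?")
    if verdict == "mislabeled":
        step = (f"find out how {name} ended up labeled {denial.target_type()} "
                f"(ls -Z, matchpathcon) and relabel it; do not audit2allow")
    else:
        step = (f"{denial.source_type()} lacks {{ {' '.join(denial.perms)} }} on "
                f"{denial.target_type()}; extend that domain's policy")
    return {"source": denial.source_type(), "target": denial.target_type(),
            "perms": denial.perms, "name": name, "verdict": verdict,
            "next_step": step}


# Constructed samples: the first reproduces the record quoted in the thread
# with the mail encoding undone; the second is invented to show the other branch.
SAMPLE_MISLABELED = (
    'type=AVC msg=audit(1273152205.754:30341): avc:  denied  { write } for  '
    'pid=24926 comm="sshdfilter" name="sshdfilter.pid.SSHD" dev=dm-0 ino=539 '
    'scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file'
)
SAMPLE_POLICY_GAP = (
    'type=AVC msg=audit(1273152300.001:30350): avc:  denied  { unlink } for  '
    'pid=24926 comm="sshdfilter" name="sshdfilter.pid.SSHD" dev=dm-0 ino=539 '
    'scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:sshd_var_run_t:s0 tclass=file'
)

if __name__ == "__main__":
    for rec in (SAMPLE_MISLABELED, SAMPLE_POLICY_GAP):
        print(triage(rec))
```

Run against the quoted record it reports sshd_t denied write on a var_run_t file named sshdfilter.pid.SSHD and a "mislabeled" verdict, which is the case where the fix is a correct label on the pid file rather than a generated allow rule.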