eggdrop policy module

Luciano Furtado lrfurtado at yahoo.com.br
Sat Apr 2 21:23:35 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am able to assign a port number to eggdrop_telnet_port_t with the
following command:

lrfurtado:~/selinux/eggdrop# semanage port -a -t eggdrop_telnet_port_t -p tcp 3333
lrfurtado:~/selinux/eggdrop# semanage port -l | grep eggdrop
eggdrop_telnet_port_t          tcp      3333
lrfurtado:~/selinux/eggdrop#


My question is: if for some reason I can't have portcon in my module,
how do I define a default port number for eggdrop_telnet_port_t from
inside my module?

Best Regards.
Luciano

On 11-04-02 15:45, Luciano Furtado wrote:
> Hi Guys,
> 
> First of all thanks for being so prompt with the answers on this list.
> Now I am trying to restrict eggdrop to listen only on a specific port for
> the telnet support. I thought about using portcon and friends but I keep
> getting the error below:
> 
> lrfurtado:~/selinux/eggdrop# make
> Compiling default eggdrop module
> echo "ifdef(\`""eggdrop""_per_role_template',\`" > tmp/eggdrop.mod.role
> m4 -D enable_mcs -D distro_debian -D direct_sysadm_daemon -D
> hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D
> mcs_num_cats=1024 /usr/share/selinux/default/include/rolemap | gawk
> '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $3 "; role " $1
> ";)\neggdrop_per_role_template(" $2 "," $3 "," $1 ")" }' >>
> tmp/eggdrop.mod.role
> echo "')" >> tmp/eggdrop.mod.role
> echo "ifdef(\`""eggdrop""_per_userdomain_template',\`" >>
> tmp/eggdrop.mod.role
> echo "errprint(\`Warning: per_userdomain_templates have been renamed to
> per_role_templates (""eggdrop""_per_userdomain_template)'__endline__)"
> >> tmp/eggdrop.mod.role
> m4 -D enable_mcs -D distro_debian -D direct_sysadm_daemon -D
> hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D
> mcs_num_cats=1024 /usr/share/selinux/default/include/rolemap | gawk
> '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $3 "; role " $1
> ";)\neggdrop_per_userdomain_template(" $2 "," $3 "," $1 ")" }' >>
> tmp/eggdrop.mod.role
> echo "')" >> tmp/eggdrop.mod.role
> m4 -D enable_mcs -D distro_debian -D direct_sysadm_daemon -D
> hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D
> mcs_num_cats=1024 -s
> /usr/share/selinux/default/include/support/all_perms.spt
> /usr/share/selinux/default/include/support/file_patterns.spt
> /usr/share/selinux/default/include/support/ipc_patterns.spt
> /usr/share/selinux/default/include/support/loadable_module.spt
> /usr/share/selinux/default/include/support/misc_macros.spt
> /usr/share/selinux/default/include/support/misc_patterns.spt
> /usr/share/selinux/default/include/support/mls_mcs_macros.spt
> /usr/share/selinux/default/include/support/obj_perm_sets.spt
> tmp/all_interfaces.conf eggdrop.te tmp/eggdrop.mod.role > tmp/eggdrop.tmp
> /usr/bin/checkmodule -M -m tmp/eggdrop.tmp -o tmp/eggdrop.mod
> /usr/bin/checkmodule:  loading policy configuration from tmp/eggdrop.tmp
> eggdrop.te":39:ERROR 'syntax error' at token 'portcon' on line 4063:
> type eggdrop_server_packet_t, packet_type, server_packet_type;
> portcon tcp 3333 system_u:object_r:eggdrop_telnet_port_t:s0
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> make: *** [tmp/eggdrop.mod] Error 1
> lrfurtado:~/selinux/eggdrop# vi
> 
> 
> 
> 
> 
> I tried using portcon like it's used on corenetwork.te
> 
> 
> 
> 
> policy_module(eggdrop, 1.0.0)
> 
> ########################################
> #
> # Declarations
> #
> gen_require(`
>    type unconfined_t;
>    role unconfined_r;
>    role object_r;
>    attribute packet_type;
>    attribute port_type;
>    attribute client_packet_type;
>    attribute server_packet_type;
> ')
> 
> type eggdrop_t;
> type eggdrop_exec_t;
> type eggdrop_home_t;
> type eggdrop_tty_device_t;
> type eggdrop_devpts_t;
> role unconfined_r types eggdrop_t;
> role object_r types eggdrop_exec_t;
> 
> 
> application_domain(eggdrop_t, eggdrop_exec_t)
> type eggdrop_conf_t;
> files_config_file(eggdrop_conf_t)
> allow eggdrop_t eggdrop_conf_t:dir list_dir_perms;
> read_files_pattern(eggdrop_t,eggdrop_conf_t,eggdrop_conf_t)
> read_lnk_files_pattern(eggdrop_t,eggdrop_conf_t,eggdrop_conf_t)
> corenet_tcp_bind_all_nodes(eggdrop_t);
> corenet_tcp_connect_all_ports(eggdrop_t)
> corenet_tcp_sendrecv_all_ports(eggdrop_t)
> 
> type eggdrop_telnet_port_t, port_type;
> type eggdrop_client_packet_t, packet_type, client_packet_type;
> type eggdrop_server_packet_t, packet_type, server_packet_type;
> portcon tcp 3333 gen_context(system_u:object_r:eggdrop_telnet_port_t,s0)
> 
> unconfined_run_to(eggdrop_t, eggdrop_exec_t)
> 
> libs_use_ld_so(eggdrop_t)
> libs_use_shared_libs(eggdrop_t)
> miscfiles_read_localization(eggdrop_t)
> files_search_usr(eggdrop_t)
> files_read_usr_files(eggdrop_t)
> files_search_tmp(eggdrop_t)
> files_manage_generic_tmp_dirs(eggdrop_t)
> files_manage_generic_tmp_files(eggdrop_t)
> files_search_home(eggdrop_t)
> corecmd_search_bin(eggdrop_t)
> 
> files_home_filetrans(eggdrop_t, eggdrop_home_t, file);
> fs_associate(eggdrop_home_t)
> manage_files_pattern(eggdrop_t,eggdrop_home_t,eggdrop_home_t)
> manage_files_pattern(unconfined_t, eggdrop_home_t, eggdrop_home_t)
> 
> auth_use_nsswitch(eggdrop_t)
> 
> allow eggdrop_t self:fifo_file write;
> allow eggdrop_t self:fifo_file read;
> 
> 
> 
> 
> 
> 
> 
> On 11-03-30 07:52, Dominick Grift wrote:
>> On 03/30/2011 01:46 PM, Luciano Furtado wrote:
>>> On 11-03-28 05:06, Dominick Grift wrote:
>>>> On 03/28/2011 02:32 AM, Luciano Furtado wrote:
> 
>>>>> Hi guys,
> 
>>>>> I started creating my policy module for the eggdrop irc bot. I am
>>>>> getting stuck on simple task. I want to add a transition from
>>>>> unconfined_t to eggdrop_t when I run a eggdrop_exec_t file.
> 
>>>>> This is what I have:
> 
>>>>> policy_module(eggdrop, 1.0.0)
> 
>>>>> ########################################
>>>>> #
>>>>> # Declarations
>>>>> #
>>>>> gen_require(`
>>>>>    type unconfined_t;
>>>>> ')
>>>>> type eggdrop_t;
>>>>> type eggdrop_exec_t;
> 
>>>>> application_executable_file(eggdrop_exec_t)
> 
>>>> This is not required; it is in application_domain(), which you should
>>>> call. Lack of application_domain(eggdrop_t, eggdrop_exec_t) is what's
>>>> causing the constraint violation.
> 
>>>> Also allow the unconfined_r role the eggdrop_t domain:
> 
>>>> role unconfined_r types eggdrop_t;
> 
>>>> (you also will need to require "role unconfined_r;")
> 
> 
>>>>> type eggdrop_conf_t;
>>>>> files_config_file(eggdrop_conf_t)
> 
>>>>> corenet_tcp_connect_ircd_port(eggdrop_t)
>>>>> corenet_tcp_sendrecv_ircd_port(eggdrop_t)
> 
>>>>> domain_auto_trans(unconfined_t,eggdrop_exec_t,eggdrop_t)
> 
>>>> Better use domtrans_pattern() instead of domain_auto_trans. It better
>>>> fits the requirements:
> 
>>>> domtrans_pattern(unconfined_t, eggdrop_exec_t, eggdrop_t)
> 
> 
>>>> so a basic standard template to start is:
> 
>>>> ----------->8--------------
> 
>>>> policy_module(eggdrop, 1.0.0)
> 
>>>> gen_require(`
>>>>     type unconfined_t;
>>>>     role unconfined_r;
>>>> ')
> 
>>>> type eggdrop_t;
>>>> type eggdrop_exec_t;
>>>> application_domain(eggdrop_t, eggdrop_exec_t)
>>>> role unconfined_r types eggdrop_t;
> 
>>>> type eggdrop_etc_t;
>>>> files_config_file(eggdrop_etc_t)
> 
>>>> domtrans_pattern(unconfined_t, eggdrop_exec_t, eggdrop_t)
> 
>>>> -------------8<------------
> 
> 
> 
> 
>>>>> This is what I get when I try to load this policy module:
> 
> 
>>>>> lrfurtado:~/selinux/eggdrop# make load
>>>>> Loading default modules: eggdrop
>>>>> /usr/sbin/semodule -i eggdrop.pp
>>>>> libsepol.check_assertion_helper: neverallow violated by allow
>>>>> unconfined_t eggdrop_t:process { transition };
>>>>> libsemanage.semanage_expand_sandbox: Expand module failed
>>>>> /usr/sbin/semodule:  Failed!
>>>>> make: *** [tmp/loaded] Error 1
>>>>> lrfurtado:~/selinux/eggdrop#
> 
> 
>>>>> What's the proper way of accomplishing this?
> 
> 
> 
>>>>> On 11-03-25 15:24, Dominick Grift wrote:
>>>>>> On 03/25/2011 08:16 PM, Luciano Furtado wrote:
>>>>>>> Thanks Dominick,
> 
>>>>>>> I will use this as an exercise on how to create a new policy module. I
>>>>>>> hope you guys can tolerate my newbie questions for a while.
> 
>>>>>> I created some screencasts and put them on YouTube that show some of this:
> 
>>>>>> Write a policy module part 1 to 4 (on fedora):
> 
>>>>>> part 1: http://www.youtube.com/watch?v=s4EyoW_7riQ
>>>>>> part 2: http://www.youtube.com/watch?v=G5gUt1-ttGg
>>>>>> part 3: http://www.youtube.com/watch?v=nbFnchVAgYs
>>>>>> part 4: http://www.youtube.com/watch?v=rUGBgzTr92A
> 
>>>>>> Some other examples:
> 
>>>>>> part 1: http://www.youtube.com/watch?v=sBI50O84NLo
>>>>>> part 2: http://www.youtube.com/watch?v=ATTJ5xUKH1E
>>>>>> part 3: http://www.youtube.com/watch?v=e3cQNi3bi70
> 
>>>>>> may or may not be helpful.
> 
>>>>>>> Best Regards.
>>>>>>> Luciano
> 
> 
>>>>>>> On 11-03-25 14:29, Dominick Grift wrote:
>>>>>>>> On 03/25/2011 07:09 PM, Luciano Furtado wrote:
>>>>>>>>> Hi Group,
> 
>>>>>>>>> Does eggdrop have an SELinux policy module? If so, starting from which Fedora
>>>>>>>>> version?
> 
> 
>>>>>>>> The only reference that I could find to it was:
> 
>>>>>>>> "You can find a copy of my irssi policy here
>>>>>>>> http://pastebin.ca/768256?srch=irssi_exec_t it also includes policy for
>>>>>>>> eggdrop and manual pages"
> 
>>>>>>>> From my 2008 article
>>>>>>>> "http://domg472.blogspot.com/2008/05/how-to-create-integrate-and-rebuild.html"
> 
>>>>>>>> Unfortunately it seems "pastebin.ca" no longer exists. I can no longer
>>>>>>>> access the site.
> 
> 
>>>>>>>>> I am looking to get the sources for it, build / install it on my Debian
>>>>>>>>> installation, which doesn't seem to have a module for it.
> 
> 
>>>>>>>>> Best Regards.
>>>>>>>>> Luciano
> 
> 
> 
> 
>>> In my policy right now I have this, which I think would allow eggdrop to
>>> sendrecv packets to any host/port combination:
> 
>>> corenet_tcp_sendrecv_all_ports(eggdrop_t)
> 
> 
>>> If I wanted to limit eggdrop to talk only to a specific host/port, would it
>>> be possible to use iptables to label the packets as something like
>>> eggdrop_packet_t and then add a rule like this?
> 
>>> corenet_tcp_recvfrom_labeled(eggdrop_t, eggdrop_packet_t)
> 
> 
>>> Is this the right approach to accomplish this?
> 
>> I am not into the selinux networking controls but dwalsh recently
>> published an article that may or may not inspire you:
> 
>> http://www.linux.com/learn/tutorials/421152-using-selinux-and-iptables-together
> 
> 
>>> My WIP policy is located at http://lrfurtado.vps.bitfolk.com/eggdrop/
> 
>> I probably would have done it differently, but if it works; it works.
> 
> 
> 
> 
>>> Best Regards.
>>> Luciano
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJNl5PXAAoJEEJ82UW2OvvtEQoIAK9HXc0NhzHk45uZlOw0Qur5
z980sXXGw098k0CCyAV9ST3uzQ/eUJgCn8/geLuaeuKxfabErgGo0QFQOZDmQa6m
aVl0/l6T6hJWbTt1O1JmIFPAb6MZYrFYiA/HCkAMhysDjpVlxk9rcyMM1G2tIh2o
MRX3P9skuhve3TYuqDU1SxBCu/ljZ4sZncZvpbT3VQgc35OMuAZUoLou7Uj/c9uL
Q6j3CkV72ZZDxIAIIxxe12fv5UGZahc8PbKcBIqkVrJ94/SI/++gzCeVKaN2f+PP
O4eUbbD8C6cRl0y2XANISiERDILjfbKAOIbhHOav1KGZe3FPHP6wW3d3uIIKTRI=
=NnJu
-----END PGP SIGNATURE-----
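As an added example, not part of the thread or of any of the posters' code: the thread shows that a loadable module can declare its own port type (`type eggdrop_telnet_port_t, port_type;`) but cannot carry the `portcon` statement, which the module compiler accepts only in the base policy, so the port-to-type mapping is installed from outside the module with `semanage port -a`, as done at the top of the message. The defender's follow-up check is then: does the port the confined domain will `name_bind` to really resolve to the module's type, or does a pre-existing label (or the catch-all `unreserved_port_t` range) shadow it? The script below parses the `semanage port -l` listing format seen above (type, protocol, comma-separated ports and ranges) and answers that. The sample listing is constructed, the `check_port_label` helper and its messages are my own, and the "narrowest range wins" ordering is a simplification of the kernel's first-match lookup over its portcon list.

```python
"""Verify which SELinux port type a TCP/UDP port resolves to, using the
text format printed by `semanage port -l`."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `semanage port -l` output (not captured from a real
# host). The eggdrop line mirrors the one shown in the thread; the other
# entries are typical reference-policy port types with a header line and a
# wide range so the parser has to cope with both.
SAMPLE_LISTING = """\
SELinux Port Type              Proto    Port Number

eggdrop_telnet_port_t          tcp      3333
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ircd_port_t                    tcp      6667
unreserved_port_t              tcp      1024-65535
unreserved_port_t              udp      1024-65535
"""

Range = Tuple[int, int]
PortTable = Dict[Tuple[str, str], List[Range]]


def parse_port_listing(text: str) -> PortTable:
    """Map (port_type, proto) -> list of inclusive (low, high) ranges.

    Header, blank and otherwise unrelated lines are skipped; a port
    specification that is neither N nor N-M is an error rather than
    silently ignored, so a changed output format cannot hide a label."""
    table: PortTable = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1] not in ("tcp", "udp"):
            continue
        ptype, proto, ports = parts
        ranges: List[Range] = []
        for item in ports.split(","):
            item = item.strip()
            m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
            if not m:
                raise ValueError(f"unparseable port spec {item!r} in {line!r}")
            low = int(m.group(1))
            high = int(m.group(2)) if m.group(2) else low
            ranges.append((low, high))
        table.setdefault((ptype, proto), []).extend(ranges)
    return table


def types_for_port(table: PortTable, proto: str, port: int) -> List[str]:
    """All port types whose ranges cover `port`, narrowest range first.

    Simplification (assumption): a single-port entry such as the eggdrop
    line is taken to shadow a wide range such as unreserved_port_t, which
    matches how semanage-added entries are placed ahead of the base
    policy's generic ranges."""
    hits: List[Tuple[int, str]] = []
    for (ptype, p), ranges in table.items():
        if p != proto:
            continue
        for low, high in ranges:
            if low <= port <= high:
                hits.append((high - low, ptype))
                break
    hits.sort()
    return [ptype for _, ptype in hits]


def check_port_label(table: PortTable, proto: str, port: int,
                     expected: str) -> Tuple[bool, str]:
    """Return (ok, message). ok only when `expected` is the type the port
    resolves to; otherwise the message names the semanage fix to apply
    (-a for an unlabeled port, -m to move an already-labeled one)."""
    owners = types_for_port(table, proto, port)
    if not owners:
        return False, (f"{proto}/{port} is unlabeled; run: "
                       f"semanage port -a -t {expected} -p {proto} {port}")
    if owners[0] != expected:
        return False, (f"{proto}/{port} resolves to {owners[0]}, not {expected}; "
                       f"run: semanage port -m -t {expected} -p {proto} {port}")
    return True, f"{proto}/{port} -> {expected}"


if __name__ == "__main__":
    # On a real host replace SAMPLE_LISTING with the output of `semanage port -l`.
    ports = parse_port_listing(SAMPLE_LISTING)
    for proto, port in (("tcp", 3333), ("tcp", 3334), ("udp", 3333)):
        print(check_port_label(ports, proto, port, "eggdrop_telnet_port_t")[1])
```

Pair this with the policy side: once the port resolves to `eggdrop_telnet_port_t`, the module only needs `allow eggdrop_t eggdrop_telnet_port_t:tcp_socket name_bind;` (plus the node bind already in the posted module) for the bot's telnet listener, and a bind on any other port is denied and shows up in the audit log.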


