<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40" xmlns:ns0="urn:schemas-microsoft-com:office:smarttags"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"Trebuchet MS";
        panose-1:2 11 6 3 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Trebuchet MS","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Trebuchet MS","sans-serif"'>I apologise in advance for asking questions which I feel I should have been able to answer from sources on the internet. If you could possibly give me some pointers on where to look, it would be much appreciated.</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Trebuchet MS","sans-serif"'>My system is CentOS 6.2:</span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Courier New"'>Linux MyHostName 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT 2011 x86_64 x86_64 x86_64 GNU/Linux</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Trebuchet MS","sans-serif"'>SELinux mode is set to &lsquo;enforcing&rsquo;.</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Trebuchet MS","sans-serif"'>I have a proprietary telnet daemon which, upon a telnet to port 52000, is started OK when SELinux is disabled. But when it is enabled, the same telnet results in /var/log/audit/audit.log showing:</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Courier New"'>type=USER_LOGIN msg=audit(1343048458.345:69): user pid=2536 uid=0 auid=799 ses=7 subj=system_u:system_r:inetd_t:s0-s0:c0.c1023 msg='op=login id=799 exe="/bin/login" hostname=0.0.0.0 addr=0.0.0.0 terminal=pts/2 res=success'</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><i><span style='font-size:8.0pt;font-family:"Courier New"'>A normal telnet gives a message similar to the above; my telnet adds the following:</span></i></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Courier New"'>type=AVC msg=audit(1343048458.353:70): avc: denied { entrypoint } for pid=2543 comm="login" path="/bin/bash" dev=sda2 ino=135083 scontext=unconfined_u:system_r:qmail_tcp_env_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Trebuchet MS","sans-serif"'>I believe I can create a policy to overcome this using audit2allow, which comes up with:</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Courier New"'>module mypola 1.0;</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Courier New"'>require {</span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Courier New"'>&nbsp;&nbsp;&nbsp;&nbsp;type qmail_tcp_env_t;</span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Courier New"'>&nbsp;&nbsp;&nbsp;&nbsp;type shell_exec_t;</span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Courier New"'>&nbsp;&nbsp;&nbsp;&nbsp;class file entrypoint;</span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Courier New"'>}</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Courier New"'>#============= qmail_tcp_env_t ==============</span></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Courier New"'>allow qmail_tcp_env_t shell_exec_t:file entrypoint;</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Trebuchet MS","sans-serif"'>But it seems to me that what I ought to be doing is somehow getting my daemon to run with a domain of &lsquo;remote_login_t&rsquo;, as is used by the standard telnet daemon, as here:</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:"Courier New"'>type=USER_LOGIN msg=audit(1343058924.928:212): user pid=3759 uid=0 auid=799 ses=29 subj=system_u:system_r:remote_login_t:s0-s0:c0.c1023 msg='op=login id=799 exe="/bin/login" hostname=localhost addr=::1 terminal=pts/2 res=success'</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Trebuchet MS","sans-serif"'>This is unfamiliar territory and any hints or pointers would really be appreciated.</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Trebuchet MS","sans-serif"'>Dave.</span></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>&nbsp;</p>
<div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif"'><ns0:PersonName><span style='color:black'>Dave Stoner</span></ns0:PersonName></span></b></p></div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:#777777'>Principal Systems Architect<br>Northgate Reality</span><br><br><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:#777777'>Direct: +44 (0)1442 272071 - VPN: 872 2071</span><br><br><span style='font-size:10.0pt;font-family:"Trebuchet MS","sans-serif";color:#4F0B7B'><a href="http://www.northgate-is.com/reality"><span style='color:blue'>www.northgate-is.com/reality</span></a></span></p>
<p class=MsoNormal>&nbsp;</p></div>
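<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Trebuchet MS","sans-serif"'>Editor's added example, not part of Dave's message and not code from audit2allow or the SELinux project: the three audit records quoted above, rejoined onto single lines, fed through a small Python parser that rebuilds the allow rule audit2allow derives from the AVC, lists which domain /bin/login ran in for each USER_LOGIN record, and says what the entrypoint denial means rather than how to silence it. The sample log text is constructed from the mail; the function names and the wording of the explanation are this example's own. The reasoning it prints rests on how the entrypoint check works: it is made against the domain a process is entering (or has requested) when it execs a file, so a denial on shell_exec_t with the daemon's own domain as scontext means login is still running in that domain and no transition to a login domain ever took place further up the chain.</span></p>

```python
"""Parse the audit records from the mail, rebuild audit2allow's rule, explain the AVC.

Added example, not the project's or the author's code.  The sample records are the
ones quoted in the message; the function names are this example's own."""
import re
from typing import Dict, List

# Constructed sample input: the records quoted in the mail, one per line.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1343048458.345:69): user pid=2536 uid=0 auid=799 ses=7 subj=system_u:system_r:inetd_t:s0-s0:c0.c1023 msg='op=login id=799 exe="/bin/login" hostname=0.0.0.0 addr=0.0.0.0 terminal=pts/2 res=success'
type=AVC msg=audit(1343048458.353:70): avc: denied { entrypoint } for pid=2543 comm="login" path="/bin/bash" dev=sda2 ino=135083 scontext=unconfined_u:system_r:qmail_tcp_env_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=USER_LOGIN msg=audit(1343058924.928:212): user pid=3759 uid=0 auid=799 ses=29 subj=system_u:system_r:remote_login_t:s0-s0:c0.c1023 msg='op=login id=799 exe="/bin/login" hostname=localhost addr=::1 terminal=pts/2 res=success'
"""

# key=value pairs; a value may be double-quoted, single-quoted (msg='...') or bare
_KV = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
# the permission set of an AVC record:  avc: denied { read write } for ...
_AVC_PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s")


def parse_record(line: str) -> dict:
    """Turn one audit record into a dict of its fields; AVC records also get 'perms'."""
    rec = {k: v.strip("\"'") for k, v in _KV.findall(line)}
    m = _AVC_PERMS.search(line)
    if m:
        rec["perms"] = m.group(1).split()
    return rec


def parse_audit(text: str) -> List[dict]:
    """Parse every non-blank line of audit.log text."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def domain(context: str) -> str:
    """Type field of a context string (user:role:type:range), e.g. inetd_t."""
    return context.split(":")[2]


def _permset(perms) -> str:
    """Policy syntax for a permission set: bare name for one, { a b } for several."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def audit2allow(records: List[dict], name: str = "mypola") -> str:
    """Rebuild what `audit2allow -M name` prints: one allow rule per
    (source domain, target type, class) plus the require block those rules need."""
    rules: Dict[tuple, set] = {}
    for r in records:
        if r.get("type") == "AVC":
            key = (domain(r["scontext"]), domain(r["tcontext"]), r["tclass"])
            rules.setdefault(key, set()).update(r["perms"])
    types = sorted({src for src, _, _ in rules} | {tgt for _, tgt, _ in rules})
    classes: Dict[str, set] = {}
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_permset(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    last_src = None
    for (src, tgt, cls), perms in sorted(rules.items()):
        if src != last_src:  # audit2allow prints one banner per source domain
            out.append(f"#============= {src} ==============")
            last_src = src
        out.append(f"allow {src} {tgt}:{cls} {_permset(perms)};")
    return "\n".join(out) + "\n"


def login_domains(records: List[dict]) -> Dict[str, str]:
    """Domain /bin/login was running in for each USER_LOGIN record, keyed by pid."""
    return {r["pid"]: domain(r["subj"]) for r in records if r.get("type") == "USER_LOGIN"}


def explain_avc(r: dict) -> str:
    """What the denial means, as opposed to which rule would make it go away."""
    src, tgt = domain(r["scontext"]), domain(r["tcontext"])
    if r["tclass"] == "file" and "entrypoint" in r["perms"]:
        # entrypoint is checked against the domain a process is entering (or has
        # requested) when it execs a file.  comm="login" is starting the user's
        # shell, yet the domain is still the daemon's own, so no transition into a
        # login domain happened earlier.  Allowing entrypoint would let the daemon's
        # domain run shells; fix the labelling/transition instead.
        return (f"{r['comm']} (pid {r['pid']}) execs {r['path']} ({tgt}) into domain {src}, "
                f"which has no entrypoint for it: wrong domain, fix the transition rather than allow")
    return f"{src} denied {' '.join(r['perms'])} on {tgt}:{r['tclass']}"


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT_LOG)
    print(audit2allow(recs))
    for pid, dom in login_domains(recs).items():
        print(f"login pid {pid} ran in {dom}")
    for r in recs:
        if r.get("type") == "AVC":
            print(explain_avc(r))
```

<p class=MsoNormal><span style='font-size:12.0pt;font-family:"Trebuchet MS","sans-serif"'>The allow line the script prints is the one quoted in the mail; explain_avc is the part audit2allow does not do. Note that the two USER_LOGIN records put /bin/login in inetd_t and remote_login_t respectively, while the AVC puts it in qmail_tcp_env_t, so the question to answer on the box is which exec in the inetd to daemon to login chain is missing its domain transition. The labels to look at for that are the daemon binary's (ls -Z) and the policy's transitions out of inetd_t (sesearch -T -s inetd_t -c process); the commands are standard CentOS 6 tooling, suggested here rather than taken from the mail.</span></p>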
</body></html>