You could try using the exist telnet policy in ref policy by chconing
your executable to telnetd_exec_t. However depending on what your
custom telnet daemon does you may still get AVCs.
Ted
On Thu, Jul 26, 2012 at 8:10 AM, Dave Stoner
<dave.stoner(a)northgate-is.com> wrote:
I apologise in advance for asking questions which I feel I should
have been
able to answer from sources on the internet. If you could possibly give me
some pointers on where to look it would be so much appreciated.
My system is centos 6.2 –
Linux MyHostName 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22
GMT 2011 x86_64 x86_64 x86_64 GNU/Linux
SELinux mode is set ‘enforced’.
I have a proprietary telnet daemon which upon a telnet to port 52000, is
started OK when SELinux is disabled. But when it is enabled the same telnet
results in /var/log/audit/audit.log showing:
type=USER_LOGIN msg=audit(1343048458.345:69): user pid=2536 uid=0 auid=799
ses=7 subj=system_u:system_r:inetd_t:s0-s0:c0.c1023 msg='op=login id=799
exe="/bin/login" hostname=0.0.0.0 addr=0.0.0.0 termi
nal=pts/2 res=success'
A normal telnet gives a message similar to above, my telnet adds the
following:
type=AVC msg=audit(1343048458.353:70): avc: denied { entrypoint } for
pid=2543 comm="login" path="/bin/bash" dev=sda2 ino=135083
scontext=unconfined_u:system_r:qmail_tcp_env_t:s0-s0:c0.c1023 tconte
xt=system_u:object_r:shell_exec_t:s0 tclass=file
I believe I can create a policy to overcome this using audit2allow, i.e. it
comes up with:
module mypola 1.0;
require {
type qmail_tcp_env_t;
type shell_exec_t;
class file entrypoint;
}
#============= qmail_tcp_env_t ==============
allow qmail_tcp_env_t shell_exec_t:file entrypoint;
But it seems to me what I ought to be doing is somehow to get my daemon to
run with a domain of ‘remote_logon_t’ as is used by the standard telnet
daemon, as here:
type=USER_LOGIN msg=audit(1343058924.928:212): user pid=3759 uid=0 auid=799
ses=29 subj=system_u:system_r:remote_login_t:s0-s0:c0.c1023 msg='op=login
id=799 exe="/bin/login" hostname=localhost addr=::
1 terminal=pts/2 res=success'
This is unfamiliar territory and any hints or pointers would really be
appreciated.
Dave.
Dave Stoner
Principal Systems Architect
Northgate Reality
Direct: +44 (0)1442 272071 - VPN: 872 2071
www.northgate-is.com/reality
________________________________
This email is sent on behalf of Northgate Information Solutions Limited and
its associated companies ("Northgate") and is strictly confidential and
intended solely for the addressee(s).
If you are not the intended recipient of this email you must: (i) not
disclose, copy or distribute its contents to any other person nor use its
contents in any way or you may be acting unlawfully; (ii) contact Northgate
immediately on +44 (0)1442 232424 quoting the name of the sender and the
addressee then delete it from your system.
Northgate has taken reasonable precautions to ensure that no viruses are
contained in this email, but does not accept any responsibility once this
email has been transmitted. You should scan attachments (if any) for
viruses.
Northgate Information Solutions Limited. Registered in England no. 06442582
- Northgate Information Solutions UK Limited. Registered in England no.
968498 - NorthgateArinso UK Limited. Registered in England no. 1587537 -
Moorepay Limited. Registered in England no. 891686 - First Business
Support Limited. Registered in England no. 3056267 - Registered Office:
Peoplebuilding 2, Peoplebuilding Estate, Maylands Avenue, Hemel Hempstead,
Hertfordshire HP2 4NW
Northgate Managed Services Limited (NI). Registered in Northern Ireland
no. NI032979 - LearnServe Limited (NI). Registered in Northern Ireland
no. NI043825 Registered Office: Hillview House, 61 Church Road,
Newtownabbey, Co. Antrim, BT36 7LQ
________________________________
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux