Hi Guys,
First of all thanks for being so prompt with the answers on this list.
Now I am trying to restrict eggdrop to listen only on a specific port for
the telnet support. I thought about using portcon and friends but I keep
getting the error below:
lrfurtado:~/selinux/eggdrop# make
Compiling default eggdrop module
echo "ifdef(\`""eggdrop""_per_role_template',\`" > tmp/eggdrop.mod.role
m4 -D enable_mcs -D distro_debian -D direct_sysadm_daemon -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 /usr/share/selinux/default/include/rolemap | gawk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $3 "; role " $1 ";)\neggdrop_per_role_template(" $2 "," $3 "," $1 ")" }' >> tmp/eggdrop.mod.role
echo "')" > tmp/eggdrop.mod.role
echo "ifdef(\`""eggdrop""_per_userdomain_template',\`" >> tmp/eggdrop.mod.role
echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""eggdrop""_per_userdomain_template)'__endline__)" > tmp/eggdrop.mod.role
m4 -D enable_mcs -D distro_debian -D direct_sysadm_daemon -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 /usr/share/selinux/default/include/rolemap | gawk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $3 "; role " $1 ";)\neggdrop_per_userdomain_template(" $2 "," $3 "," $1 ")" }' >> tmp/eggdrop.mod.role
echo "')" > tmp/eggdrop.mod.role
m4 -D enable_mcs -D distro_debian -D direct_sysadm_daemon -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/default/include/support/all_perms.spt /usr/share/selinux/default/include/support/file_patterns.spt /usr/share/selinux/default/include/support/ipc_patterns.spt /usr/share/selinux/default/include/support/loadable_module.spt /usr/share/selinux/default/include/support/misc_macros.spt /usr/share/selinux/default/include/support/misc_patterns.spt /usr/share/selinux/default/include/support/mls_mcs_macros.spt /usr/share/selinux/default/include/support/obj_perm_sets.spt tmp/all_interfaces.conf eggdrop.te tmp/eggdrop.mod.role > tmp/eggdrop.tmp
/usr/bin/checkmodule -M -m tmp/eggdrop.tmp -o tmp/eggdrop.mod
/usr/bin/checkmodule: loading policy configuration from tmp/eggdrop.tmp
eggdrop.te":39:ERROR 'syntax error' at token 'portcon' on line 4063:
type eggdrop_server_packet_t, packet_type, server_packet_type;
portcon tcp 3333 system_u:object_r:eggdrop_telnet_port_t:s0
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/eggdrop.mod] Error 1
lrfurtado:~/selinux/eggdrop# vi
I tried using portcon like it's used in corenetwork.te:
policy_module(eggdrop, 1.0.0)
########################################
#
# Declarations
#
gen_require(`
type unconfined_t;
role unconfined_r;
role object_r;
attribute packet_type;
attribute port_type;
attribute client_packet_type;
attribute server_packet_type;
')
type eggdrop_t;
type eggdrop_exec_t;
type eggdrop_home_t;
type eggdrop_tty_device_t;
type eggdrop_devpts_t;
role unconfined_r types eggdrop_t;
role object_r types eggdrop_exec_t;
application_domain(eggdrop_t, eggdrop_exec_t)
type eggdrop_conf_t;
files_config_file(eggdrop_conf_t)
allow eggdrop_t eggdrop_conf_t:dir list_dir_perms;
read_files_pattern(eggdrop_t,eggdrop_conf_t,eggdrop_conf_t)
read_lnk_files_pattern(eggdrop_t,eggdrop_conf_t,eggdrop_conf_t)
corenet_tcp_bind_all_nodes(eggdrop_t);
corenet_tcp_connect_all_ports(eggdrop_t)
corenet_tcp_sendrecv_all_ports(eggdrop_t)
type eggdrop_telnet_port_t, port_type;
type eggdrop_client_packet_t, packet_type, client_packet_type;
type eggdrop_server_packet_t, packet_type, server_packet_type;
portcon tcp 3333 gen_context(system_u:object_r:eggdrop_telnet_port_t,s0)
unconfined_run_to(eggdrop_t, eggdrop_exec_t)
libs_use_ld_so(eggdrop_t)
libs_use_shared_libs(eggdrop_t)
miscfiles_read_localization(eggdrop_t)
files_search_usr(eggdrop_t)
files_read_usr_files(eggdrop_t)
files_search_tmp(eggdrop_t)
files_manage_generic_tmp_dirs(eggdrop_t)
files_manage_generic_tmp_files(eggdrop_t)
files_search_home(eggdrop_t)
corecmd_search_bin(eggdrop_t)
files_home_filetrans(eggdrop_t, eggdrop_home_t, file);
fs_associate(eggdrop_home_t)
manage_files_pattern(eggdrop_t,eggdrop_home_t,eggdrop_home_t)
manage_files_pattern(unconfined_t, eggdrop_home_t, eggdrop_home_t)
auth_use_nsswitch(eggdrop_t)
allow eggdrop_t self:fifo_file write;
allow eggdrop_t self:fifo_file read;
On 11-03-30 07:52, Dominick Grift wrote:
On 03/30/2011 01:46 PM, Luciano Furtado wrote:
> On 11-03-28 05:06, Dominick Grift wrote:
>> On 03/28/2011 02:32 AM, Luciano Furtado wrote:
>>> Hi guys,
>>> I started creating my policy module for the eggdrop irc bot. I am
>>> getting stuck on simple task. I want to add a transition from
>>> unconfined_t to eggdrop_t when I run a eggdrop_exec_t file.
>>> This is what I have:
>>> policy_module(eggdrop, 1.0.0)
>>> ########################################
>>> #
>>> # Declarations
>>> #
>>> gen_require(`
>>> type unconfined_t;
>>> ')
>>> type eggdrop_t;
>>> type eggdrop_exec_t;
>>> application_executable_file(eggdrop_exec_t)
>> This is not required, it is in application_domain(), which you should
>> call. Lack of application_domain(eggdrop_t, eggdrop_exec_t) is what's
>> causing the constraint violation.
>> Also allow the unconfined_r role the eggdrop_t domain:
>> role unconfined_r types eggdrop_t;
>> (you also will need to require "role unconfined_r;")
>>> type eggdrop_conf_t;
>>> files_config_file(eggdrop_conf_t)
>>> corenet_tcp_connect_ircd_port(eggdrop_t)
>>> corenet_tcp_sendrecv_ircd_port(eggdrop_t)
>>> domain_auto_trans(unconfined_t,eggdrop_exec_t,eggdrop_t)
>> Better use domtrans_pattern() instead of domain_auto_trans. It better
>> fits the requirements:
>> domtrans_pattern(unconfined_t, eggdrop_exec_t, eggdrop_t)
>> so a basic standard template to start is:
>> ----------->8--------------
>> policy_module(eggdrop, 1.0.0)
>> gen_require(`
>> type unconfined_t;
>> role unconfined_r;
>> ')
>> type eggdrop_t;
>> type eggdrop_exec_t;
>> application_domain(eggdrop_t, eggdrop_exec_t)
>> role unconfined_r types eggdrop_t;
>> type eggdrop_etc_t;
>> files_config_file(eggdrop_etc_t)
>> domtrans_pattern(unconfined_t, eggdrop_exec_t, eggdrop_t)
>> -------------8<------------
>>> This is what I get when I try to load this policy module:
>>> lrfurtado:~/selinux/eggdrop# make load
>>> Loading default modules: eggdrop
>>> /usr/sbin/semodule -i eggdrop.pp
>>> libsepol.check_assertion_helper: neverallow violated by allow
>>> unconfined_t eggdrop_t:process { transition };
>>> libsemanage.semanage_expand_sandbox: Expand module failed
>>> /usr/sbin/semodule: Failed!
>>> make: *** [tmp/loaded] Error 1
>>> lrfurtado:~/selinux/eggdrop#
>>> What's the proper way of accomplishing this?
>>> On 11-03-25 15:24, Dominick Grift wrote:
>>>> On 03/25/2011 08:16 PM, Luciano Furtado wrote:
>>>>> Thanks Dominick,
>>>>> I will use this as an exercise on how to create a new policy module. I
>>>>> hope you guys can tolerate my newbie questions for a while.
>>>> I created some screen casts and put them on youtube that show some of
>>>> this:
>>>> Write a policy module part 1 to 4 (on fedora):
>>>> part 1: http://www.youtube.com/watch?v=s4EyoW_7riQ
>>>> part 2: http://www.youtube.com/watch?v=G5gUt1-ttGg
>>>> part 3: http://www.youtube.com/watch?v=nbFnchVAgYs
>>>> part 4: http://www.youtube.com/watch?v=rUGBgzTr92A
>>>> Some other examples:
>>>> part 1: http://www.youtube.com/watch?v=sBI50O84NLo
>>>> part 2: http://www.youtube.com/watch?v=ATTJ5xUKH1E
>>>> part 3: http://www.youtube.com/watch?v=e3cQNi3bi70
>>>> may or may not be helpful.
>>>>> Best Regards.
>>>>> Luciano
>>>>> On 11-03-25 14:29, Dominick Grift wrote:
>>>>>> On 03/25/2011 07:09 PM, Luciano Furtado wrote:
>>>>>>> Hi Group,
>>>>>>> Does eggdrop have a selinux policy module? If so, starting on which
>>>>>>> Fedora version?
>>>>>> The only reference that i could find to it was:
>>>>>> "You can find a copy of my irssi policy here
>>>>>> http://pastebin.ca/768256?srch=irssi_exec_t it also includes policy for
>>>>>> eggdrop and manual pages"
>>>>>> From my 2008 article
>>>>>> "http://domg472.blogspot.com/2008/05/how-to-create-integrate-and-rebuild.html"
>>>>>> Unfortunately it seems "pastebin.ca" no longer exists. I can no longer
>>>>>> access the site.
>>>>>>> I am looking to get the sources for it, build / install it on my Debian
>>>>>>> installation which doesn't seem to have a module for it.
>>>>>>> Best Regards.
>>>>>>> Luciano
> On my policy right now I have this which I think would allow eggdrop to
> sendrecv packets to any host/port combination:
> corenet_tcp_sendrecv_all_ports(eggdrop_t)
> If I wanted to limit eggdrop to talk only to a specific host/port, would it
> be possible to use iptables to label the packets to something like
> eggdrop_packet_t and then add a rule like this?
> corenet_tcp_recvfrom_labeled(eggdrop_t, eggdrop_packet_t)
> Is this the right approach to accomplish this?
I am not into the selinux networking controls but dwalsh recently
published an article that may or may not inspire you:
http://www.linux.com/learn/tutorials/421152-using-selinux-and-iptables-to...
> My WIP policy is located at http://lrfurtado.vps.bitfolk.com/eggdrop/
I probably would have done it differently, but if it works; it works.
> Best Regards.
> Luciano
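The portcon statement only belongs in base policy, which is why checkmodule -M rejects it with the bare syntax error shown in the build output above; a loadable module declares the port type (type eggdrop_telnet_port_t, port_type;) and the port number is attached at runtime with semanage port. As an added example that is not part of this thread or of either poster's policy, here is a small Python checker that flags base-only statements in a module .te and turns each portcon (raw context or gen_context() spelling) into the matching semanage command; the sample policy text is constructed from the module posted above:

```python
import re

# Object-context statements the kernel policy language accepts only in base
# policy; checkmodule -M rejects them with the bare "syntax error" seen above.
BASE_ONLY = ("portcon", "netifcon", "nodecon", "genfscon",
             "fs_use_xattr", "fs_use_task", "fs_use_trans", "sid")

PORTCON_RE = re.compile(
    r"^\s*portcon\s+(?P<proto>tcp|udp|dccp|sctp)\s+(?P<port>\d+(?:-\d+)?)\s+"
    r"(?:gen_context\()?(?P<ctx>[^,\s)]+)")

def port_type_of(ctx):
    """Type field of a user:role:type[:range] security context, or None."""
    fields = ctx.split(":")
    return fields[2] if len(fields) >= 3 else None

def lint_module(te_text):
    """Return (line_no, keyword, advice) for each base-only statement in a
    module .te. For portcon the advice is the semanage command that labels
    the port at runtime; the module keeps only the port type and its rules."""
    findings = []
    for no, line in enumerate(te_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        keyword = stripped.split(None, 1)[0]
        if keyword not in BASE_ONLY:
            continue
        advice = "only valid in base policy; drop it from the module"
        m = PORTCON_RE.match(line)
        if m and port_type_of(m["ctx"]):
            advice = "semanage port -a -t %s -p %s %s" % (
                port_type_of(m["ctx"]), m["proto"], m["port"])
        findings.append((no, keyword, advice))
    return findings

# Constructed sample: the port lines of the module posted above, plus a port
# range and a genfscon statement to exercise the other paths.
SAMPLE_TE = """\
policy_module(eggdrop, 1.0.0)
type eggdrop_telnet_port_t, port_type;
portcon tcp 3333 gen_context(system_u:object_r:eggdrop_telnet_port_t,s0)
portcon udp 6000-6010 system_u:object_r:eggdrop_telnet_port_t:s0
allow eggdrop_t eggdrop_telnet_port_t:tcp_socket name_bind;
genfscon proc / system_u:object_r:proc_t:s0
"""

if __name__ == "__main__":
    for no, keyword, advice in lint_module(SAMPLE_TE):
        print("line %d: %s -> %s" % (no, keyword, advice))
```

Once the port is labelled, restricting the bot to that one port means keeping the name_bind rule on eggdrop_telnet_port_t and dropping the corenet_*_all_ports interfaces from the module.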