You could try using the existing telnet policy in ref policy by chconing
your executable to telnetd_exec_t. However, depending on what your
custom telnet daemon does, you may still get AVCs.
Ted
On Thu, Jul 26, 2012 at 8:10 AM, Dave Stoner
<dave.stoner(a)northgate-is.com> wrote:
> I apologise in advance for asking questions which I feel I should have been
> able to answer from sources on the internet. If you could possibly give me
> some pointers on where to look it would be so much appreciated.
>
> My system is centos 6.2 –
>
> Linux MyHostName 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22
> GMT 2011 x86_64 x86_64 x86_64 GNU/Linux
>
> SELinux mode is set to ‘enforced’.
>
> I have a proprietary telnet daemon which, upon a telnet to port 52000, is
> started OK when SELinux is disabled. But when it is enabled the same telnet
> results in /var/log/audit/audit.log showing:
>
> type=USER_LOGIN msg=audit(1343048458.345:69): user pid=2536 uid=0 auid=799
> ses=7 subj=system_u:system_r:inetd_t:s0-s0:c0.c1023 msg='op=login id=799
> exe="/bin/login" hostname=0.0.0.0 addr=0.0.0.0 terminal=pts/2 res=success'
>
> A normal telnet gives a message similar to the above; my telnet adds the
> following:
>
> type=AVC msg=audit(1343048458.353:70): avc: denied { entrypoint } for
> pid=2543 comm="login" path="/bin/bash" dev=sda2 ino=135083
> scontext=unconfined_u:system_r:qmail_tcp_env_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>
> I believe I can create a policy to overcome this using audit2allow, i.e. it
> comes up with:
>
> module mypola 1.0;
>
> require {
>         type qmail_tcp_env_t;
>         type shell_exec_t;
>         class file entrypoint;
> }
>
> #============= qmail_tcp_env_t ==============
> allow qmail_tcp_env_t shell_exec_t:file entrypoint;
>
> But it seems to me what I ought to be doing is somehow to get my daemon to
> run with a domain of ‘remote_login_t’ as is used by the standard telnet
> daemon, as here:
>
> type=USER_LOGIN msg=audit(1343058924.928:212): user pid=3759 uid=0 auid=799
> ses=29 subj=system_u:system_r:remote_login_t:s0-s0:c0.c1023 msg='op=login
> id=799 exe="/bin/login" hostname=localhost addr=::1 terminal=pts/2 res=success'
>
> This is unfamiliar territory and any hints or pointers would really be
> appreciated.
>
> Dave.
>
> Dave Stoner
> Principal Systems Architect
> Northgate Reality
> Direct: +44 (0)1442 272071 - VPN: 872 2071
> www.northgate-is.com/reality
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
There are details there on how to obtain denials and make a custom policy.
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore(a)internexusconnect.net
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore(a)fedoraproject.org
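
The two routes discussed in this thread, as an added shell example that is not from any of the posters: Ted's relabel (done with semanage fcontext rather than bare chcon so the label survives a restorecon), and the "collect denials, build a module" route that Dave tried with audit2allow and Tristan points to. The daemon path /usr/local/sbin/mytelnetd is hypothetical. avc_to_te is a small awk stand-in, not audit2allow itself; it emits a module of the same shape so the grant can be read before it is compiled. The AVC input is constructed: the first line is Dave's denial rejoined onto one line, the second is an invented execute denial on the same type pair, added only to show how permissions on one pair are merged into a single rule.

```shell
#!/bin/sh
# Added example, not from the thread. Three pieces:
#  1. label_as_telnetd: relabel the custom daemon so inetd transitions it into
#     the domain the existing telnet policy expects (domain transitions are
#     keyed on the executable's type, which is why relabeling is the fix).
#  2. avc_to_te: turn AVC denials on stdin into a policy-module source of the
#     same shape audit2allow prints.
#  3. build_module: the checkmodule / semodule_package / semodule steps.
# Only avc_to_te runs here; the other two need root on an SELinux host.

# Usage: label_as_telnetd /usr/local/sbin/mytelnetd   (hypothetical path)
# semanage records the mapping in the local file-context store, so it survives
# a relabel; chcon alone is lost on the next restorecon.
label_as_telnetd() {
    semanage fcontext -a -t telnetd_exec_t "$1" && restorecon -v "$1" && ls -Z "$1"
}

# Usage: build_module mypola.te  -> compiles mypola.mod, packages mypola.pp, loads it.
build_module() {
    te="$1"; base=${te%.te}
    checkmodule -M -m -o "$base.mod" "$te" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

# Read AVC denials on stdin, print a module named $1. Only the type component
# (third field) of scontext/tcontext is used, as audit2allow does.
avc_to_te() {
    awk -v mod="$1" '
    function fmt(s,   n, p, i, out) {  # "a" -> a ; "a b" -> { a b }
        n = split(s, p, " ")
        if (n == 1) return p[1]
        out = "{"
        for (i = 1; i <= n; i++) out = out " " p[i]
        return out " }"
    }
    /type=AVC/ && /denied/ {
        if (!match($0, /[{][^}]*[}]/)) next        # permissions inside the braces
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            name = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (name == "scontext")      { split(val, c, ":"); src = c[3] }
            else if (name == "tcontext") { split(val, c, ":"); tgt = c[3] }
            else if (name == "tclass")   cls = val
        }
        if (src == "" || tgt == "" || cls == "") next
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) {
            key = src ":" tgt ":" cls
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rules[key] = rules[key] " " p[j] }
            if (!((cls, p[j]) in cseen)) { cseen[cls, p[j]] = 1; cperms[cls] = cperms[cls] " " p[j] }
        }
        types[src] = 1; types[tgt] = 1; srcs[src] = 1
    }
    END {
        print "module " mod " 1.0;\n\nrequire {"
        for (t in types) print "\ttype " t ";"
        for (cl in cperms) print "\tclass " cl " " fmt(cperms[cl]) ";"
        print "}\n"
        for (s in srcs) {
            print "#============= " s " =============="
            for (key in rules) {
                split(key, kk, ":")
                if (kk[1] == s) print "allow " kk[1] " " kk[2] ":" kk[3] " " fmt(rules[key]) ";"
            }
        }
    }'
}

# Constructed input: the denial from the thread on one line, plus an invented
# execute denial on the same type pair to show merging.
SAMPLE_AVC='type=AVC msg=audit(1343048458.353:70): avc: denied { entrypoint } for pid=2543 comm="login" path="/bin/bash" dev=sda2 ino=135083 scontext=unconfined_u:system_r:qmail_tcp_env_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file'
SAMPLE_AVC2='type=AVC msg=audit(1343048458.354:71): avc: denied { execute } for pid=2543 comm="login" path="/bin/bash" dev=sda2 ino=135083 scontext=unconfined_u:system_r:qmail_tcp_env_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file'

printf '%s\n%s\n' "$SAMPLE_AVC" "$SAMPLE_AVC2" | avc_to_te mypola
```

On a live system the input would come from `ausearch -m avc -ts recent`. Read the generated rule as a grant before loading it: the module Dave's audit2allow produced lets qmail_tcp_env_t use /bin/bash as an entrypoint, which makes the symptom go away without putting the daemon in a domain written for a login service. Relabel first, then turn only the denials that remain into a module.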