-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi Group,
Does eggdrop have a SELinux policy module? If so, starting on which Fedora version?
I am looking to get the sources for it, build / install it on my Debian installation, which doesn't seem to have a module for it.
Best Regards. Luciano
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 03/25/2011 07:09 PM, Luciano Furtado wrote:
> Hi Group,
> Does eggdrop have a SELinux policy module? If so, starting on which Fedora version?

Nope, I made one years ago but it looks like I never submitted it upstream. Google knows nothing about it. I also do not have it anymore.

> I am looking to get the sources for it, build / install it on my Debian installation, which doesn't seem to have a module for it.
> Best Regards. Luciano

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 03/25/2011 07:09 PM, Luciano Furtado wrote:
> Hi Group,
> Does eggdrop have a SELinux policy module? If so, starting on which Fedora version?

The only reference that I could find to it was:

"You can find a copy of my irssi policy here http://pastebin.ca/768256?srch=irssi_exec_t it also includes policy for eggdrop and manual pages"

From my 2008 article "http://domg472.blogspot.com/2008/05/how-to-create-integrate-and-rebuild.html"

Unfortunately it seems "pastebin.ca" no longer exists. I can no longer access the site.

> I am looking to get the sources for it, build / install it on my Debian installation, which doesn't seem to have a module for it.
> Best Regards. Luciano
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Thanks Dominick,
I will use this as an exercise on how to create a new policy module. I hope you guys can tolerate my newbie questions for a while.
Best Regards. Luciano
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 03/25/2011 08:16 PM, Luciano Furtado wrote:
> Thanks Dominick,
> I will use this as an exercise on how to create a new policy module. I hope you guys can tolerate my newbie questions for a while.

I created some screencasts and put them on YouTube that show some of this:

Write a policy module, parts 1 to 4 (on Fedora):
part 1: http://www.youtube.com/watch?v=s4EyoW_7riQ
part 2: http://www.youtube.com/watch?v=G5gUt1-ttGg
part 3: http://www.youtube.com/watch?v=nbFnchVAgYs
part 4: http://www.youtube.com/watch?v=rUGBgzTr92A

Some other examples:
part 1: http://www.youtube.com/watch?v=sBI50O84NLo
part 2: http://www.youtube.com/watch?v=ATTJ5xUKH1E
part 3: http://www.youtube.com/watch?v=e3cQNi3bi70

They may or may not be helpful.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi guys,

I started creating my policy module for the eggdrop IRC bot. I am getting stuck on a simple task. I want to add a transition from unconfined_t to eggdrop_t when I run an eggdrop_exec_t file.

This is what I have:

policy_module(eggdrop, 1.0.0)

########################################
#
# Declarations
#

gen_require(`
	type unconfined_t;
')

type eggdrop_t;
type eggdrop_exec_t;
application_executable_file(eggdrop_exec_t)

type eggdrop_conf_t;
files_config_file(eggdrop_conf_t)

corenet_tcp_connect_ircd_port(eggdrop_t)
corenet_tcp_sendrecv_ircd_port(eggdrop_t)

domain_auto_trans(unconfined_t,eggdrop_exec_t,eggdrop_t)

This is what I get when I try to load this policy module:

lrfurtado:~/selinux/eggdrop# make load
Loading default modules: eggdrop
/usr/sbin/semodule -i eggdrop.pp
libsepol.check_assertion_helper: neverallow violated by allow unconfined_t eggdrop_t:process { transition };
libsemanage.semanage_expand_sandbox: Expand module failed
/usr/sbin/semodule: Failed!
make: *** [tmp/loaded] Error 1
lrfurtado:~/selinux/eggdrop#

What's the proper way of accomplishing this?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 03/28/2011 02:32 AM, Luciano Furtado wrote:
> Hi guys,
> I started creating my policy module for the eggdrop IRC bot. I am getting stuck on a simple task. I want to add a transition from unconfined_t to eggdrop_t when I run an eggdrop_exec_t file.
> This is what I have:
>
> policy_module(eggdrop, 1.0.0)
>
> ########################################
> #
> # Declarations
> #
>
> gen_require(`
> 	type unconfined_t;
> ')
>
> type eggdrop_t;
> type eggdrop_exec_t;
> application_executable_file(eggdrop_exec_t)

This is not required; it is in application_domain(), which you should call. Lack of application_domain(eggdrop_t, eggdrop_exec_t) is what's causing the constraint violation.

Also allow the unconfined_r role the eggdrop_t domain:

role unconfined_r types eggdrop_t;

(you also will need to require "role unconfined_r;")

> type eggdrop_conf_t;
> files_config_file(eggdrop_conf_t)
>
> corenet_tcp_connect_ircd_port(eggdrop_t)
> corenet_tcp_sendrecv_ircd_port(eggdrop_t)
>
> domain_auto_trans(unconfined_t,eggdrop_exec_t,eggdrop_t)

Better use domtrans_pattern() instead of domain_auto_trans(). It better fits the requirements:

domtrans_pattern(unconfined_t, eggdrop_exec_t, eggdrop_t)

So a basic standard template to start is:

----------->8--------------
policy_module(eggdrop, 1.0.0)

gen_require(`
	type unconfined_t;
	role unconfined_r;
')

type eggdrop_t;
type eggdrop_exec_t;
application_domain(eggdrop_t, eggdrop_exec_t)
role unconfined_r types eggdrop_t;

type eggdrop_etc_t;
files_config_file(eggdrop_etc_t)

domtrans_pattern(unconfined_t, eggdrop_exec_t, eggdrop_t)
-------------8<------------

> This is what I get when I try to load this policy module:
>
> lrfurtado:~/selinux/eggdrop# make load
> Loading default modules: eggdrop
> /usr/sbin/semodule -i eggdrop.pp
> libsepol.check_assertion_helper: neverallow violated by allow unconfined_t eggdrop_t:process { transition };
> libsemanage.semanage_expand_sandbox: Expand module failed
> /usr/sbin/semodule: Failed!
> make: *** [tmp/loaded] Error 1
> lrfurtado:~/selinux/eggdrop#
>
> What's the proper way of accomplishing this?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
In my policy right now I have this, which I think would allow eggdrop to send/receive packets to any host/port combination:

corenet_tcp_sendrecv_all_ports(eggdrop_t)

If I wanted to limit eggdrop to talk only to a specific host/port, would it be possible to use iptables to label the packets as something like eggdrop_packet_t and then add a rule like this?

corenet_tcp_recvfrom_labeled(eggdrop_t, eggdrop_packet_t)

Is this the right approach to accomplish this?

My WIP policy is located at http://lrfurtado.vps.bitfolk.com/eggdrop/

Best Regards. Luciano
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 03/30/2011 01:46 PM, Luciano Furtado wrote:
> In my policy right now I have this, which I think would allow eggdrop to send/receive packets to any host/port combination:
>
> corenet_tcp_sendrecv_all_ports(eggdrop_t)
>
> If I wanted to limit eggdrop to talk only to a specific host/port, would it be possible to use iptables to label the packets as something like eggdrop_packet_t and then add a rule like this?
>
> corenet_tcp_recvfrom_labeled(eggdrop_t, eggdrop_packet_t)
>
> Is this the right approach to accomplish this?

I am not into the SELinux networking controls, but dwalsh recently published an article that may or may not inspire you:

http://www.linux.com/learn/tutorials/421152-using-selinux-and-iptables-toget...

> My WIP policy is located at http://lrfurtado.vps.bitfolk.com/eggdrop/

I probably would have done it differently, but if it works, it works.

> Best Regards. Luciano
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi Guys,

First of all, thanks for being so prompt with the answers on this list. Now I am trying to restrict eggdrop to listen only on a specific port for the telnet support. I thought about using portcon and friends, but I keep getting the error below:

lrfurtado:~/selinux/eggdrop# make
Compiling default eggdrop module
echo "ifdef(`""eggdrop""_per_role_template',`" > tmp/eggdrop.mod.role
m4 -D enable_mcs -D distro_debian -D direct_sysadm_daemon -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 /usr/share/selinux/default/include/rolemap | gawk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $3 "; role " $1 ";)\neggdrop_per_role_template(" $2 "," $3 "," $1 ")" }' >> tmp/eggdrop.mod.role
echo "')" >> tmp/eggdrop.mod.role
echo "ifdef(`""eggdrop""_per_userdomain_template',`" >> tmp/eggdrop.mod.role
echo "errprint(`Warning: per_userdomain_templates have been renamed to per_role_templates (""eggdrop""_per_userdomain_template)'__endline__)" >> tmp/eggdrop.mod.role
m4 -D enable_mcs -D distro_debian -D direct_sysadm_daemon -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 /usr/share/selinux/default/include/rolemap | gawk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $3 "; role " $1 ";)\neggdrop_per_userdomain_template(" $2 "," $3 "," $1 ")" }' >> tmp/eggdrop.mod.role
echo "')" >> tmp/eggdrop.mod.role
m4 -D enable_mcs -D distro_debian -D direct_sysadm_daemon -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/default/include/support/all_perms.spt /usr/share/selinux/default/include/support/file_patterns.spt /usr/share/selinux/default/include/support/ipc_patterns.spt /usr/share/selinux/default/include/support/loadable_module.spt /usr/share/selinux/default/include/support/misc_macros.spt /usr/share/selinux/default/include/support/misc_patterns.spt /usr/share/selinux/default/include/support/mls_mcs_macros.spt /usr/share/selinux/default/include/support/obj_perm_sets.spt tmp/all_interfaces.conf eggdrop.te tmp/eggdrop.mod.role > tmp/eggdrop.tmp
/usr/bin/checkmodule -M -m tmp/eggdrop.tmp -o tmp/eggdrop.mod
/usr/bin/checkmodule: loading policy configuration from tmp/eggdrop.tmp
eggdrop.te":39:ERROR 'syntax error' at token 'portcon' on line 4063:
type eggdrop_server_packet_t, packet_type, server_packet_type;
portcon tcp 3333 system_u:object_r:eggdrop_telnet_port_t:s0
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/eggdrop.mod] Error 1
lrfurtado:~/selinux/eggdrop# vi

I tried using portcon like it's used in corenetwork.te:

policy_module(eggdrop, 1.0.0)

########################################
#
# Declarations
#

gen_require(`
	type unconfined_t;
	role unconfined_r;
	role object_r;
	attribute packet_type;
	attribute port_type;
	attribute client_packet_type;
	attribute server_packet_type;
')

type eggdrop_t;
type eggdrop_exec_t;
type eggdrop_home_t;
type eggdrop_tty_device_t;
type eggdrop_devpts_t;
role unconfined_r types eggdrop_t;
role object_r types eggdrop_exec_t;

application_domain(eggdrop_t, eggdrop_exec_t)
type eggdrop_conf_t;
files_config_file(eggdrop_conf_t)
allow eggdrop_t eggdrop_conf_t:dir list_dir_perms;
read_files_pattern(eggdrop_t,eggdrop_conf_t,eggdrop_conf_t)
read_lnk_files_pattern(eggdrop_t,eggdrop_conf_t,eggdrop_conf_t)
corenet_tcp_bind_all_nodes(eggdrop_t)
corenet_tcp_connect_all_ports(eggdrop_t)
corenet_tcp_sendrecv_all_ports(eggdrop_t)

type eggdrop_telnet_port_t, port_type;
type eggdrop_client_packet_t, packet_type, client_packet_type;
type eggdrop_server_packet_t, packet_type, server_packet_type;
portcon tcp 3333 gen_context(system_u:object_r:eggdrop_telnet_port_t,s0)

unconfined_run_to(eggdrop_t, eggdrop_exec_t)

libs_use_ld_so(eggdrop_t)
libs_use_shared_libs(eggdrop_t)
miscfiles_read_localization(eggdrop_t)
files_search_usr(eggdrop_t)
files_read_usr_files(eggdrop_t)
files_search_tmp(eggdrop_t)
files_manage_generic_tmp_dirs(eggdrop_t)
files_manage_generic_tmp_files(eggdrop_t)
files_search_home(eggdrop_t)
corecmd_search_bin(eggdrop_t)

files_home_filetrans(eggdrop_t, eggdrop_home_t, file)
fs_associate(eggdrop_home_t)
manage_files_pattern(eggdrop_t,eggdrop_home_t,eggdrop_home_t)
manage_files_pattern(unconfined_t, eggdrop_home_t, eggdrop_home_t)

auth_use_nsswitch(eggdrop_t)

allow eggdrop_t self:fifo_file write;
allow eggdrop_t self:fifo_file read;
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
I am able to assign a port number to eggdrop_telnet_port_t with the following command:

lrfurtado:~/selinux/eggdrop# semanage port -a -t eggdrop_telnet_port_t -p tcp 3333
lrfurtado:~/selinux/eggdrop# semanage port -l | grep eggdrop
eggdrop_telnet_port_t          tcp      3333
lrfurtado:~/selinux/eggdrop#

My question is, if for some reason I can't have portcon in my module, how do I define a default port number for eggdrop_telnet_port_t from inside my module?

Best Regards. Luciano
On 11-04-02 15:45, Luciano Furtado wrote:
Hi Guys,
First of all thanks for being so prompt with the answers on this list. Now I am trying to restrict eggdrop to listen only a specific port for the telnet support. I thought about using portcon and friends but I keep getting the error bellow:
lrfurtado:~/selinux/eggdrop# make Compiling default eggdrop module echo "ifdef(`""eggdrop""_per_role_template',`" > tmp/eggdrop.mod.role m4 -D enable_mcs -D distro_debian -D direct_sysadm_daemon -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 /usr/share/selinux/default/include/rolemap | gawk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $3 "; role " $1 ";)\neggdrop_per_role_template(" $2 "," $3 "," $1 ")" }' >> tmp/eggdrop.mod.role echo "')" >> tmp/eggdrop.mod.role echo "ifdef(`""eggdrop""_per_userdomain_template',`" >> tmp/eggdrop.mod.role echo "errprint(`Warning: per_userdomain_templates have been renamed to per_role_templates (""eggdrop""_per_userdomain_template)'__endline__)"
tmp/eggdrop.mod.role
m4 -D enable_mcs -D distro_debian -D direct_sysadm_daemon -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 /usr/share/selinux/default/include/rolemap | gawk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $3 "; role " $1 ";)\neggdrop_per_userdomain_template(" $2 "," $3 "," $1 ")" }' >> tmp/eggdrop.mod.role echo "')" >> tmp/eggdrop.mod.role m4 -D enable_mcs -D distro_debian -D direct_sysadm_daemon -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/default/include/support/all_perms.spt /usr/share/selinux/default/include/support/file_patterns.spt /usr/share/selinux/default/include/support/ipc_patterns.spt /usr/share/selinux/default/include/support/loadable_module.spt /usr/share/selinux/default/include/support/misc_macros.spt /usr/share/selinux/default/include/support/misc_patterns.spt /usr/share/selinux/default/include/support/mls_mcs_macros.spt /usr/share/selinux/default/include/support/obj_perm_sets.spt tmp/all_interfaces.conf eggdrop.te tmp/eggdrop.mod.role > tmp/eggdrop.tmp /usr/bin/checkmodule -M -m tmp/eggdrop.tmp -o tmp/eggdrop.mod /usr/bin/checkmodule: loading policy configuration from tmp/eggdrop.tmp eggdrop.te":39:ERROR 'syntax error' at token 'portcon' on line 4063: type eggdrop_server_packet_t, packet_type, server_packet_type; portcon tcp 3333 system_u:object_r:eggdrop_telnet_port_t:s0 /usr/bin/checkmodule: error(s) encountered while parsing configuration make: *** [tmp/eggdrop.mod] Error 1 lrfurtado:~/selinux/eggdrop# vi
I tried using portcon like it's used on corenetwork.te
policy_module(eggdrop, 1.0.0)

########################################
#
# Declarations
#

gen_require(`
	type unconfined_t;
	role unconfined_r;
	role object_r;
	attribute packet_type;
	attribute port_type;
	attribute client_packet_type;
	attribute server_packet_type;
')

type eggdrop_t;
type eggdrop_exec_t;
type eggdrop_home_t;
type eggdrop_tty_device_t;
type eggdrop_devpts_t;
role unconfined_r types eggdrop_t;
role object_r types eggdrop_exec_t;

application_domain(eggdrop_t, eggdrop_exec_t)

type eggdrop_conf_t;
files_config_file(eggdrop_conf_t)
allow eggdrop_t eggdrop_conf_t:dir list_dir_perms;
read_files_pattern(eggdrop_t,eggdrop_conf_t,eggdrop_conf_t)
read_lnk_files_pattern(eggdrop_t,eggdrop_conf_t,eggdrop_conf_t)
corenet_tcp_bind_all_nodes(eggdrop_t);
corenet_tcp_connect_all_ports(eggdrop_t)
corenet_tcp_sendrecv_all_ports(eggdrop_t)

type eggdrop_telnet_port_t, port_type;
type eggdrop_client_packet_t, packet_type, client_packet_type;
type eggdrop_server_packet_t, packet_type, server_packet_type;
portcon tcp 3333 gen_context(system_u:object_r:eggdrop_telnet_port_t,s0)

unconfined_run_to(eggdrop_t, eggdrop_exec_t)

libs_use_ld_so(eggdrop_t)
libs_use_shared_libs(eggdrop_t)
miscfiles_read_localization(eggdrop_t)
files_search_usr(eggdrop_t)
files_read_usr_files(eggdrop_t)
files_search_tmp(eggdrop_t)
files_manage_generic_tmp_dirs(eggdrop_t)
files_manage_generic_tmp_files(eggdrop_t)
files_search_home(eggdrop_t)
corecmd_search_bin(eggdrop_t)

files_home_filetrans(eggdrop_t, eggdrop_home_t, file);
fs_associate(eggdrop_home_t)
manage_files_pattern(eggdrop_t,eggdrop_home_t,eggdrop_home_t)
manage_files_pattern(unconfined_t, eggdrop_home_t, eggdrop_home_t)

auth_use_nsswitch(eggdrop_t)

allow eggdrop_t self:fifo_file write;
allow eggdrop_t self:fifo_file read;
On 11-03-30 07:52, Dominick Grift wrote:
On 03/30/2011 01:46 PM, Luciano Furtado wrote:
On 11-03-28 05:06, Dominick Grift wrote:
On 03/28/2011 02:32 AM, Luciano Furtado wrote:
Hi guys,
I started creating my policy module for the eggdrop irc bot. I am getting stuck on a simple task. I want to add a transition from unconfined_t to eggdrop_t when I run an eggdrop_exec_t file.
This is what I have:
policy_module(eggdrop, 1.0.0)

########################################
#
# Declarations
#

gen_require(`
	type unconfined_t;
')

type eggdrop_t;
type eggdrop_exec_t;
application_executable_file(eggdrop_exec_t)
This is not required; it is in application_domain(), which you should call. Lack of application_domain(eggdrop_t, eggdrop_exec_t) is what's causing the constraint violation.
Also allow the unconfined_r role the eggdrop_t domain:
role unconfined_r types eggdrop_t;
(you also will need to require "role unconfined_r;")
type eggdrop_conf_t;
files_config_file(eggdrop_conf_t)
corenet_tcp_connect_ircd_port(eggdrop_t)
corenet_tcp_sendrecv_ircd_port(eggdrop_t)
domain_auto_trans(unconfined_t,eggdrop_exec_t,eggdrop_t)
Better use domtrans_pattern() instead of domain_auto_trans. It better fits the requirements:
domtrans_pattern(unconfined_t, eggdrop_exec_t, eggdrop_t)
so a basic standard template to start is:
----------->8--------------
policy_module(eggdrop, 1.0.0)
gen_require(`
	type unconfined_t;
	role unconfined_r;
')

type eggdrop_t;
type eggdrop_exec_t;
application_domain(eggdrop_t, eggdrop_exec_t)
role unconfined_r types eggdrop_t;

type eggdrop_etc_t;
files_config_file(eggdrop_etc_t)

domtrans_pattern(unconfined_t, eggdrop_exec_t, eggdrop_t)
-------------8<------------
This is what I get when I try to load this policy module:
lrfurtado:~/selinux/eggdrop# make load
Loading default modules: eggdrop
/usr/sbin/semodule -i eggdrop.pp
libsepol.check_assertion_helper: neverallow violated by allow unconfined_t eggdrop_t:process { transition };
libsemanage.semanage_expand_sandbox: Expand module failed
/usr/sbin/semodule: Failed!
make: *** [tmp/loaded] Error 1
lrfurtado:~/selinux/eggdrop#
What's the proper way of accomplishing this?
On 11-03-25 15:24, Dominick Grift wrote:
On 03/25/2011 08:16 PM, Luciano Furtado wrote:
> Thanks Dominick,
> I will use this as an exercise on how to create a new policy module. I hope you guys can tolerate my newbie questions for a while.
I created some screencasts and put them on YouTube that show some of this:
Write a policy module part 1 to 4 (on fedora):
part 1: http://www.youtube.com/watch?v=s4EyoW_7riQ
part 2: http://www.youtube.com/watch?v=G5gUt1-ttGg
part 3: http://www.youtube.com/watch?v=nbFnchVAgYs
part 4: http://www.youtube.com/watch?v=rUGBgzTr92A
Some other examples:
part 1: http://www.youtube.com/watch?v=sBI50O84NLo
part 2: http://www.youtube.com/watch?v=ATTJ5xUKH1E
part 3: http://www.youtube.com/watch?v=e3cQNi3bi70
may or may not be helpful.
> Best Regards.
> Luciano
>
> On 11-03-25 14:29, Dominick Grift wrote:
>> On 03/25/2011 07:09 PM, Luciano Furtado wrote:
>>> Hi Group,
>>> Does eggdrop have a selinux policy module? If so, starting on which fedora version?
>> The only reference that i could find to it was:
>> "You can find a copy of my irssi policy here http://pastebin.ca/768256?srch=irssi_exec_t it also includes policy for eggdrop and manual pages"
>> - From my 2008 article "http://domg472.blogspot.com/2008/05/how-to-create-integrate-and-rebuild.html"
>> Unfortunately it seems "pastebin.ca" no longer exists. I can no longer access the site.
>>> I am looking to get the sources for it, build / install it on my Debian installation which doesn't seem to have a module for it.
>>> Best Regards.
>>> Luciano
In my policy right now I have this, which I think would allow eggdrop to send/receive packets to any host/port combination:
corenet_tcp_sendrecv_all_ports(eggdrop_t)
If I wanted to limit eggdrop to talking only to a specific host/port, would it be possible to use iptables to label the packets as something like eggdrop_packet_t and then add a rule like this?
corenet_tcp_recvfrom_labeled(eggdrop_t, eggdrop_packet_t)
Is this the right approach to accomplish this?
I am not into the selinux networking controls, but dwalsh recently published an article that may or may not inspire you:
http://www.linux.com/learn/tutorials/421152-using-selinux-and-iptables-toget...
My WIP policy is located at http://lrfurtado.vps.bitfolk.com/eggdrop/
I probably would have done it differently, but if it works; it works.
Best Regards. Luciano
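The checkmodule error above is the parser rejecting portcon inside a loadable module: with checkmodule -m, port (and netif/node/genfs) contexts are only accepted in the base module, which is why refpolicy keeps them in corenetwork.te. A module can still declare its own port type; the port number is then attached at load time with semanage port. The following is an added example, not code from the thread or from any eggdrop policy: only the network slice of a module, meant to be merged into the eggdrop.te above. It declares the console port type without a portcon and also shows the SECMARK packet types asked about further down in the thread. The type names come from the thread; the port numbers (3333 for the console, from the thread; 6667 as a typical IRC server port) and the iptables rules are assumptions to adapt to the real setup.

```selinux
policy_module(eggdrop, 1.0.1)

########################################
#
# Declarations
#

gen_require(`
	attribute port_type;
	attribute packet_type;
	attribute client_packet_type;
	attribute server_packet_type;
')

type eggdrop_t;
type eggdrop_exec_t;
application_domain(eggdrop_t, eggdrop_exec_t)

# Port type for the bot's telnet/DCC console.  Only the type lives in the
# module; the number is attached at load time with "semanage port" (see
# below) because checkmodule -m rejects a portcon statement here.
type eggdrop_telnet_port_t, port_type;

# Packet types that the iptables SECMARK rules below stamp on eggdrop
# traffic (assumed rules, see the comment at the end).
type eggdrop_client_packet_t, packet_type, client_packet_type;
type eggdrop_server_packet_t, packet_type, server_packet_type;

########################################
#
# Network policy
#

allow eggdrop_t self:tcp_socket create_stream_socket_perms;

# Listen on the console port and reach IRC servers, using the generic
# node/interface interfaces instead of the all_* ones used in the thread.
allow eggdrop_t eggdrop_telnet_port_t:tcp_socket { name_bind send_msg recv_msg };
corenet_tcp_bind_generic_node(eggdrop_t)
corenet_tcp_sendrecv_generic_if(eggdrop_t)
corenet_tcp_sendrecv_generic_node(eggdrop_t)
corenet_tcp_connect_ircd_port(eggdrop_t)
corenet_tcp_sendrecv_ircd_port(eggdrop_t)

# Packet-level control.  Once any SECMARK rule exists, every packet carries
# a label: one of these types, or unlabeled_t for traffic no rule matched.
# Allowing only the eggdrop packet types means a host/port combination not
# covered by the iptables rules is denied at the packet check even though
# the port-level rules above would permit the connection.
allow eggdrop_t eggdrop_client_packet_t:packet { send recv };
allow eggdrop_t eggdrop_server_packet_t:packet { send recv };

# Load-time setup (run as root; port numbers are assumptions for this
# example, adjust to the bot's configuration):
#
#   semanage port -a -t eggdrop_telnet_port_t -p tcp 3333
#
#   iptables -t mangle -A OUTPUT -p tcp --dport 6667 -m state --state NEW \
#       -j SECMARK --selctx system_u:object_r:eggdrop_client_packet_t:s0
#   iptables -t mangle -A OUTPUT -m state --state NEW -j CONNSECMARK --save
#   iptables -t mangle -A INPUT  -p tcp --dport 3333 -m state --state NEW \
#       -j SECMARK --selctx system_u:object_r:eggdrop_server_packet_t:s0
#   iptables -t mangle -A INPUT  -m state --state NEW -j CONNSECMARK --save
#   iptables -t mangle -A INPUT  -m state --state ESTABLISHED,RELATED \
#       -j CONNSECMARK --restore
#   iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED \
#       -j CONNSECMARK --restore
```

Two caveats a practitioner will hit. First, the packet labelling is all-or-nothing for the host: as soon as the mangle rules are loaded, every other domain's traffic becomes unlabeled_t, so the rest of the system needs to be allowed unlabeled packets (refpolicy has kernel_sendrecv_unlabeled_packets() for this; check the kernel.if in your tree) or the rule set has to cover it. Second, eggdrop_t itself does DNS lookups through auth_use_nsswitch(), and those UDP packets are not matched by the rules above, so either add a SECMARK rule for DNS or allow eggdrop_t unlabeled packets, otherwise the bot will fail to resolve the IRC server with a packet denial in the audit log rather than a port denial. If the corenetwork.if in your tree provides corenet_port() and the corenet_*_packet() interfaces, they replace the gen_require of the attributes in the declarations block.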
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 03/25/2011 02:09 PM, Luciano Furtado wrote:
Hi Group,
Does eggdrop have a selinux policy module? If so, starting on which fedora version?
I am looking to get the sources for it , build / install it on my Debian installation which doesn't seem to have a module for it.
Best Regards. Luciano
I don't think so.