SELinux and Shorewall with IPSets
Mr Dash Four
mr.dash.four at googlemail.com
Mon Jun 28 23:42:56 UTC 2010
>> I did and everything works to absolute perfection!
>>
>> I couldn't help but try it myself. Both "semodule -i" and "restorecon
>> -rivvF /" (this is what I executed to relabel the whole file system - is
>> that right?) ran without any difficulties and did the job as expected.
>> When I later on mounted the image and logged in using qemu everything
>> was there as expected (semodule -lv shows the newly installed module and
>> I also ran cross checks on the SELinux file attributes to see whether
>> they were changed with "ls -Z" and they have).
>>
>
> sudo restorecon -R -v should usually suffice.
> The -F (force) option is to force customizable types to be reset.
> Customizable types are types defined to not relabel by default
>
Noted, thanks.
>> There is a slight drawback to all of this though - for some (well, most
>> really) processes I use non-standard ports (another security measure I
>> have taken onboard and implemented). sshd for example is not listening
>> on the 'standard' port (tcp/22), but on a different one and this causes
>> SELinux to issue "denied { name_bind }" alert. Also, my syslog-ng is
>>
>
>
> For example if ssh binds tcp sockets to port 11000:
>
> sudo semanage port -a -t ssh_port_t -p tcp 11000
>
Is this type "ssh_port_t" something, which is already registered (as
part of the targeted policy perhaps?) and I am just modifying it or is
this not the case?
>> using a directory, which maps to a non-standard directory (through
>> symbolic link - /var/log is a symbolic link to a different/secure
>> partition of the disk) and that also causes "denied { read }" with
>> "tclass=lnk_file" alert.
>>
>
> This will require a patch (need more info : avc denials of this event)
>
I will post it separately as when I run the image with qemu cutting and
pasting is not as straightforward.
>> What documentation source would you recommend for this kind of job? As
>> all alterations will be done through the kickstart file I am going to
>> use command line tools only - no GUI!
>>
>
> www.selinuxbyexample.com
>
> By far the best doc, up to date and all, is the source policy. Writing policy
> isn't so hard but there's a lot of it usually. And if you focus on the
> amount of rules then it's easy to think that stuff is complex.
>
> If you take away all the types, then it boils down to the core, which
> are type statements, classes, attributes, types, interfaces, templates,
> permissions, permission sets, and a few more of those things. You can
> learn all about those by just studying the source policy.
> www.selinuxproject.org also has some nice docs.
>
Noted, many thanks!
I am really liking this - today tried to execute "semodule -lv >
loaded_modules.txt" (as root and pwd -> /root) and instantly got an
alert - semodule was prevented from creating that file! Lovely stuff!
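The port question raised above (whether ssh_port_t already exists and whether "semanage port -a" is the right verb) can be settled from "semanage port -l": in the targeted policy ssh_port_t is already defined for tcp/22, and "-a" adds a new port to a type while "-m" reassigns a port that some other type already owns, since "-a" is refused for a port that is already defined. The script below is an added example, not code from this thread or from the SELinux project; it parses a CONSTRUCTED sample of "semanage port -l" output (embedded so it runs offline) and prints the semanage command a non-standard port needs. Run it with the real listing by replacing PORT_LISTING with "$(semanage port -l)".

```shell
#!/bin/sh
# Added example (not from the thread): work out which "semanage port"
# invocation labels a non-standard port, starting from the output of
# "semanage port -l". PORT_LISTING is CONSTRUCTED sample output in the
# same layout semanage prints; on a real host use "$(semanage port -l)".
PORT_LISTING='SELinux Port Type               Proto    Port Number
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164'

# port_owner PROTO PORT -> prints the type that owns PORT/PROTO, or nothing.
# Handles the comma-separated lists and low-high ranges semanage prints.
port_owner() {
    proto=$1 port=$2
    printf '%s\n' "$PORT_LISTING" | awk -v proto="$proto" -v port="$port" '
        NR == 1 { next }              # skip the column header
        $2 != proto { next }          # only rows for the requested protocol
        {
            type = $1
            # fields 3..NF hold the port list, items may end in a comma
            for (i = 3; i <= NF; i++) {
                item = $i; sub(/,$/, "", item)
                if (index(item, "-")) {
                    split(item, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print type; exit }
                } else if (item + 0 == port + 0) { print type; exit }
            }
        }'
}

# semanage_port_cmd TYPE PROTO PORT -> prints the command to run, or a note
# that nothing is needed. "-a" adds a mapping for an unlabeled port; "-m"
# changes the mapping of a port another type already owns.
semanage_port_cmd() {
    want=$1 proto=$2 port=$3
    owner=$(port_owner "$proto" "$port")
    if [ -z "$owner" ]; then
        echo "semanage port -a -t $want -p $proto $port"
    elif [ "$owner" = "$want" ]; then
        echo "already labeled $want: nothing to do"
    else
        echo "semanage port -m -t $want -p $proto $port   # currently $owner"
    fi
}

# Usage with the constructed listing: sshd moved to tcp/11000, syslog-ng on
# a port http_port_t already claims, and the stock ssh port for comparison.
semanage_port_cmd ssh_port_t tcp 11000
semanage_port_cmd syslogd_port_t tcp 8443
semanage_port_cmd ssh_port_t tcp 22
```

After changing a port label, the denial disappears only for the daemon's own domain; a "denied { name_bind }" that persists after "semanage port -a" usually means the daemon binds a different port or protocol than the one labeled, which "ss -lntp" alongside "semanage port -l" will show.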