SELinux and Shorewall with IPSets

Mr Dash Four mr.dash.four at googlemail.com
Mon Jun 28 23:42:56 UTC 2010


>> I did and everything works to absolute perfection!
>>
>> I couldn't help but try it myself. Both "semodule -i" and "restorecon 
>> -rivvF /" (this is what I executed to relabel the whole file system - is 
>> that right?) ran without any difficulties and did the job as expected. 
>> When I later on mounted the image and logged in using qemu everything 
>> was there as expected (semodule -lv shows the newly installed module and 
>> I also ran cross checks on the SELinux file attributes to see whether 
>> they were changed with "ls -Z" and they have).
>>     
>
> sudo restorecon -R -v should usually suffice.
> The -F (force) option is to force customizable types to be reset.
> Customizable types are types defined to not relabel by default
>   
Noted, thanks.

>> There is a slight drawback to all of this though - for some (well, most 
>> really) processes I use non-standard ports (another security measure I 
>> have taken onboard and implemented). sshd for example is not listening 
>> on the 'standard' port (tcp/22), but on a different one and this causes 
>> SELinux to issue "denied { name_bind }" alert. Also, my syslog-ng is
>>     
>
>
> For example if ssh binds tcp sockets to port 11000:
>
> sudo semanage port -a -t ssh_port_t -p tcp 11000
>   
Is this type "ssh_port_t" something which is already registered (as 
part of the targeted policy perhaps?) and I am just modifying it, or is 
this not the case?

>> using a directory, which maps to a non-standard directory (through 
>> symbolic link - /var/log is a symbolic link to a different/secure 
>> partition of the disk) and that also causes "denied { read }" with 
>> "tclass=lnk_file" alert.
>>     
>
> This will require a patch (need more info : avc denials of this event)
>   
I will post it separately as when I run the image with qemu cutting and 
pasting is not as straightforward.

>> What documentation source would you recommend for this kind of job? As 
>> all alterations will be done through the kickstart file I am going to 
>> use command line tools only - no GUI!
>>     
>
> www.selinuxbyexample.com
>
> But the best doc, up to date and all, is the source policy. Writing policy
> isn't so hard, but there's a lot of it usually, and if you focus on the
> amount of rules then it's easy to think that stuff is complex.
</gre_replace>
<gr_replace lines="64" cat="clarify" orig="> permissions, permission sets">
> permissions, permission sets, and a few more of those things. You can
>
> If you take away all the types, then it boils down to the core, which
> are type statements, classes, attributes, types, interfaces, templates,
> permissions, permission sets, and a few mpre of those things. You can
> learn all about those by just studying the source policy.
> www.selinuxproject.org also has some nice docs.
>   
Noted, many thanks!

I am really liking this - today tried to execute "semodule -lv > 
loaded_modules.txt" (as root and pwd -> /root) and instantly got an 
alert - semodule was prevented from creating that file! Lovely stuff!
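The "semanage port" step quoted above, worked through as an added example that is not from either poster: it reads a "semanage port -l" style listing (the one embedded here is constructed to resemble a targeted policy, not taken from a real system), reports which type currently covers a port, and picks "-a" versus "-m" the way semanage itself decides, since "-a" is refused with "already defined" when a single-port entry for that port already exists.

```shell
#!/bin/sh
# Added example (not from the thread): work out, from "semanage port -l"
# output, which SELinux type currently covers a port and whether "semanage
# port -a" (add) or "-m" (modify) is the right call for relabelling it.
# PORT_LIST is CONSTRUCTED to resemble a targeted-policy listing; on a real
# system replace it with the output of: semanage port -l
PORT_LIST='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514
unreserved_port_t              tcp      1024-32767, 61001-65535'

# port_type PROTO PORT [exact]: print the type whose entry covers PROTO/PORT
# (single ports and ranges). With a third argument only single-port entries
# count, which mirrors the check semanage makes before refusing "-a" with
# "Port ... already defined".
port_type() {
    printf '%s\n' "$PORT_LIST" | awk -v proto="$1" -v port="$2" -v exact="$3" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)           # strip list separator
                if (p ~ /-/) {                     # a range such as 1024-32767
                    if (exact != "") continue
                    split(p, r, "-"); lo = r[1]; hi = r[2]
                } else lo = hi = p
                if (port+0 >= lo+0 && port+0 <= hi+0) { print $1; exit }
            }
        }'
}

# semanage_port_cmd TYPE PROTO PORT: print the invocation that will succeed,
# or a comment when the port already carries TYPE.
semanage_port_cmd() {
    type=$1; proto=$2; port=$3
    exact=$(port_type "$proto" "$port" exact)
    cur=$(port_type "$proto" "$port")
    if [ "$exact" = "$type" ]; then
        echo "# $proto/$port already labelled $type: nothing to do"
    elif [ -n "$exact" ]; then
        echo "semanage port -m -t $type -p $proto $port  # replaces $exact"
    else
        echo "semanage port -a -t $type -p $proto $port${cur:+  # currently $cur}"
    fi
}

# The case from the thread: sshd listening on tcp/11000 instead of tcp/22.
semanage_port_cmd ssh_port_t tcp 11000
semanage_port_cmd ssh_port_t tcp 22
```

After the change, "semanage port -l | grep ssh_port_t" should list both 22 and 11000, and the name_bind denial for sshd disappears without touching the policy module itself.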
