SELinux and Shorewall with IPSets

Dominick Grift domg472 at gmail.com
Tue Jun 29 08:41:05 UTC 2010


On 06/29/2010 01:42 AM, Mr Dash Four wrote:
> 
>>> I did and everything works to absolute perfection!
>>>
>>> I couldn't help but try it myself. Both "semodule -i" and "restorecon 
>>> -rivvF /" (this is what I executed to relabel the whole file system - is 
>>> that right?) ran without any difficulties and did the job as expected. 
>>> When I later on mounted the image and logged in using qemu everything 
>>> was there as expected (semodule -lv shows the newly installed module and 
>>> I also ran cross checks on the SELinux file attributes to see whether 
>>> they were changed with "ls -Z" and they have).
>>>     
>>
>> sudo restorecon -R -v should usually suffice.
>> The -F (force) option is to force customizable types to be reset.
>> Customizable types are types defined to not relabel by default
>>   
> Noted, thanks.
> 
>>> There is a slight drawback to all of this though - for some (well, most 
>>> really) processes I use non-standard ports (another security measure I 
>>> have taken onboard and implemented). sshd for example is not listening 
>>> on the 'standard' port (tcp/22), but on a different one and this causes 
>>> SELinux to issue "denied { name_bind }" alert. Also, my syslog-ng is
>>>     
>>
>>
>> For example if ssh bind tcp sockets to port 11000:
>>
>> sudo semanage port -a -t ssh_port_t -p tcp 11000
>>   
> Is this type "ssh_port_t" something, which is already registered (as 
> part of the targeted policy perhaps?) and I am just modifying it or is 
> this not the case?
> 

Yes, ssh_port_t is the ssh port type. tcp:22 is labelled with type
ssh_port_t, we just label tcp:11000 ssh_port_t so that ssh can bind tcp
sockets to that port as well.

>>> using a directory, which maps to a non-standard directory (through 
>>> symbolic link - /var/log is a symbolic link to a different/secure 
>>> partition of the disk) and that also causes "denied { read }" with 
>>> "tclass=lnk_file" alert.
>>>     
>>
>> This will require a patch (need more info : avc denials of this event)
>>   
> I will post it separately as when I run the image with qemu cutting and 
> pasting is not as straightforward.
> 
>>> What documentation source would you recommend for this kind of job? As 
>>> all alterations will be done through the kickstart file I am going to 
>>> use command line tools only - no GUI!
>>>     
>>
>> www.selinuxbyexample.com
>>
>> But the best doc, up to date and all, is the source policy. Writing policy
>> isn't so hard but there's a lot of it usually. And if you focus on the
>> amount of rules then it's easy to think that stuff is complex.
>>
>> If you take away all the types, then it boils down to the core, which
>> are type statements, classes, attributes, types, interfaces, templates,
>> permissions, permission sets, and a few more of those things. You can
>> learn all about those by just studying the source policy.
>> www.selinuxproject.org also has some nice docs.
>>   
> Noted, many thanks!
> 
> I am really liking this - today tried to execute "semodule -lv > 
> loaded_modules.txt" (as root and pwd -> /root) and instantly got an 
> alert - semodule was prevented from creating that file! Lovely stuff!

Exactly my thought.

> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
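The port labelling step discussed above (semanage port -a -t ssh_port_t -p tcp 11000), as an added shell example that is not part of this thread: `semanage port -a` fails with "already defined" when the port is already labelled, so the helper below inspects `semanage port -l` output and picks `-a`, `-m` or nothing. The list output is a constructed sample, and port_action/port_cmd are names assumed for this example.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from a real host).
SAMPLE_LIST='SELinux Port Type              Proto    Port Number
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
'

# Usage: port_action TYPE PROTO PORT [LIST]
# Prints "add" (port not in policy -> semanage port -a), "modify" (port already
# carries another type -> semanage port -m, since -a would fail) or "noop".
port_action() {
  type="$1"; proto="$2"; port="$3"; list="${4:-$SAMPLE_LIST}"
  printf '%s\n' "$list" | awk -v want="$type" -v proto="$proto" -v port="$port" '
    $2 == proto {
      t = $1
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p)            # strip the trailing comma
        if (index(p, "-")) {                # "low-high" range entry
          split(p, r, "-")
          hit = (port+0 >= r[1]+0 && port+0 <= r[2]+0)
        } else {
          hit = (p+0 == port+0)
        }
        if (hit) found = t
      }
    }
    END {
      if (found == "") print "add"
      else if (found == want) print "noop"
      else print "modify"
    }'
}

# Build the semanage command an admin would run (printed, not executed here).
port_cmd() {
  case "$(port_action "$1" "$2" "$3" "$4")" in
    add)    echo "semanage port -a -t $1 -p $2 $3" ;;
    modify) echo "semanage port -m -t $1 -p $2 $3" ;;
    noop)   echo "# $2/$3 is already labelled $1" ;;
  esac
}
```

On a real host replace the sample with `semanage port -l` output, e.g. `port_cmd ssh_port_t tcp 11000 "$(semanage port -l)"`.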

