SELinux and Shorewall with IPSets
Mr Dash Four
mr.dash.four at googlemail.com
Wed Jun 30 16:35:23 UTC 2010
>> Well, I do not wish to keep the tcp/22 as part of the policy (if left,
>> it creates a loophole!). I tried "semanage port -m -t ssh_port_t -p tcp
>> 222" (to modify it), but got "/usr/sbin/semanage: Port tcp/222 is not
>> defined". I then added tcp/222 as you suggested and then tried to
>> execute "semanage port -d -t ssh_port_t -p tcp 22" to remove the tcp/22
>> part, but got this: "/usr/sbin/semanage: Port tcp/22 is defined in
>> policy, cannot be deleted". What does that mean exactly?
>>
>
> It means that the corenetwork module (which is compiled into the base
> module) has a port object context specification for type ssh_port_t --
> tcp:22
>
> So you would have edit that in the main selinux-policy package.
>
How do I do that? I looked at /usr/share/selinux/targeted, but could not
see anything, which could be edited.
>> type=1400 audit(1277908958.656.4): avc: denied { read } for pid=906
>> comm="rsyslogd" name="log" dev=dm-0 ino=16386
>> scontext=system_u:system_r:syslogd_t:s0
>> tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
>>
>> There is a similar one with "mingetty" as well, but
>> scontext=system_u:system_r:getty_t:s0
>>
>
> This symlink is mislabeled. What/who created it? if you , yourself
> created it, then you may be able to make things work by labeling the
> symlink type bin_t or type var_log_t, provided that the source of the
> interaction (in this case syslogd_t and getty_t) have access to the
> target of the symlink.
>
I did create it - it was done during the image build (it is empty, but
it links to a separate/secure partition on the target machine).
Relabelling worked though, I had to link the actual partition in order
to make it work!
More information about the selinux
mailing list