HOWTO Logging tcp binding on permissive mode

François Chenais francois.chenais at gmail.com
Tue Jan 25 12:03:34 UTC 2011


2011/1/24 François Chenais <francois.chenais at gmail.com>

>
>
> 2011/1/24 Dominick Grift <domg472 at gmail.com>
>
> On Mon, Jan 24, 2011 at 09:49:01AM +0100, François Chenais wrote:
>> > Hello,
>> >
>> >
>> > I would like to log process binding on tcp ports > 1023.
>>
>> something like this may work:
>>
>> mkdir mytest; cd mytest; echo "policy_module(mytest, 1.0.0) gen_require(\`
>> attribute domain, userdomain, port_type; ') auditallow { userdomain domain }
>> port_type:tcp_socket name_bind;" > mytest.te; make -f
>> /usr/share/selinux/devel/Makefile mytest.pp; sudo semodule -i mytest.pp
>>
>> Then any attempts to bind tcp_sockets to port_type ports by domain as well
>> as userdomain will be logged in /var/log/audit/audit.log.
>>
>> Coool ! Thanks a lot, I'm trying it now ...
>
>
>

It works fine.


I've modified your example to allow selecting a list of ports ::

 $ cat mytest.te
 policy_module(mytest, 1.0.0)

 gen_require(`
     attribute domain, userdomain, port_type;
 ')

 # Type that will label the ports we want to watch (assigned with semanage below).
 # corenet_port() gives it the port_type attribute, so it is a proper port label.
 type mytest_t;
 corenet_port(mytest_t)

 # Log (rather than deny) every tcp bind by a domain to a port labelled mytest_t.
 auditallow { userdomain domain } mytest_t:tcp_socket name_bind;



Then run ::

    $ semanage port -a -t mytest_t -p tcp 1234


Thank you very much!




>> You may, or may not, be able to do similar things by using the audit suite
>> instead (man auditctl)
>>
>>
> Yes but I can't find how to restrict the audit on a specific port number :/
>
>
>    auditctl -d exit,always   -S bind  -k BIND
>
>
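The auditallow rule in the module above writes "granted { name_bind }" AVC records to /var/log/audit/audit.log; as an added example that is not from this thread, here is a small Python filter that pulls those records out and narrows them to chosen port numbers or SELinux port types, which is the per-port selection auditctl does not offer. The sample records are constructed, and assume port 1234 was labelled mytest_t as shown; the record layout follows the kernel's AVC format.

```python
import re
from collections import Counter

# Constructed sample audit.log records (not real captures), in the shape auditallow
# writes: "granted" rather than "denied". Port 1234 is assumed to carry mytest_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1295956800.101:201): avc:  granted  { name_bind } for  pid=2101 comm="nc" src=1234 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mytest_t:s0 tclass=tcp_socket
type=AVC msg=audit(1295956801.102:202): avc:  granted  { name_bind } for  pid=2102 comm="python" src=8080 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1295956802.103:203): avc:  denied  { name_bind } for  pid=2103 comm="nc" src=80 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1295956802.103:203): arch=c000003e syscall=49 success=no exit=-13
type=AVC msg=audit(1295956803.104:204): avc:  granted  { name_bind } for  pid=2104 comm="sshd" src=1234 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mytest_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<result>granted|denied)\s+'
    r'\{ (?P<perms>[^}]*)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)" src=(?P<src>\d+) '
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Fields of one AVC socket record as a dict, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["port"] = int(rec.pop("src"))
    rec["perms"] = rec["perms"].split()
    rec["domain"] = rec["scontext"].split(":")[2]      # user:role:TYPE:...
    rec["port_type"] = rec["tcontext"].split(":")[2]   # system_u:object_r:TYPE:s0
    return rec


def name_bind_events(log_text, ports=None, port_types=None, result="granted"):
    """Select tcp_socket name_bind records, optionally narrowed to port numbers and/or port types."""
    events = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["tclass"] != "tcp_socket" or "name_bind" not in rec["perms"]:
            continue
        if (rec["result"] != result or (ports is not None and rec["port"] not in ports)
                or (port_types is not None and rec["port_type"] not in port_types)):
            continue
        events.append(rec)
    return events


def bind_summary(events):
    """Count (domain, comm, port) triples: who bound what, as a reviewer reads the log."""
    return Counter((e["domain"], e["comm"], e["port"]) for e in events)
```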