Proprietary telnet daemon fails login when SELinux is enabled

Tristan Santore tristan.santore at internexusconnect.net
Thu Jul 26 14:34:22 UTC 2012


On 26/07/12 14:52, Ted Toth wrote:
> You could try using the existing telnet policy in ref policy by chconing
> your executable to telnetd_exec_t. However depending on what your
> custom telnet daemon does you may still get AVCs.
> 
> Ted
> 
> On Thu, Jul 26, 2012 at 8:10 AM, Dave Stoner
> <dave.stoner at northgate-is.com> wrote:
>> I apologise in advance for asking questions which I feel I should have been
>> able to answer from sources on the internet. If you could possibly give me
>> some pointers on where to look it would be so much appreciated.
>>
>> My system is centos 6.2 –
>>
>> Linux MyHostName 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT 2011 x86_64 x86_64 x86_64 GNU/Linux
>>
>> SELinux mode is set ‘enforced’.
>>
>> I have a proprietary telnet daemon which, upon a telnet to port 52000, is
>> started OK when SELinux is disabled. But when it is enabled the same telnet
>> results in /var/log/audit/audit.log showing:
>>
>> type=USER_LOGIN msg=audit(1343048458.345:69): user pid=2536 uid=0 auid=799
>> ses=7 subj=system_u:system_r:inetd_t:s0-s0:c0.c1023 msg='op=login id=799
>> exe="/bin/login" hostname=0.0.0.0 addr=0.0.0.0 terminal=pts/2 res=success'
>>
>> A normal telnet gives a message similar to the above; my telnet adds the
>> following:
>>
>> type=AVC msg=audit(1343048458.353:70): avc:  denied  { entrypoint } for
>> pid=2543 comm="login" path="/bin/bash" dev=sda2 ino=135083
>> scontext=unconfined_u:system_r:qmail_tcp_env_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>>
>> I believe I can create a policy to overcome this using audit2allow, i.e. it
>> comes up with:
>>
>> module mypola 1.0;
>>
>> require {
>>         type qmail_tcp_env_t;
>>         type shell_exec_t;
>>         class file entrypoint;
>> }
>>
>> #============= qmail_tcp_env_t ==============
>> allow qmail_tcp_env_t shell_exec_t:file entrypoint;
>>
>> But it seems to me what I ought to be doing is somehow to get my daemon to
>> run with a domain of ‘remote_login_t’ as is used by the standard telnet
>> daemon, as here:
>>
>> type=USER_LOGIN msg=audit(1343058924.928:212): user pid=3759 uid=0 auid=799
>> ses=29 subj=system_u:system_r:remote_login_t:s0-s0:c0.c1023 msg='op=login
>> id=799 exe="/bin/login" hostname=localhost addr=::1 terminal=pts/2 res=success'
>>
>> This is unfamiliar territory and any hints or pointers would really be
>> appreciated.
>>
>> Dave.
>>
>> Dave Stoner
>> Principal Systems Architect
>> Northgate Reality
>>
>> Direct:    +44 (0)1442 272071 - VPN: 872 2071
>>
>> www.northgate-is.com/reality
>>
>>
>>
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
Maybe this will help you as a starting guide.

http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html

http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/index.html

There are details there on how to obtain denials and make a custom policy.


Regards,
Tristan


-- 
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore at fedoraproject.org
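Added example, not code from the thread, the Fedora docs or the list: a POSIX shell script that takes an AVC denial line like the one in Dave's report, reconstructs the TE rule audit2allow would generate from it, and then classifies the denial. An `entrypoint` denial on a `file` means the process is already in the wrong domain (here qmail_tcp_env_t running /bin/login), so the script reports "relabel" and prints the persistent relabel steps Ted's advice implies (semanage fcontext + restorecon to telnetd_exec_t) instead of the allow rule. Assumptions: the daemon is launched from inetd_t as the USER_LOGIN record shows, telnetd_exec_t is the intended label per Ted's suggestion, `sesearch` from setools is installed for the transition check, and `/path/to/daemon` is a placeholder because the thread never gives the binary's path. The sample AVC line is the report's, re-joined onto one line; the commands in the plan are printed, not executed.

```shell
#!/bin/sh
# avc_triage.sh: added example, not from the thread.
# Parses one AVC denial, rebuilds the audit2allow-style TE rule for review,
# and flags "entrypoint" denials as a labeling problem rather than a
# missing allow rule.

# Constructed sample: the denial from the report, re-joined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1343048458.353:70): avc:  denied  { entrypoint } for pid=2543 comm="login" path="/bin/bash" dev=sda2 ino=135083 scontext=unconfined_u:system_r:qmail_tcp_env_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file'

# avc_field LINE KEY: value of the KEY=value token, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -F= -v k="$2" '$1 == k { v = $2; gsub(/"/, "", v); print v; exit }'
}

# avc_perms LINE: the permissions inside "{ ... }", space separated.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type, i.e. the third colon-separated component.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# te_rule LINE: the require/allow block audit2allow builds from one denial.
# Single permissions are written bare, several are braced, as audit2allow does.
te_rule() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    case $perms in
        *' '*) perms="{ $perms }" ;;
    esac
    printf 'require {\n\ttype %s;\n\ttype %s;\n\tclass %s %s;\n}\n\n' "$src" "$tgt" "$cls" "$perms"
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_remedy LINE: "relabel" for an entrypoint denial on a file (the source
# domain is executing a program it was never meant to run in, so the
# executable that led into that domain is mislabeled); "review" otherwise.
avc_remedy() {
    cls=$(avc_field "$1" tclass)
    case " $(avc_perms "$1") " in
        *' entrypoint '*) [ "$cls" = file ] && { echo relabel; return 0; } ;;
    esac
    echo review
}

# relabel_plan EXEC_TYPE DAEMON_PATH: print the persistent relabel steps.
# Assumes inetd_t launches the daemon and that setools' sesearch is present.
relabel_plan() {
    cat <<EOF
# 1. Confirm inetd_t has a domain transition on $1 before relabeling:
sesearch -T -s inetd_t -t $1 -c process
# 2. Record the label so restorecon/relabel keep it (chcon alone is lost):
semanage fcontext -a -t $1 '$2'
restorecon -v '$2'
# 3. Retest the telnet login and re-read /var/log/audit/audit.log.
EOF
}

echo "== rule audit2allow would generate (for review only) =="
te_rule "$SAMPLE_AVC"
echo "== classification: $(avc_remedy "$SAMPLE_AVC") =="
if [ "$(avc_remedy "$SAMPLE_AVC")" = relabel ]; then
    relabel_plan telnetd_exec_t /path/to/daemon   # placeholder path
fi
```

Run it as `sh avc_triage.sh`; to triage a live system, feed it lines from `ausearch -m avc -ts recent` instead of the embedded sample. The point of the classification step is that the generated allow rule would let anything running as qmail_tcp_env_t enter /bin/bash as its own domain, whereas the relabel keeps the daemon inside the telnet policy the distribution already ships.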

