Fwd: Proprietary telnet daemon fails login when SELinux is enabled

Maurizio D'Antonio maurizio.dantonio at gmail.com
Thu Jul 26 18:21:06 UTC 2012


Hi, Dave
If I understand your problem, you need to add port 52000 to the
ports.local file so that it inherits the correct SELinux context.

The command is:

root@localhost # semanage port -a -t telnetd_port_t -p tcp 52000

and you probably need to enable the appropriate boolean because you have
a denied { entrypoint } for the qmail_t domain.

Try


>>> Maurizio D'Antonio
___________________________________________
H A R D E N I X™ - (Secure by Default)
Mobile: +39 331 4440754
FAX:    +39 08621960432
Web:    www.kernelz.org  |  www.bylinux.org


> 2012/7/26 Dave Stoner <dave.stoner at northgate-is.com>:
> I apologise in advance for asking questions which I feel I should have been
> able to answer from sources on the internet. If you could possibly give me
> some pointers on where to look it would be so much appreciated.
>
> My system is centos 6.2 –
>
> Linux MyHostName 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT 2011 x86_64 x86_64 x86_64 GNU/Linux
>
> SELinux mode is set ‘enforced’.
>
> I have a proprietary telnet daemon which upon a telnet to port 52000, is
> started OK when SELinux is disabled. But when it is enabled the same telnet
> results in /var/log/audit/audit.log showing:
>
> type=USER_LOGIN msg=audit(1343048458.345:69): user pid=2536 uid=0 auid=799
> ses=7 subj=system_u:system_r:inetd_t:s0-s0:c0.c1023 msg='op=login id=799
> exe="/bin/login" hostname=0.0.0.0 addr=0.0.0.0 terminal=pts/2 res=success'
>
> A normal telnet gives a message similar to above, my telnet adds the
> following:
>
> type=AVC msg=audit(1343048458.353:70): avc:  denied  { entrypoint } for
> pid=2543 comm="login" path="/bin/bash" dev=sda2 ino=135083
> scontext=unconfined_u:system_r:qmail_tcp_env_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>
> I believe I can create a policy to overcome this using audit2allow, i.e. it
> comes up with:
>
> module mypola 1.0;
>
> require {
>         type qmail_tcp_env_t;
>         type shell_exec_t;
>         class file entrypoint;
> }
>
> #============= qmail_tcp_env_t ==============
> allow qmail_tcp_env_t shell_exec_t:file entrypoint;
>
> But it seems to me what I ought to be doing is somehow to get my daemon to
> run with a domain of ‘remote_login_t’ as is used by the standard telnet
> daemon, as here:
>
> type=USER_LOGIN msg=audit(1343058924.928:212): user pid=3759 uid=0 auid=799
> ses=29 subj=system_u:system_r:remote_login_t:s0-s0:c0.c1023 msg='op=login
> id=799 exe="/bin/login" hostname=localhost addr=::1 terminal=pts/2 res=success'
>
> This is unfamiliar territory and any hints or pointers would really be
> appreciated.
>
> Dave.
>
> Dave Stoner
>
> Principal Systems Architect
> Northgate Reality
>
> Direct:    +44 (0)1442 272071 - VPN: 872 2071
>
> www.northgate-is.com/reality
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
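The denial Dave posted, triaged by a short script. This is an added example, not code from the thread or from either poster. The audit records embedded in it are the three Dave quoted, re-joined where his mail client wrapped them, and every function name is this example's own. The expected login domain, remote_login_t, is taken from Dave's comparison with the stock telnet daemon; the script checks whether the entrypoint denial names a different domain and, if so, reports the audit2allow rule as one that would hide the symptom rather than fix it.

```python
"""Triage SELinux AVC denials of the kind shown in this thread.

Added example, not code from the thread or from either poster. The audit
records in SAMPLE_AUDIT_LOG are the three Dave quoted, re-joined where his
mail client wrapped them; the function names are this example's own.
"""
import re
from typing import Dict, List, Optional

SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1343048458.345:69): user pid=2536 uid=0 auid=799 ses=7 subj=system_u:system_r:inetd_t:s0-s0:c0.c1023 msg='op=login id=799 exe="/bin/login" hostname=0.0.0.0 addr=0.0.0.0 terminal=pts/2 res=success'
type=AVC msg=audit(1343048458.353:70): avc:  denied  { entrypoint } for pid=2543 comm="login" path="/bin/bash" dev=sda2 ino=135083 scontext=unconfined_u:system_r:qmail_tcp_env_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=USER_LOGIN msg=audit(1343058924.928:212): user pid=3759 uid=0 auid=799 ses=29 subj=system_u:system_r:remote_login_t:s0-s0:c0.c1023 msg='op=login id=799 exe="/bin/login" hostname=localhost addr=::1 terminal=pts/2 res=success'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
SUBJ_RE = re.compile(r"^type=USER_LOGIN\b.*\bsubj=(?P<subj>\S+)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context: str) -> str:
    """user:role:type[:range] -> type (the part policy rules refer to)."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Dict]:
    """Parse one type=AVC record; None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "path": fields.get("path"),
    }


def audit2allow_rule(avc: Dict) -> str:
    """The allow rule audit2allow would emit for this single denial."""
    return "allow {} {}:{} {};".format(
        avc["source_type"], avc["target_type"], avc["tclass"], " ".join(avc["perms"])
    )


def login_domains(audit_log: str) -> List[str]:
    """Subject domain of each USER_LOGIN record, in log order."""
    domains = []
    for line in audit_log.splitlines():
        m = SUBJ_RE.search(line)
        if m:
            domains.append(selinux_type(m.group("subj")))
    return domains


def classify(avc: Dict, expected_domain: str = "remote_login_t") -> str:
    """Decide whether an allow rule would be a fix or a cover-up.

    The kernel checks 'entrypoint' with the domain being *entered* as the
    source, so scontext is where login was about to run the user's shell.
    expected_domain defaults to the one Dave observed for the stock telnetd.
    """
    if "entrypoint" not in avc["perms"] or avc["tclass"] != "file":
        return "other"
    if avc["source_type"] != expected_domain:
        # The shell was headed into the wrong domain: fix the labels or the
        # transition that got it there; do not teach that domain to run bash.
        return "wrong-domain"
    return "missing-entrypoint"


def triage(audit_log: str) -> List[Dict]:
    """One entry per AVC record: parsed fields, verdict and the would-be rule."""
    results = []
    for line in audit_log.splitlines():
        avc = parse_avc(line)
        if avc is not None:
            results.append({"avc": avc, "verdict": classify(avc),
                            "audit2allow": audit2allow_rule(avc)})
    return results


if __name__ == "__main__":
    print("login domains seen:", login_domains(SAMPLE_AUDIT_LOG))
    for r in triage(SAMPLE_AUDIT_LOG):
        a = r["avc"]
        print("{} tried to enter {} via {}: {} (would-be rule: {})".format(
            a["comm"], a["source_type"], a["path"], r["verdict"], r["audit2allow"]))
```

The script only reads the log; any labelling change, such as the semanage port command in the reply above, still has to be made on the host and checked by reproducing the login and confirming that the USER_LOGIN subject now shows the intended domain rather than inetd_t.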

