Hi,
I am writing a testcase that uses netcat (nc) as part of my cipso testing. I ran into a slight problem when in Enforcing mode. user_r, sysadm_r, or secadm_r can't execute nc ... below are the AVC records I was seeing and the policy I used to fix it.

Note: This is when running in Enforcing mode, drop 1207 with lspp.58 kernel
and policy version 2.4.6-12.el5

Shouldn't at least one of them be able to execute nc?

type=AVC msg=audit(1166479344.923:3782): avc: denied { name_bind } for pid=31873 comm="nc" src=3333 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1166479424.896:3788): avc: denied { node_bind } for pid=31907 comm="nc" src=3333 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket

type=AVC msg=audit(1166138167.737:18159): avc: denied { name_bind } for pid=4305 comm="nc" src=3333 scontext=user_u:user_r:user_t:s2:c2 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket


policy to fix it ...

policy_module(mypol,1.0.0)

########################################
#
# Declarations
#

gen_require(`
        type secadm_t, sysadm_t, user_t, port_t;
        type inaddr_any_node_t;
')
allow user_t port_t:tcp_socket name_bind;
allow secadm_t port_t:tcp_socket name_bind;
allow sysadm_t inaddr_any_node_t:tcp_socket node_bind;

thanks,
- Loulwa
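As an added example (my own script, not from the post or the list), the following Python code parses AVC records like the three above into the allow rules of the module posted, merging permissions per source/target/class, and flags the grants that are broader than the single test port: the AVC lines are copied from the post, and the assumption that port_t is the label of every port without a more specific type is from the reference policy.

```python
import re

# AVC records copied verbatim from the post above (sample input).
AVC_LOG = """\
type=AVC msg=audit(1166479344.923:3782): avc: denied { name_bind } for pid=31873 comm="nc" src=3333 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1166479424.896:3788): avc: denied { node_bind } for pid=31907 comm="nc" src=3333 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1166138167.737:18159): avc: denied { name_bind } for pid=4305 comm="nc" src=3333 scontext=user_u:user_r:user_t:s2:c2 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

# Pull the denied permission set and the three context fields out of one record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    # user:role:type[:mls range] -> type (the MLS range is ignored for TE rules)
    return ctx.split(':')[2]

def parse_avc(log):
    """One (source type, target type, class, permission) tuple per denied perm."""
    denials = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group('perms').split():
            denials.append((context_type(m.group('scontext')),
                            context_type(m.group('tcontext')),
                            m.group('tclass'), perm))
    return denials

def build_rules(denials):
    """Merge permissions per (source, target, class) into TE allow rules."""
    merged = {}
    for src, tgt, cls, perm in denials:
        perms = merged.setdefault((src, tgt, cls), [])
        if perm not in perms:
            perms.append(perm)
    rules = []
    for (src, tgt, cls), perms in merged.items():
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules

def overly_broad(denials):
    """port_t covers every port with no specific label (reference-policy default),
    so name_bind on it lets the domain bind any unlabelled port, not just 3333."""
    return [d for d in denials if d[1] == 'port_t' and d[3] == 'name_bind']
```

Rules flagged by overly_broad are candidates for a dedicated port type for the test port instead of a blanket name_bind on port_t.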


--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
