[redhat-lspp] Re: Possible policy issue - nc related

Tue, 19 Dec 2006 11:17:34 -0800 

Loulwa Salem wrote:

Hi,
I am writing a testcase that uses netcat (nc) as part of my cipso testing. I ran into a slight problem when in Enforcing mode. user_r, sysadm_r, or secadm_r can't execute nc ... below are the AVC records I was seeing and the policy I used to fix it. 


Note: This is when running in Enforcing mode, drop 1207 with lspp.58 
kernel

and policy version 2.4.6-12.el5

Shouldn't at least one of them be able to execute nc?


type=AVC msg=audit(1166479344.923:3782): avc:  denied  { name_bind } 
for pid=31873 comm="nc" src=3333 
scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket



type=AVC msg=audit(1166479424.896:3788): avc:  denied  { node_bind } 
for pid=31907 comm="nc" src=3333 
scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 
tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket



type=AVC msg=audit(1166138167.737:18159): avc:  denied  { name_bind } 
for pid=4305 comm="nc" src=3333 scontext=user_u:user_r:user_t:s2:c2 
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket



policy to fix it ...

policy_module(mypol,1.0.0)

########################################
#
# Declarations
#

gen_require(`
        type secadm_t, sysadm_t, user_t, port_t;
        type inaddr_any_node_t;
')
allow user_t port_t:tcp_socket name_bind;
allow secadm_t port_t:tcp_socket name_bind;
allow sysadm_t inaddr_any_node_t:tcp_socket node_bind;

thnaks,
- Loulwa





This looks fine for a test policy.  What you have said here is to allow 
user_t and secadm_t to bind to all ports that are not labeled. 


You could have defined a port, say


gen_require(`
       type secadm_t, sysadm_t, user_t;
       type inaddr_any_node_t;
')
type test_port_t

allow user_t test_port_t:tcp_socket name_bind;
allow secadm_t test_port_t:tcp_socket name_bind;
allow sysadm_t inaddr_any_node_t:tcp_socket node_bind;


Then use semanage to assign ports to test_port_t.

semanage port -a -p tcp -t test_port_t 3333


This would give you a little tighter security and would allow you to 
test out some of the other features available with SELinux.


--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp






















					Reply via email to