Gentoo Archives: gentoo-hardened

From: julien.thomas@×××××××××××××.fr
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] SELinux - network streams
Date: Wed, 01 Aug 2007 09:56:47
Message-Id: 20070801115320.gomokzimqssogggg@webmail.enst-bretagne.fr
Hi.

Thanks for the tip with ssh. This works really well now.

Unfortunately, it is not the only error I got with SELinux.
Some files were not correctly labelled (though I don't know how many
rlpkg -ar were done ...)

For example, here is a result of audit2allow. But the most important
problem, I think, is the network errors, for example allow
kernel_t lo_node_t:node udp_recv.

For a full example, I have added the kernel messages
(/var/log/kern.log | grep portmap) produced by the portmap daemon. I
think that it's a recurrent error that is not produced by the daemon
but rather by wrong network/kernel labelling/policy.

If someone has any clue about this, I will take it as I cannot find  
any relevant information on the web.

Julien.

--- audit2allow ----
allow consoletype_t etc_t:file { getattr read };
allow dhcpc_t self:netlink_route_socket nlmsg_write;
allow dhcpc_t var_lib_t:file { getattr write };
allow dmesg_t etc_t:file { getattr read };
allow initrc_t device_t:chr_file write;
allow initrc_t inaddr_any_node_t:tcp_socket node_bind;
allow initrc_t pop_port_t:tcp_socket name_bind;
allow initrc_t unspec_node_t:tcp_socket node_bind;
allow initrc_t var_lib_t:sock_file { create rename setattr unlink };
allow insmod_t device_t:chr_file { getattr read write };
allow kernel_t lo_node_t:node udp_recv;
allow kernel_t netif_t:netif udp_recv;
allow kernel_t node_t:node udp_recv;
allow kernel_t port_t:udp_socket recv_msg;
allow kernel_t portmap_port_t:udp_socket recv_msg;
allow mount_t inaddr_any_node_t:tcp_socket node_bind;
allow mount_t inaddr_any_node_t:udp_socket node_bind;
allow mount_t self:capability net_bind_service;
allow mount_t reserved_port_t:udp_socket { name_bind recv_msg };
allow mount_t user_home_dir_t:dir mounton;
allow udev_t lib_t:file { execute execute_no_trans };

---- kern.log for portmap ----
Aug  1 11:51:50 mv2 EXT3-fs: mounted filesystem with ordered data mode.
Aug  1 11:52:19 mv2 audit(1185961939.858:23): avc:  denied  { node_bind } for  pid=4735 comm="mount" scontext=system_u:system_r:mount_t tcontext=system_u:object_r:inaddr_any_node_t tclass=tcp_socket
Aug  1 11:52:19 mv2 audit(1185961939.954:24): avc:  denied  { name_bind } for  pid=4735 comm="mount" src=671 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Aug  1 11:52:19 mv2 audit(1185961939.954:25): avc:  denied  { node_bind } for  pid=4735 comm="mount" src=671 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:inaddr_any_node_t tclass=udp_socket
Aug  1 11:52:19 mv2 audit(1185961939.958:26): avc:  denied  { net_bind_service } for  pid=4735 comm="mount" capability=10 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=capability
Aug  1 11:52:20 mv2 audit(1185961940.026:27): avc:  denied  { recv_msg } for  saddr=10.133.14.1 src=838 daddr=10.133.14.12 dest=671 netif=lanhost scontext=system_u:system_r:mount_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Aug  1 11:52:20 mv2 audit(1185961940.042:28): avc:  denied  { mounton } for  pid=4735 comm="mount" name="nfs" dev=sda3 ino=410427 scontext=system_u:system_r:mount_t tcontext=root:object_r:user_home_dir_t tclass=dir
Aug  1 11:52:20 mv2 audit(1185961940.110:29): avc:  denied  { udp_recv } for  pid=4735 comm="mount" saddr=10.133.14.1 src=2049 daddr=10.133.14.12 dest=824 netif=lanhost scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:netif_t tclass=netif
Aug  1 11:52:20 mv2 audit(1185961940.110:30): avc:  denied  { udp_recv } for  pid=4735 comm="mount" saddr=10.133.14.1 src=2049 daddr=10.133.14.12 dest=824 netif=lanhost scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:node_t tclass=node
Aug  1 11:52:20 mv2 audit(1185961940.110:31): avc:  denied  { recv_msg } for  pid=4735 comm="mount" saddr=10.133.14.1 src=2049 daddr=10.133.14.12 dest=824 netif=lanhost scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:port_t tclass=udp_socket

-- 
gentoo-hardened@g.o mailing list
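As an added example (not part of the original message or of any Gentoo tooling), the script below does by hand what the audit2allow output in the post shows: it parses AVC denial records of the kernel-audit format quoted above, aggregates the permissions per (source type, target type, object class), prints them as `allow` rules, and separates out the denials on network object classes (netif, node, tcp_socket, udp_socket) so that labelling-related denials such as the kernel_t udp_recv ones can be reviewed apart from ordinary file denials. The sample records are constructed from the lines in the post, re-joined after mail wrapping; the rule aggregation only mirrors the visible rules and is not a policy recommendation.

```python
import re
from collections import defaultdict

# Constructed sample input, taken from the AVC lines quoted in the post
# (one record per line after undoing the mail client's line wrapping).
SAMPLE_LOG = """\
Aug  1 11:51:50 mv2 EXT3-fs: mounted filesystem with ordered data mode.
Aug  1 11:52:19 mv2 audit(1185961939.858:23): avc:  denied  { node_bind } for  pid=4735 comm="mount" scontext=system_u:system_r:mount_t tcontext=system_u:object_r:inaddr_any_node_t tclass=tcp_socket
Aug  1 11:52:19 mv2 audit(1185961939.954:24): avc:  denied  { name_bind } for  pid=4735 comm="mount" src=671 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Aug  1 11:52:19 mv2 audit(1185961939.958:26): avc:  denied  { net_bind_service } for  pid=4735 comm="mount" capability=10 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=capability
Aug  1 11:52:20 mv2 audit(1185961940.026:27): avc:  denied  { recv_msg } for  saddr=10.133.14.1 src=838 daddr=10.133.14.12 dest=671 netif=lanhost scontext=system_u:system_r:mount_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Aug  1 11:52:20 mv2 audit(1185961940.042:28): avc:  denied  { mounton } for  pid=4735 comm="mount" name="nfs" dev=sda3 ino=410427 scontext=system_u:system_r:mount_t tcontext=root:object_r:user_home_dir_t tclass=dir
Aug  1 11:52:20 mv2 audit(1185961940.110:29): avc:  denied  { udp_recv } for  pid=4735 comm="mount" saddr=10.133.14.1 src=2049 daddr=10.133.14.12 dest=824 netif=lanhost scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:netif_t tclass=netif
Aug  1 11:52:20 mv2 audit(1185961940.110:30): avc:  denied  { udp_recv } for  pid=4735 comm="mount" saddr=10.133.14.1 src=2049 daddr=10.133.14.12 dest=824 netif=lanhost scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:node_t tclass=node
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." -> permissions + key/value tail
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values may be quoted (comm="mount") or bare (pid=4735)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes whose denials point at network/interface labelling rather than files
NETWORK_CLASSES = {"netif", "node", "tcp_socket", "udp_socket", "packet"}


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None  # malformed or truncated record: skip rather than guess
    return {"perms": set(m.group("perms").split()), **fields}


def type_of(context):
    """Extract the type field from a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(text):
    """Aggregate denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key] |= rec["perms"]
    return dict(rules)


def format_rule(key, perms):
    """Render one aggregated entry in the allow-rule syntax audit2allow prints."""
    src, tgt, cls = key
    target = "self" if src == tgt else tgt  # same type on both sides prints as self
    p = sorted(perms)
    perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {src} {target}:{cls} {perm_text};"


def network_rules(rules):
    """Keep only the entries on network object classes, for separate review."""
    return {k: v for k, v in rules.items() if k[2] in NETWORK_CLASSES}


if __name__ == "__main__":
    rules = summarize(SAMPLE_LOG)
    print("--- all denials ---")
    for key in sorted(rules):
        print(format_rule(key, rules[key]))
    print("--- network-class denials (check labelling before allowing) ---")
    for key in sorted(network_rules(rules)):
        print(format_rule(key, rules[key]))
```

Reading the second list separately is the point: a denial whose source is kernel_t on a netif or node object says nothing about the mount process itself, and grouping those apart makes it easier to check how interfaces and nodes are labelled before anything is added to policy.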

Replies

Subject Author
Re: [gentoo-hardened] SELinux - network streams Chris PeBenito <pebenito@g.o>