In fact, I think that there is no problem with portmap as I got

mv1 sbin # ls -lZ port*
-rwxr-xr-x root root system_u:object_r:portmap_exec_t portmap

However, other binaries such as rpc.* or other are labelled as bin_t
which is not correct, I think.

But as I work with managed SELinux (2006+), I do not have the src
directories and thus policy/ subdirectories ... So I'm quite blocked
here:
my filesystem is not correctly labelled and I cannot find which labels
I should have!

Is there a way to get this information?

Chris PeBenito <pebenito@g.o> wrote:

> On Wed, 2007-08-01 at 11:53 +0200, julien.thomas@×××××××××××××.fr wrote:
>> Thanks for the tip with ssh. This works really well now.
>>
>> Unfortunately, it is not the only error I got with SELinux.
>> Some files were not correctly labelled (though I don't know how many
>> rlpkg -ar were done ...)
>>
>> For example here is a result of audit2allow. But the most important
>> problem, I think, is the networks error with for example allow
>> kernel_t lo_node_t:node udp_recv.
>>
>> For a full example, I have added the kernel messages
>> (/var/log/kern.log | grep portmap) produced by the portmap daemon. I
>> think that it's a recurrent error that is not produced by the daemon
>> but more by a network/kernel wrong labelling/policy.
>>
>> If someone has any clue about this, I will take it as I cannot find
>> any relevant information on the web.
>
> At a minimum, the portmap service is running in the wrong domain:
>
>> allow initrc_t inaddr_any_node_t:tcp_socket node_bind;
>> allow initrc_t pop_port_t:tcp_socket name_bind;
>> allow initrc_t unspec_node_t:tcp_socket node_bind;
>> allow initrc_t var_lib_t:sock_file { create rename setattr unlink };
>
> --
> Chris PeBenito
> <pebenito@g.o>
> Developer,
> Hardened Gentoo Linux
>
> Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
> Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
>


--
gentoo-hardened@g.o mailing list
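As an added example (not code from this thread, from Gentoo or from the SELinux tools): a small POSIX shell script for the two checks the thread raises. It flags initrc_t port binds in audit2allow output, the symptom Chris points at, and compares a file's current label with the label the loaded policy assigns to that path, which is how to recover "which labels I should have" without the policy source tree. matchpathcon(1), GNU stat and the sample rules are assumptions; the sample is constructed from the quoted rules plus one healthy control rule.

```sh
#!/bin/sh
# Added example, not from the thread. matchpathcon(1) from libselinux and
# GNU stat are assumed for the live check; parsing and comparison run anywhere.

# untransitioned_binds: read audit2allow-style rules on stdin and print
# "SOURCE_DOMAIN PORT_TYPE" for each rule where initrc_t itself does name_bind
# on a socket. A daemon started by an init script should have transitioned
# into its own domain (portmap_t for portmap); initrc_t binding a port points
# at a mislabelled executable or a missing transition, not at a policy gap.
untransitioned_binds() {
    awk '
        $1 == "allow" && $2 == "initrc_t" {
            split($3, t, ":")          # t[1] = target type, t[2] = object class
            if (t[2] != "tcp_socket" && t[2] != "udp_socket") next
            if ($0 ~ /name_bind/) print $2, t[1]
        }'
}

# context_type CONTEXT -> the type field of user:role:type[:range]
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_status ACTUAL EXPECTED -> "ok" or "MISMATCH <actual> <expected>",
# comparing only the type field, which is what the file-context rules set.
label_status() {
    a=$(context_type "$1"); e=$(context_type "$2")
    if [ "$a" = "$e" ]; then echo ok; else echo "MISMATCH $a $e"; fi
}

# check_path PATH -> the label on the inode versus the label the loaded
# policy's file_contexts assigns to that path (needs a live SELinux system).
check_path() {
    actual=$(stat -c %C "$1") || return 1
    expected=$(matchpathcon -n "$1") || return 1
    echo "$1 $(label_status "$actual" "$expected")"
}

# Constructed sample: the four rules quoted in the thread plus one healthy
# control rule from a daemon that did reach its own domain.
SAMPLE_RULES='allow initrc_t inaddr_any_node_t:tcp_socket node_bind;
allow initrc_t pop_port_t:tcp_socket name_bind;
allow initrc_t unspec_node_t:tcp_socket node_bind;
allow initrc_t var_lib_t:sock_file { create rename setattr unlink };
allow portmap_t portmap_port_t:tcp_socket name_bind;'

printf '%s\n' "$SAMPLE_RULES" | untransitioned_binds
if command -v matchpathcon >/dev/null 2>&1; then
    check_path /sbin/portmap || echo "/sbin/portmap: could not query labels"
fi
```

On a mislabelled host, a MISMATCH line for a binary is the cue to run restorecon or rlpkg on it; the sample rules report only the pop_port_t bind, since node_bind and sock_file rules are not port binds.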