| 1 |
In fact, I think that there is no problem with protmap as I got |
| 2 |
mv1 sbin # ls -lZ port* |
| 3 |
-rwxr-xr-x root root system_u:object_r:portmap_exec_t portmap |
| 4 |
|
| 5 |
However, other binaries such as rpc.* or other are labelled as bin_t |
| 6 |
which is not correct, I think. |
| 7 |
|
| 8 |
But as I work with managed SELinux (2006+), I do not have the src |
| 9 |
directories and thus policy/ subdirectories ... So I'm quite blocked |
| 10 |
here : |
| 11 |
my filesystem is not correctly labelled and I cannot find which labels |
| 12 |
I should have ! |
| 13 |
|
| 14 |
Is there a way to get these information ? |
| 15 |
|
| 16 |
Chris PeBenito <pebenito@g.o> a écrit : |
| 17 |
|
| 18 |
> On Wed, 2007-08-01 at 11:53 +0200, julien.thomas@×××××××××××××.fr wrote: |
| 19 |
>> Thanks for the tip with ssh. This work really well now. |
| 20 |
>> |
| 21 |
>> Unefortunately, it is not the only error I got with SELinux. |
| 22 |
>> Some files were not correctly labelled (though I don't know how many |
| 23 |
>> rlpkg -ar were done ...) |
| 24 |
>> |
| 25 |
>> For example here is a result of audit2allow. But the most important |
| 26 |
>> problem, I think, is the networks error with for example allow |
| 27 |
>> kernel_t lo_node_t:node udp_recv. |
| 28 |
>> |
| 29 |
>> For a full example, I have added the kernel messages |
| 30 |
>> (/var/log/kern.log | grep portmap) produced by the portmap daemon. I |
| 31 |
>> think that it s a recurrent error that is not produced by the daemon |
| 32 |
>> but more by a network/kernel wrong labelling/policy. |
| 33 |
>> |
| 34 |
>> If someone has any clue about this, I will take it as I cannot find |
| 35 |
>> any relevant information on the web. |
| 36 |
> |
| 37 |
> At a minimum, the portmap service is running in the wrong domain: |
| 38 |
> |
| 39 |
>> allow initrc_t inaddr_any_node_t:tcp_socket node_bind; |
| 40 |
>> allow initrc_t pop_port_t:tcp_socket name_bind; |
| 41 |
>> allow initrc_t unspec_node_t:tcp_socket node_bind; |
| 42 |
>> allow initrc_t var_lib_t:sock_file { create rename setattr unlink }; |
| 43 |
> |
| 44 |
> -- |
| 45 |
> Chris PeBenito |
| 46 |
> <pebenito@g.o> |
| 47 |
> Developer, |
| 48 |
> Hardened Gentoo Linux |
| 49 |
> |
| 50 |
> Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 51 |
> Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
| 52 |
> |
| 53 |
|
| 54 |
|
| 55 |
|
| 56 |
-- |
| 57 |
gentoo-hardened@g.o mailing list |
Archives