Fedora 12 and unconfined_u sshdfilter

David Highley dhighley at highley-recommended.com
Fri Dec 4 04:40:23 UTC 2009


"Daniel J Walsh wrote:"
> 
> On 12/03/2009 12:33 AM, David Highley wrote:
> > I'm trying to get sshdfilter a Perl wrapper around sshd to work in
> > Fedora 12. The script needs to be able to call iptables to drop in new
> > rejection rules for detected hacking connections. I used "semanage fcontext
> > -a -t sshd_exec_t" which gave it the same context as sshd. I have not
> > been able to change the unconfined_u to system_u:
> > lz -Z /usr/sbin/sshdfilter unconfined_u:object_r:sshd_exec_t:s0
> >
> > I was getting avc errors so I created an allow policy:
> > module mysshdfilter 1.0;
> >
> > require {
> >          type iptables_exec_t;
> >          type iptables_t;
> >          type sshd_t;
> >          class file execute;
> >          class fifo_file read;
> > }
> >
> > #============= iptables_t ==============
> > allow iptables_t self:fifo_file read;
> >
> > #============= sshd_t ==============
> > allow sshd_t iptables_exec_t:file execute;
> >
> >
> > Now I'm getting:
> > time->Wed Dec  2 21:07:04 2009
> > type=USER_ROLE_CHANGE msg=audit(1259816824.474:201): user pid=3664 uid=0
> > auid=0 ses=12 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=?: exe= "/usr/sbin/sshd" hostname=? addr=? terminal=? res=failed'
> >
> >
> You probably want
> 
> iptables_domtrans(sshd_t)

I tried adding this statement to the file, but checkmodule gave a syntax
error. I tried searching through the selinux files but did not find an
example of how to use the above statement.

> 
> The ROLE_CHANGE is not an SELinux error, it is just an audit message.
> 
> I will add the fifo_file rule to iptables policy
> 
> Fixed in selinux-policy-3.6.32-54.fc12
> 
> If you want to get real crazy you could write policy for
> /usr/sbin/sshdfilter
> 
> 
> policy_module(sshdfilter, 1.0)
> 
> ssh_server_template(sshdfilter)
> iptables_domtrans(sshdfilter_t)
> 
> 
> 


-- 

Regards,

David Highley
Highley Recommended, Inc.       Phone: (206) 669-0081
2927 SW 339th Street            WEB: http://www.highley-recommended.com
Federal Way, WA 98023-7732
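The module Daniel sketches uses reference-policy interface macros (ssh_server_template, iptables_domtrans), which are m4 macros expanded by the refpolicy build, so feeding the .te straight to checkmodule produces exactly the syntax error described above. The following build recipe is an added example, not code from the thread; it assumes selinux-policy-devel is installed and that the binary lives at /usr/sbin/sshdfilter as in the original post, and the compile/load steps only run when the devel Makefile is present.

```shell
#!/bin/sh
# Added example (not from the thread): build the sshdfilter policy module
# with the refpolicy devel Makefile rather than bare checkmodule, since the
# interface macros used below only exist after m4 expansion.
# Assumes selinux-policy-devel is installed; the build/load step is skipped
# when /usr/share/selinux/devel/Makefile is absent so the source files can
# still be generated and inspected on any host.
set -e

MODULE=sshdfilter
WORKDIR=${WORKDIR:-$(mktemp -d)}

# Type-enforcement source: a confined sshd-like domain that transitions
# into iptables_t when it runs iptables, instead of executing it in-domain.
write_te() {
    cat > "$1/$MODULE.te" <<'EOF'
policy_module(sshdfilter, 1.0)

# ssh_server_template() declares sshdfilter_t and sshdfilter_exec_t
ssh_server_template(sshdfilter)

# Domain transition to iptables_t for the rule inserts
iptables_domtrans(sshdfilter_t)
EOF
    echo "$1/$MODULE.te"
}

# File-context entry so restorecon labels the wrapper with the new exec type
# (replaces the manual "semanage fcontext -a -t sshd_exec_t" from the post).
write_fc() {
    cat > "$1/$MODULE.fc" <<'EOF'
/usr/sbin/sshdfilter  --  gen_context(system_u:object_r:sshdfilter_exec_t,s0)
EOF
    echo "$1/$MODULE.fc"
}

# Compile .te/.fc into a .pp, load it, and relabel the binary.
build_and_load() {
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; skipping build" >&2
        return 0
    fi
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$1/$MODULE.pp"
    restorecon -v /usr/sbin/sshdfilter
}

write_te "$WORKDIR" >/dev/null
write_fc "$WORKDIR" >/dev/null
build_and_load "$WORKDIR"
```

Because the wrapper runs as its own domain (sshdfilter_t) rather than sshd_t, the iptables rules are inserted via a transition into iptables_t and no allow rule granting sshd_t execute on iptables_exec_t is needed.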



