[redhat-lspp] Re: Possible policy issue - nc related
Daniel J Walsh
dwalsh at redhat.com
Tue Dec 19 19:17:31 UTC 2006
Loulwa Salem wrote:
> Hi,
> I am writing a testcase that uses netcat (nc) as part of my cipso
> testing. I ran into a slight problem when in Enforcing mode.
> user_r, sysadm_r, or secadm_r can't execute nc ... below are the AVC
> records I was seeing and the policy I used to fix it.
>
> Note: This is when running in Enforcing mode, drop 1207 with lspp.58
> kernel
> and policy version 2.4.6-12.el5
>
> Shouldn't at least one of them be able to execute nc?
>
> type=AVC msg=audit(1166479344.923:3782): avc: denied { name_bind }
> for pid=31873 comm="nc" src=3333
> scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
> type=AVC msg=audit(1166479424.896:3788): avc: denied { node_bind }
> for pid=31907 comm="nc" src=3333
> scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
>
> type=AVC msg=audit(1166138167.737:18159): avc: denied { name_bind }
> for pid=4305 comm="nc" src=3333 scontext=user_u:user_r:user_t:s2:c2
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
>
> policy to fix it ...
>
> policy_module(mypol,1.0.0)
>
> ########################################
> #
> # Declarations
> #
>
> gen_require(`
> type secadm_t, sysadm_t, user_t, port_t;
> type inaddr_any_node_t;
> ')
> allow user_t port_t:tcp_socket name_bind;
> allow secadm_t port_t:tcp_socket name_bind;
> allow sysadm_t inaddr_any_node_t:tcp_socket node_bind;
>
> thnaks,
> - Loulwa
>
>
This looks fine for a test policy. What you have said here is to allow
user_t and secadm_t to bind to all ports that are not labeled.
You could have defined a port, say
gen_require(`
type secadm_t, sysadm_t, user_t;
type inaddr_any_node_t;
')
type test_port_t
allow user_t test_port_t:tcp_socket name_bind;
allow secadm_t test_port_t:tcp_socket name_bind;
allow sysadm_t inaddr_any_node_t:tcp_socket node_bind;
Then use semanage to assign ports to test_port_t.
semanage port -a -p tcp -t test_port_t 3333
This would give you a little tighter security and would allow you to
test out some of the other features available with SELinux.
More information about the redhat-lspp
mailing list