[redhat-lspp] Re: Possible policy issue - nc related

Daniel J Walsh dwalsh at redhat.com
Tue Dec 19 19:17:31 UTC 2006


Loulwa Salem wrote:
> Hi,
> I am writing a testcase that uses netcat (nc) as part of my cipso 
> testing. I ran into a slight problem when in Enforcing mode.
> user_r, sysadm_r, or secadm_r can't execute nc ... below are the AVC 
> records I was seeing and the policy I used to fix it.
>
> Note: This is when running in Enforcing mode, drop 1207 with lspp.58 
> kernel
> and policy version 2.4.6-12.el5
>
> Shouldn't at least one of them be able to execute nc?
>
> type=AVC msg=audit(1166479344.923:3782): avc:  denied  { name_bind } 
> for pid=31873 comm="nc" src=3333 
> scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
> type=AVC msg=audit(1166479424.896:3788): avc:  denied  { node_bind } 
> for pid=31907 comm="nc" src=3333 
> scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 
> tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
>
> type=AVC msg=audit(1166138167.737:18159): avc:  denied  { name_bind } 
> for pid=4305 comm="nc" src=3333 scontext=user_u:user_r:user_t:s2:c2 
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
>
> policy to fix it ...
>
> policy_module(mypol,1.0.0)
>
> ########################################
> #
> # Declarations
> #
>
> gen_require(`
>         type secadm_t, sysadm_t, user_t, port_t;
>         type inaddr_any_node_t;
> ')
> allow user_t port_t:tcp_socket name_bind;
> allow secadm_t port_t:tcp_socket name_bind;
> allow sysadm_t inaddr_any_node_t:tcp_socket node_bind;
>
> thanks,
> - Loulwa
>
>

This looks fine for a test policy.  What you have said here is to allow 
user_t and secadm_t to bind to all ports that are not labeled. 

You could have defined a port, say


policy_module(mypol,1.0.0)

gen_require(`
        type secadm_t, sysadm_t, user_t;
        type inaddr_any_node_t;
')

# Dedicated port type for the test; corenet_port() is the refpolicy
# interface that gives it the port_type attribute semanage expects.
type test_port_t;
corenet_port(test_port_t)

allow user_t test_port_t:tcp_socket name_bind;
allow secadm_t test_port_t:tcp_socket name_bind;
allow sysadm_t inaddr_any_node_t:tcp_socket node_bind;


Then use semanage to assign ports to test_port_t.

semanage port -a -p tcp -t test_port_t 3333

This would give you a little tighter security and would allow you to 
test out some of the other features available with SELinux.