3:07 a.m.
http://infrahip.hiit.fi/index.php?index=download
Would it be possible to install hipl-all,
and get a it to work with selinux enabled.
Asking in advance, or should I just try it first,
then look for help?
--
Regards,
Frank Murphy
UTF_8 Encoded.
3:25 a.m.
On 12/05/2009 11:07 AM, Frank Murphy (Frankly3D) wrote:
http://infrahip.hiit.fi/index.php?index=download
Would it be possible to install hipl-all,
and get a it to work with selinux enabled.
Asking in advance, or should I just try it first,
then look for help?
Those instructions are purely idiotic. Just install it, go to permissive
mode and create a policy based on the AVCs that get logged.
Note that installing the rpm packages should never trigger any selinux
denials.
3:36 a.m.
On 05/12/09 09:25, Manuel Wolfshant wrote:
On 12/05/2009 11:07 AM, Frank Murphy (Frankly3D) wrote:
> http://infrahip.hiit.fi/index.php?index=download
>
> Would it be possible to install hipl-all,
> and get a it to work with selinux enabled.
>
> Asking in advance, or should I just try it first,
> then look for help?
>
Those instructions are purely idiotic.
Just install it, go to permissive
mode and create a policy based on the AVCs that get logged.
Cool, thanks.
--
Regards,
Frank Murphy
UTF_8 Encoded.
3:42 a.m.
On 12/05/2009 11:25 AM, Manuel Wolfshant wrote:
On 12/05/2009 11:07 AM, Frank Murphy (Frankly3D) wrote:
> http://infrahip.hiit.fi/index.php?index=download
>
> Would it be possible to install hipl-all,
> and get a it to work with selinux enabled.
>
> Asking in advance, or should I just try it first,
> then look for help?
>
Those instructions are purely idiotic. Just install it, go to
permissive mode and create a policy based on the AVCs that get logged.
Note that installing the rpm packages should never trigger any selinux
denials.
And once we (that is you :) ) have a correct policy, it would be polite
to send it to them and ask them to fix the instructions. And eventually
post the policy on their website (because we can include it in fedora,
but for sure RHEL and, by matter of consequence Centos will not . At
least not in a foreseeable future.)
4:06 a.m.
On 05/12/09 09:42, Manuel Wolfshant wrote:
--snip--
And once we (that is you :) ) have a correct policy,
Does this look ok?
audit2allow -M myhipd01 < /var/log/audit/audit.log
module myhipd01 1.0;
require {
type unconfined_t;
type ifconfig_t;
type unconfined_java_t;
type chrome_sandbox_t;
type root_t;
type admin_home_t;
type null_device_t;
type iptables_t;
type abrt_t;
type initrc_t;
type ftp_port_t;
type var_lock_t;
type xauth_t;
type device_t;
type setroubleshootd_t;
type wine_t;
type rpm_var_cache_t;
type rpcd_t;
type system_mail_t;
type plymouthd_t;
class capability sys_ptrace;
class netlink_ip6fw_socket { read write };
class process execmem;
class memprotect mmap_zero;
class netlink_firewall_socket { read write };
class chr_file unlink;
class netlink_xfrm_socket { read write };
class tcp_socket name_connect;
class file { read write };
class rawip_socket { read write };
class netlink_route_socket { read write };
class udp_socket { read write };
class dir { write remove_name create };
role system_r;
role unconfined_r;
}
#============= abrt_t ==============
allow abrt_t ftp_port_t:tcp_socket name_connect;
allow abrt_t rpm_var_cache_t:dir create;
#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:capability sys_ptrace;
#============= ifconfig_t ==============
allow ifconfig_t initrc_t:netlink_route_socket { read write };
allow ifconfig_t initrc_t:netlink_xfrm_socket { read write };
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t var_lock_t:file { read write };
#============= iptables_t ==============
allow iptables_t initrc_t:netlink_firewall_socket { read write };
allow iptables_t initrc_t:netlink_ip6fw_socket { read write };
allow iptables_t initrc_t:rawip_socket { read write };
allow iptables_t initrc_t:udp_socket { read write };
allow iptables_t var_lock_t:file { read write };
#============= plymouthd_t ==============
allow plymouthd_t device_t:dir { write remove_name };
allow plymouthd_t null_device_t:chr_file unlink;
#============= setroubleshootd_t ==============
allow setroubleshootd_t device_t:file write;
#============= system_mail_t ==============
allow system_mail_t root_t:dir write;
#============= unconfined_t ==============
allow unconfined_t self:process execmem;
#============= wine_t ==============
allow wine_t self:memprotect mmap_zero;
#============= xauth_t ==============
allow xauth_t admin_home_t:file { write read };
#============= ROLES ==============
role system_r types unconfined_java_t;
role unconfined_r types rpcd_t;
--
Regards,
Frank Murphy
UTF_8 Encoded.
4:09 a.m.
On 12/05/09 02:06, Frank Murphy (Frankly3D) wrote:
On 05/12/09 09:42, Manuel Wolfshant wrote:
--snip--
> And once we (that is you :) ) have a correct policy,
Does this look ok?
audit2allow -M myhipd01 < /var/log/audit/audit.log
module myhipd01 1.0;
require {
type unconfined_t;
type ifconfig_t;
type unconfined_java_t;
type chrome_sandbox_t;
type root_t;
type admin_home_t;
type null_device_t;
type iptables_t;
type abrt_t;
type initrc_t;
type ftp_port_t;
type var_lock_t;
type xauth_t;
type device_t;
type setroubleshootd_t;
type wine_t;
type rpm_var_cache_t;
type rpcd_t;
type system_mail_t;
type plymouthd_t;
class capability sys_ptrace;
class netlink_ip6fw_socket { read write };
class process execmem;
class memprotect mmap_zero;
class netlink_firewall_socket { read write };
class chr_file unlink;
class netlink_xfrm_socket { read write };
class tcp_socket name_connect;
class file { read write };
class rawip_socket { read write };
class netlink_route_socket { read write };
class udp_socket { read write };
class dir { write remove_name create };
role system_r;
role unconfined_r;
}
#============= abrt_t ==============
allow abrt_t ftp_port_t:tcp_socket name_connect;
allow abrt_t rpm_var_cache_t:dir create;
#============= chrome_sandbox_t ==============
allow chrome_sandbox_t self:capability sys_ptrace;
#============= ifconfig_t ==============
allow ifconfig_t initrc_t:netlink_route_socket { read write };
allow ifconfig_t initrc_t:netlink_xfrm_socket { read write };
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t var_lock_t:file { read write };
#============= iptables_t ==============
allow iptables_t initrc_t:netlink_firewall_socket { read write };
allow iptables_t initrc_t:netlink_ip6fw_socket { read write };
allow iptables_t initrc_t:rawip_socket { read write };
allow iptables_t initrc_t:udp_socket { read write };
allow iptables_t var_lock_t:file { read write };
#============= plymouthd_t ==============
allow plymouthd_t device_t:dir { write remove_name };
allow plymouthd_t null_device_t:chr_file unlink;
#============= setroubleshootd_t ==============
allow setroubleshootd_t device_t:file write;
#============= system_mail_t ==============
allow system_mail_t root_t:dir write;
#============= unconfined_t ==============
allow unconfined_t self:process execmem;
#============= wine_t ==============
allow wine_t self:memprotect mmap_zero;
#============= xauth_t ==============
allow xauth_t admin_home_t:file { write read };
#============= ROLES ==============
role system_r types unconfined_java_t;
role unconfined_r types rpcd_t;
sure.. now install your binary!!
Justin P. Mattock
4:54 a.m.
On Sat, Dec 05, 2009 at 02:09:02AM -0800, Justin P. Mattock wrote:
On 12/05/09 02:06, Frank Murphy (Frankly3D) wrote:
>On 05/12/09 09:42, Manuel Wolfshant wrote:
>--snip--
>
>>And once we (that is you :) ) have a correct policy,
>
>Does this look ok?
>
>audit2allow -M myhipd01 < /var/log/audit/audit.log
>
>module myhipd01 1.0;
>
>require {
>type unconfined_t;
>type ifconfig_t;
>type unconfined_java_t;
>type chrome_sandbox_t;
>type root_t;
>type admin_home_t;
>type null_device_t;
>type iptables_t;
>type abrt_t;
>type initrc_t;
>type ftp_port_t;
>type var_lock_t;
>type xauth_t;
>type device_t;
>type setroubleshootd_t;
>type wine_t;
>type rpm_var_cache_t;
>type rpcd_t;
>type system_mail_t;
>type plymouthd_t;
>class capability sys_ptrace;
>class netlink_ip6fw_socket { read write };
>class process execmem;
>class memprotect mmap_zero;
>class netlink_firewall_socket { read write };
>class chr_file unlink;
>class netlink_xfrm_socket { read write };
>class tcp_socket name_connect;
>class file { read write };
>class rawip_socket { read write };
>class netlink_route_socket { read write };
>class udp_socket { read write };
>class dir { write remove_name create };
>role system_r;
>role unconfined_r;
>}
>
>#============= abrt_t ==============
>allow abrt_t ftp_port_t:tcp_socket name_connect;
>allow abrt_t rpm_var_cache_t:dir create;
probably bugs in abrt policy
>
>#============= chrome_sandbox_t ==============
>allow chrome_sandbox_t self:capability sys_ptrace;
>
probably bug in chrome policy
>#============= ifconfig_t ==============
>allow ifconfig_t initrc_t:netlink_route_socket { read write };
>allow ifconfig_t initrc_t:netlink_xfrm_socket { read write };
>allow ifconfig_t initrc_t:udp_socket { read write };
>allow ifconfig_t var_lock_t:file { read write };
>
>#============= iptables_t ==============
>allow iptables_t initrc_t:netlink_firewall_socket { read write };
>allow iptables_t initrc_t:netlink_ip6fw_socket { read write };
>allow iptables_t initrc_t:rawip_socket { read write };
>allow iptables_t initrc_t:udp_socket { read write };
>allow iptables_t var_lock_t:file { read write };
whatever runs initrc_t needs policy imho: ps auxZ | grep initrc
>
>#============= plymouthd_t ==============
>allow plymouthd_t device_t:dir { write remove_name };
>allow plymouthd_t null_device_t:chr_file unlink;
>
>#============= setroubleshootd_t ==============
>allow setroubleshootd_t device_t:file write;
Looks like this file is mislabeled. ausearch -m avc -ts today | grep device_t | grep file
| grep avc | head -n 1
>
>#============= system_mail_t ==============
>allow system_mail_t root_t:dir write;
why is it writing to /
>
>#============= unconfined_t ==============
>allow unconfined_t self:process execmem;
allow_execmem boolean or label the executable of the execmem program execmem_exec_t;
>
>#============= wine_t ==============
>allow wine_t self:memprotect mmap_zero;
There is a boolean you can set for this. getsebool -a | grep mmap
>
>#============= xauth_t ==============
>allow xauth_t admin_home_t:file { write read };
>#============= ROLES ==============
>role system_r types unconfined_java_t;
Looks like this is what you get when you run user applications with system role
>role unconfined_r types rpcd_t;
If this is a daemon as the type suggests then it should not be run with unconfined role.
>
sure.. now install your binary!!
Justin P. Mattock
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
5:40 a.m.
On 12/05/2009 11:06 AM, Frank Murphy (Frankly3D) wrote:
On 05/12/09 09:42, Manuel Wolfshant wrote:
--snip--
> And once we (that is you :) ) have a correct policy,
Does this look ok?
audit2allow -M myhipd01 < /var/log/audit/audit.log
Frank,
what is your version of selinux-policy ?
# rpm -q selinux-policy selinux-policy-targeted
4 a.m.
On 12/05/09 01:07, Frank Murphy (Frankly3D) wrote:
http://infrahip.hiit.fi/index.php?index=download
Would it be possible to install hipl-all,
and get a it to work with selinux enabled.
Asking in advance, or should I just try it first,
then look for help?
from what it looks like(not sure what the software is),
but by a quick glance it seems to be similar to wireshark,
so yes you can have that work with the policy in enforce mode,
as well as tcpdump,etherape, and even a honeypot on top..
(just make sure you define the avc's if any are created);
Justin P. Mattock
5274
days inactive
5276
days old
selinux@lists.fedoraproject.org
9 comments
5 participants
participants (5)
-
Dominick Grift -
Frank Murphy -
Justin P. Mattock -
Manuel Wolfshant -
Miroslav Grepl