* netif and node check in RHEL5
@ 2008-05-21 13:37 Takesi satoh
2008-05-21 16:50 ` Paul Moore
0 siblings, 1 reply; 5+ messages in thread
From: Takesi satoh @ 2008-05-21 13:37 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 1787 bytes --]
Hello,
I wonder whether node and netif are checked in RHEL5 or not.
I tried to add some auditallow sentences in RHEL4 at first.
> auditallow unconfined_t node_type:node *;
> auditallow unconfined_t netif_type:netif *;
and executed some commands such as,
> nc -l -p 8888
> echo "testtest" | nc 127.0.0.1 8888
Then, SELinux generated granted logs such as,
> localhost kernel: audit(1190468263.024:250): avc: granted { tcp_send }
for pid=6057 comm="nc" name="bash" dev=dm-0 ino=686823
scontext=root:system_r:unconfind_t tcontext=root:system_r:node_t
tclass=node
I tried the same thing in RHEL5, but no granted logs are found in
/var/log/audit/audit.log.
I created a module like the one below, and after compiling the module, tried
"semodule -i test.pp".
> policy_module(test, 1.0.0)
> gen_require(`
> attribute node_type;
> attribute netif_type;
> type unconfined_t;
> ')
> auditallow unconfined_t node_type:node *;
> auditallow unconfined_t netif_type:netif *;
>
> (The fc and if files are empty.)
I thought the subject domain was not unconfined_t, so I confirmed what the user
security context was.
But I logged in as root (unconfined_t).
Anyway, does SELinux in RHEL5 check node and netif, or is it just my
mistake?
Regards,
K
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: netif and node check in RHEL5
2008-05-21 13:37 Takesi satoh
@ 2008-05-21 16:50 ` Paul Moore
0 siblings, 0 replies; 5+ messages in thread
From: Paul Moore @ 2008-05-21 16:50 UTC (permalink / raw)
To: Takesi satoh; +Cc: selinux
On Wednesday 21 May 2008 9:37:30 am Takesi satoh wrote:
> I wonder that whether node and netif are checked in RHEL5 or not.
Hello,
I believe RHEL5 makes use of secmark controls instead of the node/netif
checks (the RH folks can correct me if I am wrong). You can enable the
node/netif checks in place of secmark if you want by
enabling "compat_net" ...
# echo 1 > /selinux/compat_net
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 5+ messages in thread
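To confirm the effect of the `compat_net` switch described above, this added example (not written by the thread participants) reports the tunable's state and counts `avc: granted` records for the node and netif classes. The function names, the sample records and the one-record-per-line log layout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread.

# Report which network controls are active, from the tunable named in the reply.
# $1: path to the tunable (default /selinux/compat_net, as in the thread).
net_control_mode() {
    f="${1:-/selinux/compat_net}"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(tr -d '[:space:]' < "$f")" in
        1) echo compat_net ;;   # legacy node/netif checks enabled
        0) echo secmark ;;      # node/netif checks off; per the thread, secmark is used
        *) echo unknown ;;
    esac
}

# Count "avc: granted" records for classes node and netif from one source type.
# $1: audit log (or - for stdin), $2: source type such as unconfined_t.
# Prints one "class count" line per class, sorted by class name.
granted_net_checks() {
    awk -v stype="$2" '
        /avc: +granted/ {
            cls = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^tclass=/)   cls = substr($i, 8)
                if ($i ~ /^scontext=/) src = substr($i, 10)
            }
            n = split(src, part, ":")   # user:role:type[:level]
            if ((cls == "node" || cls == "netif") && n >= 3 && part[3] == stype)
                count[cls]++
        }
        END { for (c in count) print c, count[c] }
    ' "$1" | sort
}

# Constructed sample records (not from a real system), one record per line.
SAMPLE='type=AVC msg=audit(1211389200.101:45): avc:  granted  { tcp_send } for  pid=6057 comm="nc" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=node
type=AVC msg=audit(1211389200.102:46): avc:  granted  { tcp_recv } for  pid=6057 comm="nc" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=node
type=AVC msg=audit(1211389200.103:47): avc:  granted  { tcp_send } for  pid=6057 comm="nc" netif=lo scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:netif_t:s0 tclass=netif
type=AVC msg=audit(1211389200.104:48): avc:  granted  { tcp_send } for  pid=2210 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=node
type=AVC msg=audit(1211389200.105:49): avc:  denied  { name_bind } for  pid=6100 comm="nc" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

net_control_mode
printf '%s\n' "$SAMPLE" | granted_net_checks - unconfined_t
```

On a live system, pass `/var/log/audit/audit.log` as the first argument of `granted_net_checks` after installing the auditallow module from the first message.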
* Re: netif and node check in RHEL5
@ 2008-05-23 17:05 Takesi satoh
2008-05-23 18:00 ` Paul Moore
0 siblings, 1 reply; 5+ messages in thread
From: Takesi satoh @ 2008-05-23 17:05 UTC (permalink / raw)
To: paul.moore; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 1344 bytes --]
Hello Paul,
Thank you for your reply,
> # echo 1 > /selinux/compat_net
It works fine!
Again, thank you very much.
Regards,
K
<-----Original Message----->
>From: Paul Moore [paul.moore@hp.com]
>Sent: 22/5/2008 1:53:38 AM
>To: t_mail@mail2airport.com
>Cc: selinux@tycho.nsa.gov
>Subject: Re: netif and node check in RHEL5
>
>On Wednesday 21 May 2008 9:37:30 am Takesi satoh wrote:
>> I wonder that whether node and netif are checked in RHEL5 or not.
>
>Hello,
>
>I believe RHEL5 makes use of secmark controls instead of the node/netif
>checks (the RH folks can correct me if I am wrong). You can enable the
>node/netif checks in place of secmark if you want by
>enabling "compat_net" ...
>
> # echo 1 > /selinux/compat_net
>
>--
>paul moore
>linux @ hp
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: netif and node check in RHEL5
2008-05-23 17:05 Takesi satoh
@ 2008-05-23 18:00 ` Paul Moore
0 siblings, 0 replies; 5+ messages in thread
From: Paul Moore @ 2008-05-23 18:00 UTC (permalink / raw)
To: Takesi satoh; +Cc: selinux
On Friday 23 May 2008 1:05:40 pm Takesi satoh wrote:
> Hello Paul,
>
> Thank you for your reply,
>
> > # echo 1 > /selinux/compat_net
>
> It works fine!
> Again, thank you very much.
I'm glad that solved your problem. I would still encourage you to
transition your systems to secmark as the compat_net controls are
considered "deprecated" and may go away in the future. In addition,
you should notice better performance with secmark versus compat_net.
--
paul moore
linux @ hp
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: netif and node check in RHEL5
@ 2008-05-25 4:24 Takesi satoh
0 siblings, 0 replies; 5+ messages in thread
From: Takesi satoh @ 2008-05-25 4:24 UTC (permalink / raw)
To: paul.moore; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 1644 bytes --]
Hello Paul,
Thank you for your additional information.
I understand that node/netif functionality may go away in the future.
I may have to think about not using node/netif functionality.
Thanks again!
Regards,
K
<-----Original Message----->
From: Paul Moore [paul.moore@hp.com]
Sent: 24/5/2008 3:08:39 AM
To: Takesi satoh
Cc: selinux@tycho.nsa.gov
Subject: Re: netif and node check in RHEL5
On Friday 23 May 2008 1:05:40 pm Takesi satoh wrote:
> Hello Paul,
>
> Thank you for your reply,
>
> > # echo 1 > /selinux/compat_net
>
> It works fine!
> Again, thank you very much.
I'm glad that solved your problem. I would still encourage you to
transition your systems to secmark as the compat_net controls are
considered "deprecated" and may go away in the future. In addition,
you should notice better performance with secmark versus compat_net.
--
paul moore
linux @ hp
^ permalink raw reply [flat|nested] 5+ messages in thread