From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Takesi satoh"
Subject: netif and node check in RHEL5
Date: Wed, 21 May 2008 06:37:30 -0700
Message-ID: <0a1101c8bb47$d12c4270$036a010a@mail2world.com>
List-Id: selinux@tycho.nsa.gov

Hello,

I wonder whether node and netif are checked in RHEL5 or not.
I tried to add some auditallow statements in RHEL4 at first.

> auditallow unconfined_t node_type:node *;
> auditallow unconfined_t netif_type:netif *;

and executed some commands such as:
> nc -l -p 8888
> echo "testtest" | nc 127.0.0.1 8888

Then, SELinux generated granted logs such as,
> localhost kernel: audit(1190468263.024:250): avc: granted { tcp_send } for pid=6057 comm="nc" name="bash" dev=dm-0 ino=686823 scontext=root:system_r:unconfind_t tcontext=root:system_r:node_t tclass=node

I tried the same thing in RHEL5, but no granted logs were found in /var/log/audit/audit.log.
I created a module like the one below and, after compiling it, ran "semodule -i test.pp".
> policy_module(test, 1.0.0)
> gen_require(`
>     attribute node_type;
>     attribute netif_type;
>     type unconfined_t;
> ')
> auditallow unconfined_t node_type:node *;
> auditallow unconfined_t netif_type:netif *;
>
> (The .fc and .if files are empty.)

I thought the subject domain was not unconfined_t, so I checked what the user's security context was.
But I had logged in as root (unconfined_t).

Anyway, does SELinux in RHEL5 check node and netif, or is it just my mistake?

Regards,
K
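A small checker for the test described in the mail, added here as an example and not part of the original message: it parses AVC records in either the kernel-log form quoted above or the auditd `type=AVC` form, keeps only the node and netif object classes, and counts which permissions were granted or denied. Only the first sample line is the record quoted in the mail (its scontext typo is kept as-is); the other sample lines are constructed.

```python
import re
from collections import Counter

# Matches both the kernel-style record quoted in the mail
# ("kernel: audit(ts:serial): avc: granted { tcp_send } for ...") and the
# auditd form ("type=AVC msg=audit(ts:serial): avc:  denied  { ... } for ...").
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+(?P<verdict>granted|denied)"
    r"\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs after "for"; values may be quoted (comm="nc") or bare (tclass=node)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: line 1 is the RHEL4 record from the mail, lines 2-4 are constructed.
SAMPLE_LOG = [
    'localhost kernel: audit(1190468263.024:250): avc: granted { tcp_send } for pid=6057 comm="nc" name="bash" dev=dm-0 ino=686823 scontext=root:system_r:unconfind_t tcontext=root:system_r:node_t tclass=node',
    'type=AVC msg=audit(1190468263.031:251): avc:  granted  { tcp_send } for  pid=6057 comm="nc" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:netif_t tclass=netif',
    'type=AVC msg=audit(1190468264.100:252): avc:  denied  { name_connect } for  pid=6060 comm="nc" scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket',
    'type=SYSCALL msg=audit(1190468264.100:252): arch=40000003 syscall=102 success=no exit=-13',
]


def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "comm": fields.get("comm"),
    }


def network_checks(lines, classes=("node", "netif")):
    """Count (tclass, verdict, permission) triples for the network object classes only.
    An empty result after sending traffic means no node/netif check was recorded."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["tclass"] in classes:
            for perm in rec["perms"]:
                counts[(rec["tclass"], rec["verdict"], perm)] += 1
    return counts
```

Feed it the lines of /var/log/audit/audit.log after running the nc test with the auditallow module loaded; if the counter stays empty, the kernel recorded no node or netif check for that traffic.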