iptables.te errors

iptables.te errors

[Shaun Savage]

[-- Attachment #1: Type: text/plain, Size: 627 bytes --]

HI
I am having a hard time with getting courier to work that I decided to 
try somwthing easier. iptables. Attached is the te file that I am using.
During make load I get the error

security: context system_u:system_r:iptables_t is invalid

the during the command iptables -t nat -L
I get the errors
avc: denied { create } for pid=9757 exe=/sbin/iptables 
scontext=root:sysadmin_r:sysadmin_t tcontext=root_u:sysadm_r:sysadm_t 
tclass=rawip_socket
avc: denied { getopt } for pid=9757 exe=/sbin/iptables 
scontext=root:sysadmin_r:sysadmin_t tcontext=root_u:sysadm_r:sysadm_t 
tclass=rawip_socket


much more later


Shaun savage

[-- Attachment #2: iptables.te --]
[-- Type: text/plain, Size: 756 bytes --]

#
# Authors:  Justin Smith <jsmith@mcs.drexel.edu>
#

#
# Rules for the iptables_t domain.
#
type iptables_t, domain, privlog;
type iptables_exec_t, file_type, sysadmfile, exec_type;
type iptables_var_run_t, file_type, sysadmfile, pidfile;

domain_auto_trans(iptables_t, insmod_exec_t, insmod_t)
domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)

file_type_auto_trans(iptables_t, var_run_t, iptables_var_run_t)

# Inherit and use descriptors from init.
allow iptables_t init_t:fd inherit_fd_perms;

allow iptables_t bin_t:file { execute execute_no_trans };
allow iptables_t iptables_exec_t:file { execute_no_trans };
allow iptables_t iptables_t:capability { net_admin net_raw };
allow iptables_t iptables_t:rawip_socket { create setopt getopt };

Re: iptables.te errors

[Paul Krumviede]

--On Sunday, 16 December, 2001 10:06 -0800 Shaun Savage <savages@pcez.com> 
wrote:

> HI
> I am having a hard time with getting courier to work that I decided to
> try somwthing easier. iptables. Attached is the te file that I am using.
> During make load I get the error
>
> security: context system_u:system_r:iptables_t is invalid

iptables_t needs to be added to the allowed set of types
for the system_r role. this can be done in policy/rbac or
it can be added to iptables.te (i prefer the latter since
it makes the .te file relatively self-contained, but at the
expense of not having all the allowed types for a given
role in one place to look at; tastes may vary).

> the during the command iptables -t nat -L
> I get the errors
> avc: denied { create } for pid=9757 exe=/sbin/iptables
> scontext=root:sysadmin_r:sysadmin_t tcontext=root_u:sysadm_r:sysadm_t
> tclass=rawip_socket avc: denied { getopt } for pid=9757
> exe=/sbin/iptables scontext=root:sysadmin_r:sysadmin_t
> tcontext=root_u:sysadm_r:sysadm_t tclass=rawip_socket

there is no rule to change the domain of the process when
iptables is run in the system administrator role (nor does
there seem to be domain transition rule for when ipchains
is run by init). this could be added in policy/domains/admin/sysadm.te
or in iptables.te (similarly, a domain transition rule could be added
to policy/domains/system/initrc.te or to iptables.te).

-paul


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: iptables.te errors

[Shaun Savage]

[-- Attachment #1: Type: text/plain, Size: 2072 bytes --]

Thanks it works

I have a iptables.te with some documentation.  Here is what I learned.
you need to add
role sysadm_r types DOMAIN_T
This allows the DOMAIN_T from sysadm_r role, the same for system_r

Allow the change from sysadm_t to DOMAIN_T
domain_auto_trans(sysadm_t, DOMAIN_EXEC_T,DOMAIN_T)
when execute a program of type DOMAIN_EXEC_T from sysadm_t
the new  domain is DOMAIN_T

Next allow input/output
allow DOMAIN_T sysadm_tty_device_t:chr_file rw_file_perms;
allow DOMAIN_T sysadm_devpts_t:chr_file rw_file_perms;
allow DOMAIN_T sysadm_gph_t:fd inherent_fd_perms;




Paul Krumviede wrote:

> --On Sunday, 16 December, 2001 10:06 -0800 Shaun Savage 
> <savages@pcez.com> wrote:
>
>> HI
>> I am having a hard time with getting courier to work that I decided to
>> try somwthing easier. iptables. Attached is the te file that I am using.
>> During make load I get the error
>>
>> security: context system_u:system_r:iptables_t is invalid
>
>
> iptables_t needs to be added to the allowed set of types
> for the system_r role. this can be done in policy/rbac or
> it can be added to iptables.te (i prefer the latter since
> it makes the .te file relatively self-contained, but at the
> expense of not having all the allowed types for a given
> role in one place to look at; tastes may vary).
>
>> the during the command iptables -t nat -L
>> I get the errors
>> avc: denied { create } for pid=9757 exe=/sbin/iptables
>> scontext=root:sysadmin_r:sysadmin_t tcontext=root_u:sysadm_r:sysadm_t
>> tclass=rawip_socket avc: denied { getopt } for pid=9757
>> exe=/sbin/iptables scontext=root:sysadmin_r:sysadmin_t
>> tcontext=root_u:sysadm_r:sysadm_t tclass=rawip_socket
>
>
> there is no rule to change the domain of the process when
> iptables is run in the system administrator role (nor does
> there seem to be domain transition rule for when ipchains
> is run by init). this could be added in policy/domains/admin/sysadm.te
> or in iptables.te (similarly, a domain transition rule could be added
> to policy/domains/system/initrc.te or to iptables.te).
>
> -paul
>
>



[-- Attachment #2: iptables.te --]
[-- Type: text/plain, Size: 1308 bytes --]

#
# Authors:  Justin Smith <jsmith@mcs.drexel.edu>
#

# add iptables_t to system_r (from rbac)
role system_r types iptables_t;

# add iptable_t o sysadm_r (from rbac)
role sysadm_r types iptables_t;

# allow the admin to enter iptables_t domain (from sysadm.te)
domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)
# allow output (from sysadm.te)
allow iptables_t sysadm_tty_device_t:chr_file rw_file_perms;
allow iptables_t sysadm_devpts_t:chr_file rw_file_perms;
allow iptables_t sysadm_gph_t:fd inherit_fd_perms;
 
#
# Rules for the iptables_t domain.
#
type iptables_t, domain, privlog;
type iptables_exec_t, file_type, sysadmfile, exec_type;
type iptables_var_run_t, file_type, sysadmfile, pidfile;

# run insmod and ifconfig with new domain
domain_auto_trans(iptables_t, insmod_exec_t, insmod_t)
domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)

# set pid files ( hold over from ipchains)
file_type_auto_trans(iptables_t, var_run_t, iptables_var_run_t)

# Inherit and use descriptors from init.
allow iptables_t init_t:fd inherit_fd_perms;

allow iptables_t bin_t:file { execute execute_no_trans };
allow iptables_t iptables_exec_t:file { execute_no_trans };
allow iptables_t iptables_t:capability { net_admin net_raw };
allow iptables_t iptables_t:rawip_socket { create setopt getopt };

Re: iptables.te errors

[Stephen Smalley]

On Sun, 16 Dec 2001, Shaun Savage wrote:

> I have a iptables.te with some documentation.

Thanks for contributing.  However, I was wondering if the additional
permissions that you've defined should be merged back into the ipchains_t
domain, and that domain could be used for both programs.  Is there any
real reason to maintain separate domains for the two programs?

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: iptables.te errors

[Shaun Savage]

>
>
>>I have a iptables.te with some documentation.
>>
>
>Thanks for contributing.  However, I was wondering if the additional
>permissions that you've defined should be merged back into the ipchains_t
>domain, and that domain could be used for both programs.  Is there any
>real reason to maintain separate domains for the two programs?
>
>
I wanted try a simple example of a new policy.  I wanted to try to find 
all the hooks in other te's that needed to be added.
It was a learning process, and I hope to help selinux.

I have a K-12 school district that wants a secure base platform.  I hope 
to create a educational=RH+selinux-(most).

Shaun savage



--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: iptables.te errors

[Stephen Smalley]

On Sun, 16 Dec 2001, Shaun Savage wrote:

> HI
> I am having a hard time with getting courier to work that I decided to
> try somwthing easier. iptables. Attached is the te file that I am using.

It looks like you used the ipchains_t domain as your starting point.
Is there any reason why iptables needs its own domain (i.e. does it need
significantly different permissions from ipchains)?  If not, you should
just label iptables with the ipchains_exec_t type and use the existing
ipchains_t domain.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.