* ROUTE
From: Brent Clark @ 2008-02-05 10:14 UTC (permalink / raw)
To: netfilter
Hi all
It's been a while since I have been on this list; I trust everyone is
good and well.
I need to compile the 2.6.24 kernel, but with POM's ROUTE.
I'm seeing that ROUTE is not in the latest POM.
If I may ask, is there a reason for this, or is there a better way to
route traffic out of a different interface?
If anyone could assist, thanks in advance.
Regards
Brent Clark
* RE: ROUTE
From: Rob Sterenborg @ 2008-02-05 11:41 UTC (permalink / raw)
To: netfilter
> It's been a while since I have been on this list; I trust everyone is
> good and well.
>
> I need to compile the 2.6.24 kernel, but with POM's ROUTE.
>
> I'm seeing that ROUTE is not in the latest POM.
>
> If I may ask, is there a reason for this, or is there a better way to
> route traffic out of a different interface?
The module was removed some time ago and although I don't know the exact
reason, I can imagine it has to do with maintaining it, but of course
there could be another reason.
http://www.gossamer-threads.com/lists/iptables/devel/68781
You could mark the packets and route them using iproute2, but I don't
know if that would satisfy your needs. Or, if it's of use for you,
check out the TEE target.
http://www.spinics.net/lists/netfilter/msg42319.html
http://dev.computergmbh.de/wsvn/misc_kernel/xt_TEE/
Grts,
Rob
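The "mark the packets and route them using iproute2" approach Rob suggests, as a worked script. This is an added example and not code from the thread; the interface name, gateway address, mark value and table number are assumptions, and by default the script only prints the commands (set RUN= and run as root to apply them):

```shell
#!/bin/sh
# Steer selected traffic out a second interface with an fwmark and a
# dedicated routing table (iptables MARK + iproute2 rule/table), the
# replacement for the old POM ROUTE target. Added example, not from the
# original thread. The values below are assumptions; edit for your box.
set -eu

WAN2_IF="${WAN2_IF:-eth1}"        # second uplink (assumed)
WAN2_GW="${WAN2_GW:-192.0.2.1}"   # its next hop (assumed, TEST-NET-1 address)
MARK="${MARK:-0x1}"               # fwmark value used for this policy
TABLE="${TABLE:-100}"             # routing table id (assumed; 1-252 are free)
RUN="${RUN:-echo}"                # dry run by default; RUN= executes as root

# Emit (or run) the rules. Locally generated packets are marked in mangle
# OUTPUT; forwarded packets would be marked in mangle PREROUTING instead.
policy_route_setup() {
    # 1. Mark the traffic to be steered: here, outbound SMTP from this host.
    $RUN iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark "$MARK"
    # 2. Marked packets consult a table whose default route points at WAN2.
    $RUN ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table "$TABLE"
    $RUN ip rule add fwmark "$MARK" table "$TABLE" priority 1000
    # 3. The source address was chosen before the mark existed, so without
    #    this the packets leave WAN2 carrying WAN1's address and the replies
    #    come back the wrong way (or are dropped by rp_filter on entry).
    $RUN iptables -t nat -A POSTROUTING -o "$WAN2_IF" -j MASQUERADE
    # 4. Older kernels cache routing decisions; flush so the rule takes effect.
    $RUN ip route flush cache
}

# Tear down in reverse order so marked traffic is never routed through a
# table that no longer has a default route.
policy_route_teardown() {
    $RUN ip rule del fwmark "$MARK" table "$TABLE" priority 1000
    $RUN ip route flush table "$TABLE"
    $RUN iptables -t nat -D POSTROUTING -o "$WAN2_IF" -j MASQUERADE
    $RUN iptables -t mangle -D OUTPUT -p tcp --dport 25 -j MARK --set-mark "$MARK"
}

case "${1:-show}" in
    apply)  RUN="" policy_route_setup ;;
    remove) RUN="" policy_route_teardown ;;
    *)      policy_route_setup ;;          # dry run: print the commands
esac
```

After applying, check the result with `ip rule show`, `ip route show table 100` and `iptables -t mangle -L OUTPUT -v -n` (the packet counters on the MARK rule tell you whether anything is actually being matched). The MASQUERADE step is the one people forget: marking in OUTPUT does reroute the packet, but the socket's source address was already bound to the first uplink, so without NAT on the way out the traffic is asymmetric.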
* Re: ROUTE
From: Brent Clark @ 2008-02-05 12:38 UTC (permalink / raw)
To: netfilter
Rob Sterenborg wrote:
>
> The module is removed some time ago and although I don't know the exact
> reason, I can imagine it has to do with maintaining it but of course
> there could be another reason.
> http://www.gossamer-threads.com/lists/iptables/devel/68781
>
> You could mark the packets and route them using iproute2, but I don't
> know if that would satisfy your needs. Or, if it's of use for you,
> checkout the TEE target.
> http://www.spinics.net/lists/netfilter/msg42319.html
> http://dev.computergmbh.de/wsvn/misc_kernel/xt_TEE/
>
Thank you for your reply.
Most odd / coincidental.
root@zion:/usr/src/patch-o-matic-ng-20080130# ./runme --download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE <- And here it is.
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Hey! KERNEL_DIR is not set.
But I still want to try your advised route. Will be fun.
Thanks again.
Brent Clark
* RE: ROUTE
From: Rob Sterenborg @ 2008-02-05 12:51 UTC (permalink / raw)
To: netfilter
> Most odd / coincidental.
>
> root@zion:/usr/src/patch-o-matic-ng-20080130# ./runme --download
> Successfully downloaded external patch geoip
> Successfully downloaded external patch condition
> Successfully downloaded external patch IPMARK
> Successfully downloaded external patch ROUTE <- And here it is.
Yes, but it won't work if your kernel is recent: when pom-ng starts, you
will not be asked to patch the kernel for ROUTE.
> Successfully downloaded external patch connlimit
> Successfully downloaded external patch ipp2p
> Successfully downloaded external patch time
> ./patchlets/ipv4options exists and is not external
> ./patchlets/TARPIT exists and is not external
> Successfully downloaded external patch ACCOUNT
> Successfully downloaded external patch pknock
> Hey! KERNEL_DIR is not set.
Try:
IPTABLES_DIR="/path/to/iptables-source" \
KERNEL_DIR="/path/to/kernel-source" \
./runme --download
> But i still want to try your advised route. Will be fun.
Good luck. :-)
Grts,
Rob
* route
From: Carsten Grohmann @ 2002-09-04 17:27 UTC (permalink / raw)
To: SELinux
Hi!
Attached is the rule set for the route_t domain.
I am glad if anybody uses it.
Carsten
[-- Attachment #2: route.te --]
#
# This policy is for route
#
# Author : Carsten Grohmann <carstengrohmann@gmx.de>
#
# $Id$
#
# License : GPL
#
# Last change: 04. September 2002
#
# State : complete and tested
#
# Tested versions:
# - SuSE 7.3
#
# Hints :
# -
#
# Changes :
# -
#
# Enhancements/Corrections:
# -
# General declarations
######################
type route_t, domain;
role system_r types route_t;
role sysadm_r types route_t;
# type for the route executable
type route_exec_t, file_type, sysadmfile, exec_type;
# type for route configuration file ( /etc/route.conf )
type etc_route_t, file_type, sysadmfile;
file_type_auto_trans(route_t, etc_t, etc_route_t)
domain_auto_trans(initrc_t, route_exec_t, route_t)
type_transition init_t route_exec_t:process route_t;
domain_auto_trans(sysadm_t, route_exec_t, route_t)
# File permissions
##################
# Allow access to proc_t
allow route_t proc_t:dir { search };
allow route_t proc_t:file { getattr read };
# Allow access to sysadm_tty_device_t
allow route_t sysadm_tty_device_t:chr_file { getattr ioctl read write };
# Process permissions
#####################
# Allow to use shared libraries
uses_shlib(route_t)
allow route_t self:capability { net_admin };
# Allow process and network communication
#########################################
allow route_t local_login_t:fd { use };
allow route_t self:udp_socket { create ioctl };
# Settings to allow initrc_t access to etc_route_t
ifdef(`initrc.te', `allow initrc_t etc_route_t:file { ioctl read }; ')
[-- Attachment #3: route.fc --]
#
# Author: Carsten Grohmann <carstengrohmann@gmx.de>
#
# $Id$
#
# settings for route
####################
/sbin/route system_u:object_r:route_exec_t
/etc/route.conf system_u:object_r:etc_route_t
* Re: route
From: Russell Coker @ 2002-09-05 12:47 UTC (permalink / raw)
To: Carsten Grohmann, SELinux
On Wed, 4 Sep 2002 19:27, Carsten Grohmann wrote:
> Attached is the rule set for the route_t domain.
> I am glad if anybody uses it.
What problem does this solve? Why is it that route can't just be run in the
context of the program that called it?
The kernel source comments suggest that net_admin capability is needed for
changing routes, but sysadm_t doesn't have that and can still change routes.
It seems that you're not giving route_t any other access than net_admin...
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: route
From: Carsten Grohmann @ 2002-09-05 19:13 UTC (permalink / raw)
To: Russell Coker, SELinux
On Thursday, 5 September 2002 14:47, Russell Coker wrote:
> On Wed, 4 Sep 2002 19:27, Carsten Grohmann wrote:
> > attached is the rule set for the route_t domain.
> > I am glad if anybody use it.
>
> What problem does this solve? Why is it that route can't just be run in
> the context of the program that called it?
I use it in the rules for the ipppd_t domain. That way ipppd_t doesn't need
access to execute all sbin_t programs.
Or do you think this is not necessary?
* Re: route
From: Russell Coker @ 2002-09-06 9:50 UTC (permalink / raw)
To: Carsten Grohmann, SELinux
On Thu, 5 Sep 2002 21:13, Carsten Grohmann wrote:
> On Thursday, 5 September 2002 14:47, Russell Coker wrote:
> > On Wed, 4 Sep 2002 19:27, Carsten Grohmann wrote:
> > > attached is the rule set for the route_t domain.
> > > I am glad if anybody use it.
> >
> > What problem does this solve? Why is it that route can't just be run in
> > the context of the program that called it?
>
> I use it in the rules for the ipppd_t domain. That way ipppd_t doesn't need
> access to execute all sbin_t programs.
> Or do you think this is not necessary?
Why do you need a separate ipppd_t domain? Surely the best thing would be to
just give pppd_t access to the ISDN devices...
pppd_t can execute sbin_t binaries, this is needed for ip-up scripts...
I think it would be a better solution to have ipppd run in the pppd_t domain
and to allow it to run /sbin/route in the pppd_t domain as well.
One problem with creating lots of domains is that it makes the policy more
complex, more difficult to audit, and more difficult for new users to manage
(which will decrease the popularity of SE Linux). I try and avoid creating a
new domain unless there is a clear well defined security benefit.