From: Christian Kuester <c.kuester@tarent.de>
To: selinux@tycho.nsa.gov
Subject: Adding local nodecon's through semanage
Date: Thu, 03 Jul 2008 15:47:58 +0200
Message-ID: <486CD88E.2000406@tarent.de>
Hi List,

I had a small conversation with Stephen Smalley on the fedora-selinux-list about an easy way to add (local) nodecons on an SELinux-enabled system. As this is not implemented in semanage yet, he gave me the advice to revive a discussion[1] on this list from 2006. It began because a patch against semanage was posted which enabled nodecon support. It seems that the patch never got committed because it didn't work as expected.

I am writing because I would like to know if there's any chance to get that fully working. I played around with the patch and I could set labels on nodes, and my SELinux seems to respect these settings, f.i.:

# semanage node -t blacknetwork_node_t -a -p 0 -M 255.255.255.255 192.168.100.54
$ ./socat -u TCP4-LISTEN:5555,bind=192.168.100.54,reuseaddr,fork -
...
type=AVC msg=audit(1215085777.002:689775728): avc: denied { node_bind } for pid=26627 comm="socat" saddr=192.168.100.54 src=5555 scontext=user_u:user_r:exe_t:s0 tcontext=system_u:object_r:blacknetwork_node_t:s0 tclass=tcp_socket

So, this seems to work. But I ran into problems when I told semanage about the *actual* netmask of this node, which is 255.255.255.0. The tcontext string switched from "blacknetwork_node_t" to the generic "node_t".

Kind regards,
Chris

[1] http://www.nsa.gov/selinux/list-archive/0609/16754.cfm
--
tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
Heilsbachstr. 24, 53123 Bonn | Poststr. 4-5, 10178 Berlin
fon: +49(228) / 52675-0 | fon: +49(30) / 27594853
fax: +49(228) / 52675-25 | fax: +49(30) / 78709617
Geschäftsführer
Boris Esser, Elmar Geese
HRB AG Bonn 5168
Ust-ID: DE122264941
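An added example, not part of the mail above or of the semanage patch it refers to: the kernel's IPv4 nodecon lookup keeps the stored node address as given and compares it with the packet address ANDed with the nodecon mask. The script below mirrors that comparison on constructed entries built from the addresses in the mail, so one can see why a node entered as 192.168.100.54/255.255.255.0 falls back to node_t while the same address with a host mask, or the network address 192.168.100.0 with the /24 mask, labels correctly; the helper names are this example's own.

```python
import ipaddress
from typing import List, Tuple

# A nodecon as (address, netmask, type). All entries below are constructed
# for this example from the addresses quoted in the mail.
NodeCon = Tuple[str, str, str]


def _u32(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def lookup_node_type(addr: str, nodecons: List[NodeCon], default: str = "node_t") -> str:
    """Return the node type for addr, walking nodecons in order.

    Mirrors the kernel's IPv4 test: stored_addr == (addr & mask).
    The stored address is deliberately NOT masked here, just as the kernel
    uses it verbatim from policy; an unmasked host address therefore never
    matches and the generic default type is returned.
    """
    a = _u32(addr)
    for node_addr, mask, node_type in nodecons:
        if _u32(node_addr) == (a & _u32(mask)):
            return node_type
    return default


def unreachable_nodecons(nodecons: List[NodeCon]) -> List[NodeCon]:
    """Sanity check for a local nodecon table.

    Flags entries whose address has bits set outside their own mask: such an
    entry can never satisfy stored_addr == (addr & mask) for any packet
    address, which is exactly the silent fallback to node_t seen above.
    """
    return [nc for nc in nodecons if _u32(nc[0]) & _u32(nc[1]) != _u32(nc[0])]


# Constructed tables: the two attempts from the mail plus the network form.
HOST_ONLY = [("192.168.100.54", "255.255.255.255", "blacknetwork_node_t")]
AS_ENTERED = [("192.168.100.54", "255.255.255.0", "blacknetwork_node_t")]
NETWORK_FORM = [("192.168.100.0", "255.255.255.0", "blacknetwork_node_t")]

if __name__ == "__main__":
    for name, table in (("host-only", HOST_ONLY), ("as entered", AS_ENTERED),
                        ("network form", NETWORK_FORM)):
        print(name, lookup_node_type("192.168.100.54", table),
              "unreachable:", unreachable_nodecons(table))
```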