* semanage
From: Ralph Blach @ 2010-07-28 0:20 UTC
To: selinux

How do I use semanage to list the policy modules?

Thanks
Chip

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: semanage
From: Jason Axelson @ 2010-07-28 0:29 UTC
To: Ralph Blach; +Cc: selinux

On Tue, Jul 27, 2010 at 2:20 PM, Ralph Blach <chipper19522@gmail.com> wrote:
> how do I use semanage to list the policy modules.

Hi Chip,

Perhaps you are looking for "semodule -l"? That will list out all the
installed policy modules (besides base).

Jason
* Re: semanage
From: Ralph Blach @ 2010-08-01 15:35 UTC
To: Jason Axelson; +Cc: selinux

Thanks for the hint. Now how do I find out which policies contain which ports?

Thanks
Chip

On 07/27/2010 08:29 PM, Jason Axelson wrote:
> Perhaps you are looking for "semodule -l"? That will list out all the
> installed policy modules (besides base).
* Re: semanage
From: Ralph Blach @ 2010-08-01 15:43 UTC
To: Jason Axelson; +Cc: selinux

I have discovered that ports 443 and 22 are in module tcp.

How do I rewrite module tcp so that I can configure it as I want?

Where do I find module tcp?

I did a "semanage port -l | grep 22" and module tcp was listed.
I did the same for port 443.

Thanks
Chip

On 07/27/2010 08:29 PM, Jason Axelson wrote:
> Perhaps you are looking for "semodule -l"? That will list out all the
> installed policy modules (besides base).
* Re: semanage
From: Dominick Grift @ 2010-08-01 16:02 UTC
To: 'selinux@tycho.nsa.gov'

On 08/01/2010 05:43 PM, Ralph Blach wrote:
> I have discovered that ports 443 and 22 are in module tcp.
>
> How do i rewrite module tcp so that I can configure as I want it.
>
> Where do I find module tcp?
>
> I did a semanage port -l | grep 22 and module tcp was listed.
> I did the same for port 443

Ports are declared (defined) in the corenetwork module. This module is
part of the base module. Modules that are part of the base module are
not listed with semodule -l.

What exactly do you want to achieve? If you are specific about your
requirements we can try to help you implement it.
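The question above, which port types a given port belongs to, is answered by "semanage port -l", but piping it through "grep 22" also matches 122, 2222 and any range containing those digits, and it never matches a port that is only covered by a range such as 1024-65535. The POSIX shell function below is an added example, not code from anyone in this thread: it parses the three-column layout that "semanage port -l" prints (type, protocol, comma-separated ports or a lo-hi range) and compares numerically. The sample output is constructed inline so the script runs offline; on a real host the same awk program reads the live command instead.

```shell
#!/bin/sh
# Added example, not from the thread: map a port number to the SELinux port
# type(s) whose definition covers it, using numeric range checks instead of grep.

# Constructed sample of "semanage port -l" output (not captured from a real host).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-65535
xserver_port_t                 tcp      6000-6020
syslogd_port_t                 udp      514'

# port_types PROTO PORT: print every port type whose list or range contains
# PORT, one per line, in the order semanage lists them. Reads $SAMPLE_PORTS;
# on a real host replace the printf with "semanage port -l".
port_types() {
    printf '%s\n' "$SAMPLE_PORTS" | awk -v proto="$1" -v port="$2" '
        NR == 1 || NF < 3 { next }           # header line and blank lines
        $2 != proto       { next }           # other protocol
        {
            # fields 3..NF are the port list: "80," "81," ... or a range "1024-65535"
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)
                n  = split(p, r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}
```

A port can legitimately come back under more than one type when a catch-all range such as unreserved_port_t is present (8443 in the sample is listed under http_port_t and falls inside 1024-65535), which is exactly the overlap a single grep hides.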
* Re: semanage
From: Ralph Blach @ 2010-08-01 16:22 UTC
To: Dominick Grift; +Cc: 'selinux@tycho.nsa.gov'

To be specific, I want to run sshd on port 443, and not port 22, because
all the hackers probe port 22.

Port 443 looks like httpd traffic and therefore is not really suspicious.

That is what I need to achieve, so I need to modify the corenetwork
module to do this.

How is this done, and where is the source for the core network module?

Thanks
Chip

On 08/01/2010 12:02 PM, Dominick Grift wrote:
> ports are declared (defined) in the corenetwork module. This module is
> part of the base module. modules that are part of the base module are
> not listed with semodule -l.
>
> What exactly do you want to achieve? If you are specific about your
> requirements we can try to help you implement it.
* Re: semanage
From: Dominick Grift @ 2010-08-01 16:35 UTC
To: 'selinux@tycho.nsa.gov'

On 08/01/2010 06:22 PM, Ralph Blach wrote:
> To be specific, I want to run sshd on port 443, and not port 22, because
> of all the hackers probe port 22.
>
> port 443 looks like httpd traffic and therefore is not really supicious.
>
> That is what I need to achieve so i need to modify the corenetwork
> module to do this.
>
> How is this done and where is the source for the core network module?

Try this:

mkdir ~/mysshd; cd ~/mysshd;

cat <<D_G >mysshd.te
policy_module(mysshd, 1.0.0)
gen_require(`
    type shorewall_t;
')
corenet_tcp_bind_http_ports(sshd_t)
D_G

That custom policy module should allow sshd to bind tcp sockets to http
ports (including tcp:443).

You can find source policy in the source package for your policy.

Here is the policy browser from upstream:
http://oss.tresys.com/projects/refpolicy/browser
* Re: semanage
From: Dominick Grift @ 2010-08-01 16:41 UTC
To: 'selinux@tycho.nsa.gov'

On 08/01/2010 06:35 PM, Dominick Grift wrote:
> Try this:
>
> mkdir ~/mysshd; cd ~/mysshd;
>
> cat <<D_G >mysshd.te
> policy_module(mysshd, 1.0.0)
> gen_require(`
>     type shorewall_t;
> ')
> corenet_tcp_bind_http_ports(sshd_t)
> D_G
>
> That custom policy module should allow sshd to bind tcp sockets to http
> ports (including tcp:443)

Of course you also have to build and install the custom module.
(Below is how that is done in Fedora; RHEL5 requires that you also
install selinux-policy-devel to build a module.)

make -f /usr/share/selinux/devel/Makefile mysshd.pp
sudo semodule -i mysshd.pp
* Re: semanage
From: Dominick Grift @ 2010-08-01 16:43 UTC
To: 'selinux@tycho.nsa.gov'

On 08/01/2010 06:41 PM, Dominick Grift wrote:
> On 08/01/2010 06:35 PM, Dominick Grift wrote:
>> cat <<D_G >mysshd.te
>> policy_module(mysshd, 1.0.0)
>> gen_require(`
>>     type shorewall_t;

And this needs to be ..

    type sshd_t;

.. instead

>> ')
>> corenet_tcp_bind_http_ports(sshd_t)
>> D_G
>>
>> That custom policy module should allow sshd to bind tcp sockets to http
>> ports (including tcp:443)
>
> Ofcourse you also have to build and install the custom module:
>
> make -f /usr/share/selinux/devel/Makefile mysshd.pp
> sudo semodule -i mysshd.pp
* Re: semanage (Thanks all)
From: Ralph Blach @ 2010-08-01 17:44 UTC
To: Dominick Grift; +Cc: 'selinux@tycho.nsa.gov'

Thanks all.

If I have any problems I will repost.

Chip

On 08/01/2010 12:43 PM, Dominick Grift wrote:
>>>     type shorewall_t;
>
> And this needs to be ..
>
>     type sshd_t;
>
> .. instead
* Re: semanage (Thanks all)
From: Dominick Grift @ 2010-08-01 19:59 UTC
To: Ralph Blach; +Cc: 'selinux@tycho.nsa.gov'

On 08/01/2010 07:44 PM, Ralph Blach wrote:
> Thanks all
>
> If I have any problems I will repost.

I might have made some small syntax errors, like

corenet_tcp_bind_http_ports(sshd_t)

vs.

corenet_tcp_bind_http_port(sshd_t)

But you can just as easily use audit2allow to generate a module to allow it.

Also use the policy browser URL to reference some of the available macros.

And of course if any issues, let us know.
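Both corrections in the thread so far (the gen_require block naming shorewall_t while the rule names sshd_t, and the _ports/_port spelling of the interface) are things that only surface once make or semodule complains. The POSIX shell functions below are an added example, not Dominick's code or refpolicy's: write_te writes the corrected mysshd.te using the singular corenet_tcp_bind_http_port name mentioned above, and te_types_consistent is a small lint, written for this example, that checks every *_t identifier used in the module is declared or required in it, so the shorewall_t/sshd_t mismatch is reported before the build step. Building and installing stays exactly the make and semodule sequence the thread gives.

```shell
#!/bin/sh
# Added example, not from the thread: write the corrected module and lint it
# before building it with the Makefile and semodule commands from the thread.

# write_te DIR: write mysshd.te into DIR. The require block names sshd_t, the
# same type the interface call uses (the thread's first draft said shorewall_t).
write_te() {
    cat <<'D_G' > "$1/mysshd.te"
policy_module(mysshd, 1.0.0)

gen_require(`
    type sshd_t;
')

# let sshd_t bind TCP sockets to http_port_t (tcp 443 among them)
corenet_tcp_bind_http_port(sshd_t)
D_G
}

# te_types_consistent FILE: return 0 when every *_t identifier used in an
# interface call or rule is declared ("type x_t;") somewhere in FILE, which
# covers both a gen_require block and a local declaration. Otherwise print the
# missing types and return 1. Comments are stripped first so a type named only
# in a comment is not counted as used.
te_types_consistent() {
    file="$1"
    declared=$(sed -n 's/^[[:space:]]*type[[:space:]]*\([A-Za-z0-9_]*\);.*/\1/p' "$file")
    used=$(sed 's/#.*//' "$file" \
        | grep -v '^[[:space:]]*type[[:space:]]' \
        | tr -c 'A-Za-z0-9_' '\n' \
        | grep '_t$' \
        | sort -u)
    status=0
    for t in $used; do
        case " $(printf '%s ' $declared)" in
            *" $t "*) ;;
            *) echo "$file: $t is used but not declared or required"; status=1 ;;
        esac
    done
    return $status
}

# Once the lint passes, build and install as the thread describes
# (RHEL5 needs selinux-policy-devel installed first):
#   make -f /usr/share/selinux/devel/Makefile mysshd.pp
#   sudo semodule -i mysshd.pp
```

Typical use is "write_te ~/mysshd && te_types_consistent ~/mysshd/mysshd.te" followed by the make line; the lint deliberately does not validate interface names, which only the policy headers on the build host can confirm, so a mistyped corenet_* name is still caught by make rather than here.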
* Re: semanage
From: Ralph Blach @ 2010-08-01 21:06 UTC
To: Dominick Grift; +Cc: 'selinux@tycho.nsa.gov'

Ok, you said

cat <<D_G >mysshd.te

Is D_G a file someplace?

Thanks
Chip

On 08/01/2010 12:43 PM, Dominick Grift wrote:
>>> cat <<D_G >mysshd.te
>>> policy_module(mysshd, 1.0.0)
>>> gen_require(`
>>>     type shorewall_t;
>
> And this needs to be ..
>
>     type sshd_t;
>
> .. instead
>
>>> ')
>>> corenet_tcp_bind_http_ports(sshd_t)
>>> D_G
* Re: semanage
  2010-08-01 21:06 ` semanage Ralph Blach
@ 2010-08-01 21:11 ` Dominick Grift
  2010-08-01 23:06   ` semanage Ralph Blach
  0 siblings, 1 reply; 14+ messages in thread
From: Dominick Grift @ 2010-08-01 21:11 UTC (permalink / raw)
To: Ralph Blach; +Cc: 'selinux@tycho.nsa.gov'

On 08/01/2010 11:06 PM, Ralph Blach wrote:
> Ok, you said
>
> cat <<D_G >mysshd.te
>
> is D_G a file someplace?

No, it is a way to echo multiple lines into a file (mysshd.te).

You could also:

mkdir ~/mysshd; cd ~/mysshd;
echo "policy_module(mysshd, 1.0.0)" > mysshd.te;
echo "gen_require(\`" >> mysshd.te;
echo "type sshd_t;" >> mysshd.te;
echo "')" >> mysshd.te;
echo "corenet_tcp_bind_http_port(sshd_t)" >> mysshd.te;
make -f /usr/share/selinux/devel/Makefile mysshd.pp
sudo semodule -i mysshd.pp

> Thanks
>
> Chip
>
>
> On 08/01/2010 12:43 PM, Dominick Grift wrote:
>> On 08/01/2010 06:41 PM, Dominick Grift wrote:
>>> On 08/01/2010 06:35 PM, Dominick Grift wrote:
>>>> On 08/01/2010 06:22 PM, Ralph Blach wrote:
>>>>> To be specific, I want to run sshd on port 443, and not port 22, because
>>>>> all the hackers probe port 22.
>>>>>
>>>>> Port 443 looks like httpd traffic and therefore is not really suspicious.
>>>>>
>>>>> That is what I need to achieve, so I need to modify the corenetwork
>>>>> module to do this.
>>>>>
>>>>> How is this done and where is the source for the core network module?
>>>>
>>>> Try this:
>>>>
>>>> mkdir ~/mysshd; cd ~/mysshd;
>>>>
>>>> cat <<D_G >mysshd.te
>>>> policy_module(mysshd, 1.0.0)
>>>> gen_require(`
>
>>>> type shorewall_t;
>
>> And this needs to be ..
>
>> type sshd_t;
>
>> .. instead
>
>>>> ')
>>>> corenet_tcp_bind_http_port(sshd_t)
>>>> D_G
>>>>
>>>> That custom policy module should allow sshd to bind tcp sockets to http
>>>> ports (including tcp:443).
>>>
>>> Of course you also have to build and install the custom module:
>>>
>>> (below is how that is done in Fedora; RHEL5 requires that you also
>>> install selinux-policy-devel to build a module)
>>>
>>> make -f /usr/share/selinux/devel/Makefile mysshd.pp
>>> sudo semodule -i mysshd.pp
>>>
>>>
>>>>
>>>> You can find source policy in the source package for your policy.
>>>>
>>>> Here is the policy browser from upstream:
>>>> http://oss.tresys.com/projects/refpolicy/browser
>>>>
>>>>
>>>>> Thanks
>>>>>
>>>>> Chip
>>>>>
>>>>>
>>>>>
>>>>> On 08/01/2010 12:02 PM, Dominick Grift wrote:
>>>>>> On 08/01/2010 05:43 PM, Ralph Blach wrote:
>>>>>>> I have discovered that ports 443 and 22 are in module tcp.
>>>>>>>
>>>>>>> How do I rewrite module tcp so that I can configure it as I want?
>>>>>>>
>>>>>>> Where do I find module tcp?
>>>>>>>
>>>>>>> I did a semanage port -l | grep 22 and module tcp was listed.
>>>>>>> I did the same for port 443.
>>>>>>>
>>>>>>> Thanks
>>>>>
>>>>>> Ports are declared (defined) in the corenetwork module. This module is
>>>>>> part of the base module. Modules that are part of the base module are
>>>>>> not listed with semodule -l.
>>>>>
>>>>>> What exactly do you want to achieve? If you are specific about your
>>>>>> requirements we can try to help you implement it.
>>>>>
>>>>>>> Chip
>>>>>>>
>>>>>>> On 07/27/2010 08:29 PM, Jason Axelson wrote:
>>>>>>>> On Tue, Jul 27, 2010 at 2:20 PM, Ralph Blach <chipper19522@gmail.com> wrote:
>>>>>>>>> how do I use semanage to list the policy modules.
>>>>>>>
>>>>>>>> Hi Chip,
>>>>>>>
>>>>>>>> Perhaps you are looking for "semodule -l"? That will list out all the
>>>>>>>> installed policy modules (besides base).
>>>>>>>
>>>>>>>> Jason
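The module build walked through above, as an added example that is not Dominick's own commands: it generates mysshd.te with a quoted heredoc (an unquoted delimiter lets the shell treat the backtick in gen_require(` as the start of a command substitution), checks the generated source, and only runs make/semodule when the Fedora devel Makefile from the thread is present. The function names and the check are this example's own.

```shell
#!/bin/sh
# Added example, not code from the selinux list thread.

# Write the policy source into the directory given as $1.
# The delimiter is quoted ('D_G') so the heredoc body is taken literally.
write_mysshd_te() {
    mkdir -p "$1"
    cat <<'D_G' >"$1/mysshd.te"
policy_module(mysshd, 1.0.0)

gen_require(`
    type sshd_t;
')

# Lets sshd bind TCP sockets to every port labelled http_port_t
# (refpolicy's http ports, 443 among them), not just 443 alone.
corenet_tcp_bind_http_port(sshd_t)
D_G
}

# Return 0 when the generated source contains each required piece.
check_mysshd_te() {
    f="$1/mysshd.te"
    grep -q '^policy_module(mysshd, 1.0.0)$' "$f" &&
    grep -q '^gen_require(`$' "$f" &&
    grep -q 'type sshd_t;' "$f" &&
    grep -q '^corenet_tcp_bind_http_port(sshd_t)$' "$f"
}

# Build mysshd.pp and load it. Returns 2 when the devel Makefile is
# missing (selinux-policy-devel not installed), 1 on a build/load failure.
build_and_install_mysshd() {
    mk=/usr/share/selinux/devel/Makefile
    [ -f "$mk" ] || { echo "missing $mk; install selinux-policy-devel" >&2; return 2; }
    ( cd "$1" && make -f "$mk" mysshd.pp ) || return 1
    sudo semodule -i "$1/mysshd.pp" || return 1
    # Afterwards 'semodule -l | grep mysshd' lists the module and
    # 'semanage port -l | grep http_port_t' shows the ports sshd may now bind.
}
```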
* Re: semanage
  2010-08-01 21:11 ` semanage Dominick Grift
@ 2010-08-01 23:06   ` Ralph Blach
  0 siblings, 0 replies; 14+ messages in thread
From: Ralph Blach @ 2010-08-01 23:06 UTC (permalink / raw)
To: Dominick Grift; +Cc: 'selinux@tycho.nsa.gov'

On 08/01/2010 05:11 PM, Dominick Grift wrote:
> -i mysshd.pp

worked like a champ, but a little explanation of what the module really does would be nice.

Thanks

Chip
end of thread, other threads:[~2010-08-01 23:06 UTC | newest]

Thread overview: 14+ messages
2010-07-28  0:20 semanage Ralph Blach
2010-07-28  0:29 ` semanage Jason Axelson
2010-08-01 15:35   ` semanage Ralph Blach
2010-08-01 15:43   ` semanage Ralph Blach
2010-08-01 16:02     ` semanage Dominick Grift
2010-08-01 16:22       ` semanage Ralph Blach
2010-08-01 16:35         ` semanage Dominick Grift
2010-08-01 16:41           ` semanage Dominick Grift
2010-08-01 16:43             ` semanage Dominick Grift
2010-08-01 17:44               ` semanage (Thanks all) Ralph Blach
2010-08-01 19:59                 ` Dominick Grift
2010-08-01 21:06                   ` semanage Ralph Blach
2010-08-01 21:11                     ` semanage Dominick Grift
2010-08-01 23:06                       ` semanage Ralph Blach