On 08/01/2010 07:44 PM, Ralph Blach wrote:
> Thanks all
>
> If I have any problems I will repost.

I might have made some small syntax errors like
corenet_tcp_bind_http_ports(sshd_t) vs. corenet_tcp_bind_http_port(sshd_t)

But you can just as easily use audit2allow to generate a module to allow
it. Also use the policy browser url to reference some of the available
macros.

And of course if any issues, let us know.

> Chip
>
> On 08/01/2010 12:43 PM, Dominick Grift wrote:
>> On 08/01/2010 06:41 PM, Dominick Grift wrote:
>>> On 08/01/2010 06:35 PM, Dominick Grift wrote:
>>>> On 08/01/2010 06:22 PM, Ralph Blach wrote:
>>>>> To be specific, I want to run sshd on port 443, and not port 22, because
>>>>> of all the hackers probe port 22.
>>>>>
>>>>> Port 443 looks like httpd traffic and therefore is not really suspicious.
>>>>>
>>>>> That is what I need to achieve so I need to modify the corenetwork
>>>>> module to do this.
>>>>>
>>>>> How is this done and where is the source for the core network module?
>>>>
>>>> Try this:
>>>>
>>>> mkdir ~/mysshd; cd ~/mysshd;
>>>>
>>>> cat > mysshd.te <<'D_G'
>>>> policy_module(mysshd, 1.0.0)
>>>> gen_require(`
>>>> type shorewall_t;
>>
>> And this needs to be ..
>>
>> type sshd_t;
>>
>> .. instead
>>
>>>> ')
>>>> corenet_tcp_bind_http_ports(sshd_t)
>>>> D_G
>>>>
>>>> That custom policy module should allow sshd to bind tcp sockets to http
>>>> ports (including tcp:443)
>>>
>>> Of course you also have to build and install the custom module:
>>>
>>> ( below is how that is done in Fedora (RHEL5 requires that you also
>>> install selinux-policy-devel to build a module)
>>>
>>> make -f /usr/share/selinux/devel/Makefile mysshd.pp
>>> sudo semodule -i mysshd.pp
>>>
>>>> You can find source policy in the source package for your policy.
>>>>
>>>> Here is the policy browser from upstream:
>>>> http://oss.tresys.com/projects/refpolicy/browser
>>>>
>>>>> Thanks
>>>>>
>>>>> Chip
>>>>>
>>>>> On 08/01/2010 12:02 PM, Dominick Grift wrote:
>>>>>> On 08/01/2010 05:43 PM, Ralph Blach wrote:
>>>>>>> I have discovered that ports 443 and 22 are in module tcp.
>>>>>>>
>>>>>>> How do I rewrite module tcp so that I can configure as I want it.
>>>>>>>
>>>>>>> Where do I find module tcp?
>>>>>>>
>>>>>>> I did a semanage port -l | grep 22 and module tcp was listed.
>>>>>>> I did the same for port 443
>>>>>>>
>>>>>>> Thanks
>>>>>>
>>>>>> Ports are declared (defined) in the corenetwork module. This module is
>>>>>> part of the base module. Modules that are part of the base module are
>>>>>> not listed with semodule -l.
>>>>>>
>>>>>> What exactly do you want to achieve? If you are specific about your
>>>>>> requirements we can try to help you implement it.
>>>>>>
>>>>>>> Chip
>>>>>>>
>>>>>>> On 07/27/2010 08:29 PM, Jason Axelson wrote:
>>>>>>>> On Tue, Jul 27, 2010 at 2:20 PM, Ralph Blach wrote:
>>>>>>>>> how do I use semanage to list the policy modules.
>>>>>>>>
>>>>>>>> Hi Chip,
>>>>>>>>
>>>>>>>> Perhaps you are looking for "semodule -l"? That will list out all the
>>>>>>>> installed policy modules (besides base).
>>>>>>>>
>>>>>>>> Jason
>>>>>>
>>>>>> --
>>>>>> This message was distributed to subscribers of the selinux mailing list.
>>>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>>>>> with the words "unsubscribe selinux" without quotes as the message.
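The procedure from the thread, folded into one script as an added example (not the thread's own commands): it writes the corrected module source (sshd_t rather than shorewall_t, and the singular refpolicy interface name corenet_tcp_bind_http_port), checks that the interface really exists in the installed headers before building, then builds, installs and verifies. It assumes selinux-policy-devel and policycoreutils are installed; MODDIR is an assumed, overridable working directory.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Assumes selinux-policy-devel
# (devel Makefile + interface headers) and policycoreutils are installed.
set -eu

MODDIR="${MODDIR:-${HOME:-.}/mysshd}"   # assumed working directory
DEVEL=/usr/share/selinux/devel

# Emit the corrected module source (sshd_t, singular interface name).
mysshd_te() {
    cat <<'EOF'
policy_module(mysshd, 1.0.0)

gen_require(`
    type sshd_t;
')

# Allow sshd to bind TCP sockets to ports labelled http_port_t (80, 443, ...).
corenet_tcp_bind_http_port(sshd_t)
EOF
}

# Pre-flight: confirm the interface exists in the installed headers, so a
# misspelled name (e.g. the plural *_ports) fails here with a clear message
# instead of as an opaque m4 error during the build.
interface_defined() {
    grep -rq "interface(\`$1'" "$DEVEL/include"
}

build_and_install() {
    [ -f "$DEVEL/Makefile" ] || { echo "install selinux-policy-devel first" >&2; return 1; }
    interface_defined corenet_tcp_bind_http_port || { echo "interface not found in $DEVEL/include" >&2; return 1; }
    mkdir -p "$MODDIR" && cd "$MODDIR"
    mysshd_te > mysshd.te
    make -f "$DEVEL/Makefile" mysshd.pp
    sudo semodule -i mysshd.pp
    # Post-check: the module is loaded, and tcp/443 is still http_port_t
    # (untouched), so the new rule is what grants sshd the bind.
    sudo semodule -l | grep -q '^mysshd' || return 1
    sudo semanage port -l | grep -E '^http_port_t +tcp' | grep -q 443 || return 1
}

# Only act when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = "install" ]; then
    build_and_install
fi
```

After installing, point sshd at 443 in sshd_config and confirm with `ausearch -m avc -ts recent` that no bind denial remains; if one does, `audit2allow` on that denial shows which interface the module still lacks.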