* fwknop, fwknopd, fwknop_serv
@ 2011-04-01 16:10 Bill Chimiak
From: Bill Chimiak @ 2011-04-01 16:10 UTC
To: selinux-mailing-list
fwknop is a single passphrase authorization system.
Fairly cool. selinux did not like fwknop out of the box.
It wanted a new module:
module iptab2log 1.0;

require {
        type var_log_t;
        type iptables_t;
        class file write;
}

#============= iptables_t ==============
allow iptables_t var_log_t:file write;
It works now. Was there another way to do this?
William J. Chimiak
Laboratory for Telecommunication Sciences
8080 Greenmead Drive, College Park, MD 20740
301-422-5217
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: fwknop, fwknopd, fwknop_serv
From: Dominick Grift @ 2011-04-01 16:35 UTC
To: Bill Chimiak; +Cc: selinux-mailing-list
On 04/01/2011 06:10 PM, Bill Chimiak wrote:
> fwknop is a single passphrase authorization system.
> Fairly cool. selinux did not like fwknop out of the box.
> It wanted a new module:
>
> module iptab2log 1.0;
>
> require {
> type var_log_t;
> type iptables_t;
> class file write;
> }
>
> #============= iptables_t ==============
> allow iptables_t var_log_t:file write;
Did you notice any loss of functionality?
This may be a leaked file descriptor or something may be passing the
open file to iptables.
You may be able to dontaudit this:
dontaudit iptables_t var_log_t:file write;
Which file exactly is it trying to write to?
By the way this is not the optimal list to be posting this to.
> It works now. Was there another way to do this?
> William J. Chimiak
> Laboratory for Telecommunication Sciences
> 8080 Greenmead Drive, College Park, MD 20740
> 301-422-5217
>
* Re: fwknop, fwknopd, fwknop_serv
From: Daniel J Walsh @ 2011-04-01 17:09 UTC
To: Dominick Grift; +Cc: Bill Chimiak, selinux-mailing-list
On 04/01/2011 12:35 PM, Dominick Grift wrote:
> On 04/01/2011 06:10 PM, Bill Chimiak wrote:
>> fwknop is a single passphrase authorization system.
>> Fairly cool. selinux did not like fwknop out of the box.
>> It wanted a new module:
>
>> module iptab2log 1.0;
>
>> require {
>> type var_log_t;
>> type iptables_t;
>> class file write;
>> }
>
>> #============= iptables_t ==============
>> allow iptables_t var_log_t:file write;
>
> Did you notice any loss of functionality?
>
> This may be a leaked file descriptor or something may be passing the
> open file to iptables.
>
> You may be able to dontaudit this:
>
> dontaudit iptables_t var_log_t:file write;
>
> Which file exactly is it trying to write to?
>
> By the way this is not the optimal list to be posting this to.
>
>> It works now. Was there another way to do this?
>> William J. Chimiak
>> Laboratory for Telecommunication Sciences
>> 8080 Greenmead Drive, College Park, MD 20740
>> 301-422-5217
>
Most likely a redirection of stdout.
script > /var/log/my.log
Would cause this type of AVC for any confined app being run within the
script.
A hacky way to get out of it without changing policy, would be to execute
script | cat > /var/log/my.log
Another option would be to set it up for append:
script >> /var/log/my.log
Which would only require append privs.
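The three redirection shapes Dan Walsh describes above differ in what the child process inherits on file descriptor 1, and that is exactly what SELinux checks when the confined program writes. The script below is an added example, not code from the thread or from the fwknop project: it runs a small probe (standing in for iptables) under /bin/sh with each redirection and reports, from inside the child, whether fd 1 is a regular file or a pipe and whether O_APPEND is set, then maps that to the file permission the child's domain would need on the log's type. The log path is a temporary file standing in for /var/log/my.log; the permission mapping relies on the kernel checking `append` instead of `write` on a descriptor opened with O_APPEND.

```python
"""Added example (not from the thread or the fwknop project): show what a
child process actually inherits on stdout under `> log`, `>> log` and
`| cat > log`, and which SELinux file permission that costs the child's domain.
The log path is a temporary file standing in for /var/log/my.log and the child
is a tiny Python probe standing in for the confined iptables process."""
import os
import shlex
import stat
import subprocess
import sys
import tempfile

# Child-side probe: report the type of fd 1 and whether O_APPEND is set on it.
# It writes to stderr so the report survives whatever the shell did to stdout.
CHILD_PROBE = r"""
import fcntl, os, stat, sys
st = os.fstat(1)
fl = fcntl.fcntl(1, fcntl.F_GETFL)
kind = "pipe" if stat.S_ISFIFO(st.st_mode) else "file" if stat.S_ISREG(st.st_mode) else "other"
sys.stderr.write(kind + (" append" if fl & os.O_APPEND else " noappend"))
"""

REDIRECTIONS = (">", ">>", "| cat >")   # the three forms discussed in the thread


def inspect_stdout(redirection, log_path):
    """Run `python -c PROBE <redirection> log_path` under /bin/sh and return
    (kind, has_append) exactly as the child sees its own fd 1."""
    if redirection not in REDIRECTIONS:
        raise ValueError("unsupported redirection: %r" % redirection)
    cmd = "%s -c %s %s %s" % (
        shlex.quote(sys.executable), shlex.quote(CHILD_PROBE),
        redirection, shlex.quote(log_path))
    res = subprocess.run(cmd, shell=True, stderr=subprocess.PIPE, check=True)
    kind, flag = res.stderr.decode().split()
    return kind, flag == "append"


def needed_permission(kind, has_append):
    """SELinux permission the child's domain needs on the log file's type
    (var_log_t in the thread).  The kernel checks `append` rather than `write`
    when the descriptor carries O_APPEND; with a pipe on fd 1 the child never
    touches the log file's type at all."""
    if kind == "pipe":
        return None
    return "file append" if has_append else "file write"


def demo_all(log_path=None):
    """Map each redirection to (kind, has_append, needed permission)."""
    if log_path is None:
        fd, log_path = tempfile.mkstemp(suffix=".log")   # stand-in for /var/log/my.log
        os.close(fd)
    try:
        out = {}
        for r in REDIRECTIONS:
            kind, app = inspect_stdout(r, log_path)
            out[r] = (kind, app, needed_permission(kind, app))
        return out
    finally:
        os.unlink(log_path)


if __name__ == "__main__":
    for r, (kind, app, perm) in demo_all().items():
        print("script %-8s log : child fd 1 is a %s%s -> needs %s" % (
            r, kind, " with O_APPEND" if app else "",
            perm or "nothing on the log's type"))
```

The `| cat >` case still has the child writing into the shell's pipe, which policy normally permits; what disappears is any access to the log file's type, so no new rule is needed. The `>>` case keeps a writable descriptor on the log but turns the AVC from `file write` into `file append`, which is the narrower rule to allow if one must be added.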