
Re: eggdrop policy module



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/30/2011 01:46 PM, Luciano Furtado wrote:
> On 11-03-28 05:06, Dominick Grift wrote:
>> On 03/28/2011 02:32 AM, Luciano Furtado wrote:
> 
>>> Hi guys,
> 
>>> I started creating my policy module for the eggdrop irc bot. I am
>>> getting stuck on simple task. I want to add a transition from
>>> unconfined_t to eggdrop_t when I run a eggdrop_exec_t file.
> 
>>> This is what I have:
> 
>>> policy_module(eggdrop, 1.0.0)
> 
>>> ########################################
>>> ## Declarations
>>> #
>>> gen_require(`
>>>    type unconfined_t;
>>> ')
>>> type eggdrop_t;
>>> type eggdrop_exec_t;
> 
>>> application_executable_file(eggdrop_exec_t)
> 
>> This is not required; it is in application_domain(), which you should
>> call. Lack of application_domain(eggdrop_t, eggdrop_exec_t) is what's
>> causing the constraint violation.
> 
>> Also allow the unconfined_r role the eggdrop_t domain:
> 
>> role unconfined_r types eggdrop_t;
> 
>> (you also will need to require "role unconfined_r;")
> 
> 
>>> type eggdrop_conf_t;
>>> files_config_file(eggdrop_conf_t)
> 
>>> corenet_tcp_connect_ircd_port(eggdrop_t)
>>> corenet_tcp_sendrecv_ircd_port(eggdrop_t)
> 
>>> domain_auto_trans(unconfined_t,eggdrop_exec_t,eggdrop_t)
> 
>> Better use domtrans_pattern() instead of domain_auto_trans. It better
>> fits the requirements:
> 
>> domtrans_pattern(unconfined_t, eggdrop_exec_t, eggdrop_t)
> 
> 
>> so a basic standard template to start is:
> 
>> ----------->8--------------
> 
>> policy_module(eggdrop, 1.0.0)
> 
>> gen_require(`
>>     type unconfined_t;
>>     role unconfined_r;
>> ')
> 
>> type eggdrop_t;
>> type eggdrop_exec_t;
>> application_domain(eggdrop_t, eggdrop_exec_t)
>> role unconfined_r types eggdrop_t;
> 
>> type eggdrop_etc_t;
>> files_config_file(eggdrop_etc_t)
> 
>> domtrans_pattern(unconfined_t, eggdrop_exec_t, eggdrop_t)
> 
>> -------------8<------------
> 
> 
> 
> 
>>> This is what I get when I try to load this policy module:
> 
> 
>>> lrfurtado:~/selinux/eggdrop# make load
>>> Loading default modules: eggdrop
>>> /usr/sbin/semodule -i eggdrop.pp
>>> libsepol.check_assertion_helper: neverallow violated by allow
>>> unconfined_t eggdrop_t:process { transition };
>>> libsemanage.semanage_expand_sandbox: Expand module failed
>>> /usr/sbin/semodule:  Failed!
>>> make: *** [tmp/loaded] Error 1
>>> lrfurtado:~/selinux/eggdrop#
> 
> 
>>> What's the proper way of accomplishing this?
> 
> 
> 
>>> On 11-03-25 15:24, Dominick Grift wrote:
>>>> On 03/25/2011 08:16 PM, Luciano Furtado wrote:
>>>>> Thanks Dominick,
> 
>>>>> I will use this as an exercise on how to create a new policy module. I
>>>>> hope you guys can tolerate my newbie questions for a while.
> 
>>>> I created some screencasts and put them on YouTube that show some of this:
> 
>>>> Write a policy module part 1 to 4 (on fedora):
> 
>>>> part 1: http://www.youtube.com/watch?v=s4EyoW_7riQ
>>>> part 2: http://www.youtube.com/watch?v=G5gUt1-ttGg
>>>> part 3: http://www.youtube.com/watch?v=nbFnchVAgYs
>>>> part 4: http://www.youtube.com/watch?v=rUGBgzTr92A
> 
>>>> Some other examples:
> 
>>>> part 1: http://www.youtube.com/watch?v=sBI50O84NLo
>>>> part 2: http://www.youtube.com/watch?v=ATTJ5xUKH1E
>>>> part 3: http://www.youtube.com/watch?v=e3cQNi3bi70
> 
>>>> may or may not be helpful.
> 
>>>>> Best Regards.
>>>>> Luciano
> 
> 
>>>>> On 11-03-25 14:29, Dominick Grift wrote:
>>>>>> On 03/25/2011 07:09 PM, Luciano Furtado wrote:
>>>>>>> Hi Group,
> 
>>>>>>> Does eggdrop have a SELinux policy module? If so, starting on which Fedora
>>>>>>> version?
> 
> 
>>>>>> The only reference that I could find to it was:
> 
>>>>>> "You can find a copy of my irssi policy here
>>>>>> http://pastebin.ca/768256?srch=irssi_exec_t it also includes policy for
>>>>>> eggdrop and manual pages"
> 
>>>>>> - From my 2008 article
>>>>>> "http://domg472.blogspot.com/2008/05/how-to-create-integrate-and-rebuild.html"
> 
>>>>>> Unfortunately it seems "pastebin.ca" no longer exists. I can no longer
>>>>>> access the site.
> 
> 
>>>>>>> I am looking to get the sources for it , build / install it on my Debian
>>>>>>> installation which doesn't seem to have a module for it.
> 
> 
>>>>>>> Best Regards.
>>>>>>> Luciano
> 
> 
> 
> 
> In my policy right now I have this, which I think would allow eggdrop to
> sendrecv packets to any host/port combination:
> 
> corenet_tcp_sendrecv_all_ports(eggdrop_t)
> 
> 
> If I wanted to limit eggdrop to talk only to a specific host/port, would it
> be possible to use iptables to label the packets as something like
> eggdrop_packet_t and then add a rule like this:
> 
> corenet_tcp_recvfrom_labeled(eggdrop_t, eggdrop_packet_t)
> 
> 
> Is this the right approach to accomplish this?

I am not into the SELinux networking controls, but dwalsh recently
published an article that may or may not inspire you:

http://www.linux.com/learn/tutorials/421152-using-selinux-and-iptables-together

> 
> My WIP policy is located at http://lrfurtado.vps.bitfolk.com/eggdrop/

I probably would have done it differently, but if it works, it works.

> 
> 
> 
> Best Regards.
> Luciano
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2TGZAACgkQMlxVo39jgT8PTgCgumo71iBZfEVyEGkpY8QeD1r6
jS4AniKXLdNUSV4dChoCQGAt4lq/fHxP
=dfSP
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
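Pulling the pieces of Dominick's template together, below is a complete eggdrop.te as an added example; it is not code from this thread, from Luciano's WIP policy or from any eggdrop package. The fix for the neverallow error is the application_domain() call (it makes eggdrop_t a domain, so the transition is no longer "allow domain ~domain:process transition") plus the role line; everything else is my assumption about what the bot needs: the eggdrop_var_lib_t type, the self/fifo/socket rules, the DNS and terminal access, and the file paths in the eggdrop.fc comments. Expect to adjust those against audit2allow output. The IRC port interfaces are the ones from the thread and are deliberately used instead of corenet_tcp_sendrecv_all_ports().

```selinux
policy_module(eggdrop, 1.0.0)

########################################
#
# Declarations
#

gen_require(`
	type unconfined_t;
	role unconfined_r;
')

type eggdrop_t;
type eggdrop_exec_t;
# Makes eggdrop_t a domain (domain_type) and eggdrop_exec_t an entry point.
# Without this the module fails the refpolicy neverallow on process transition.
application_domain(eggdrop_t, eggdrop_exec_t)
# The role running the bot must be allowed the new domain, or the
# transition is refused by the role constraint at exec time.
role unconfined_r types eggdrop_t;

type eggdrop_etc_t;
files_config_file(eggdrop_etc_t)

# Assumed: userfile / channel state the bot rewrites at runtime.
type eggdrop_var_lib_t;
files_type(eggdrop_var_lib_t)

########################################
#
# eggdrop local policy
#

# unconfined_t executing a file labeled eggdrop_exec_t ends up in eggdrop_t.
domtrans_pattern(unconfined_t, eggdrop_exec_t, eggdrop_t)

allow eggdrop_t self:fifo_file rw_fifo_file_perms;
allow eggdrop_t self:tcp_socket create_stream_socket_perms;

read_files_pattern(eggdrop_t, eggdrop_etc_t, eggdrop_etc_t)
manage_files_pattern(eggdrop_t, eggdrop_var_lib_t, eggdrop_var_lib_t)

# Network: generic interface/node access, but only the IRC port
# (ircd_port_t), not corenet_tcp_sendrecv_all_ports().
corenet_all_recvfrom_unlabeled(eggdrop_t)
corenet_tcp_sendrecv_generic_if(eggdrop_t)
corenet_tcp_sendrecv_generic_node(eggdrop_t)
corenet_tcp_connect_ircd_port(eggdrop_t)
corenet_tcp_sendrecv_ircd_port(eggdrop_t)

sysnet_dns_name_resolve(eggdrop_t)

files_read_etc_files(eggdrop_t)
miscfiles_read_localization(eggdrop_t)

# Assumed: the bot is started from a terminal and writes its log there.
# (Interface name as in the 2011-era policy the thread targets.)
userdom_use_user_terminals(eggdrop_t)

# --- eggdrop.fc (companion file, paths assumed) ---------------------------
# /usr/bin/eggdrop        --  gen_context(system_u:object_r:eggdrop_exec_t,s0)
# /etc/eggdrop(/.*)?          gen_context(system_u:object_r:eggdrop_etc_t,s0)
# /var/lib/eggdrop(/.*)?      gen_context(system_u:object_r:eggdrop_var_lib_t,s0)
#
# --- build, load and verify ----------------------------------------------
# make -f /usr/share/selinux/devel/Makefile eggdrop.pp && semodule -i eggdrop.pp
# restorecon -Rv /usr/bin/eggdrop /etc/eggdrop /var/lib/eggdrop
# sesearch -T -s unconfined_t -t eggdrop_exec_t -c process   # type_transition -> eggdrop_t
# seinfo -r unconfined_r -x | grep eggdrop_t                  # role allows the domain
# ps -eZ | grep eggdrop                                       # eggdrop_t once running
```

The two sesearch/seinfo checks at the end are the ones worth running before starting the bot: the first confirms the type_transition rule that domtrans_pattern() generates actually made it into the loaded policy, the second confirms the role line, since a missing role rule produces an "invalid context" failure on exec rather than an AVC denial.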

