Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


07-02-2008, 10:03 AM
Christian Kuester

Adding local nodecons

Hi List,

I'm using Fedora 8 and would like to put types on various nodes.
What would be the best way to do it since semanage seems to support
doing nodecons on specific nodes.

Do I have to rebuild the complete policy or is there some more convenient
way to do it? For example in a new local policy?

Kind regards,
Chris

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
07-02-2008, 12:12 PM
Stephen Smalley

Adding local nodecons

On Wed, 2008-07-02 at 12:03 +0200, Christian Kuester wrote:
> Hi List,
>
> I'm using Fedora 8 and would like to put types on various nodes.
> What would be the best way to do it since semanage seems to support
> doing nodecons on specific nodes.
>
> Do I have to rebuild the complete policy or is there some more convenient
> way to do it? For example in a new local policy?

I don't believe this is presently supported by semanage, although the
libsemanage infrastructure exists.

However, I think what you likely want is to use secmark instead.
http://james-morris.livejournal.com/11010.html

--
Stephen Smalley
National Security Agency

 
07-02-2008, 02:32 PM
Christian Kuester

Adding local nodecons

Stephen Smalley wrote:
>> I'm using Fedora 8 and would like to put types on various nodes.
>> What would be the best way to do it since semanage seems to support
>> doing nodecons on specific nodes.
>>
> I don't believe this is presently supported by semanage, although the
> libsemanage infrastructure exists.
>
I've seen an older discussion on the NSA-SELinux mailing list about that.
The patch for semanage wasn't committed though.
> However, I think what you likely want is to use secmark instead.
> http://james-morris.livejournal.com/11010.htm
Interesting article. Perhaps I could use this instead of nodecon but it
seems much more complex than that. The only thing I want to accomplish is
to have a way to restrict node_binds, so that specific programs can only
open sockets on 127.0.0.1 (f.i.).


Kind regards,
Chris

 
07-02-2008, 02:39 PM
Stephen Smalley

Adding local nodecons

On Wed, 2008-07-02 at 16:32 +0200, Christian Kuester wrote:
> Stephen Smalley wrote:
> >> I'm using Fedora 8 and would like to put types on various nodes.
> >> What would be the best way to do it since semanage seems to support
> >> doing nodecons on specific nodes.
> >>
> > I don't believe this is presently supported by semanage, although the
> > libsemanage infrastructure exists.
> >
> I've seen an older discussion on the NSA-SELinux mailing list about that.
> The patch for semanage wasn't committed though.
> > However, I think what you likely want is to use secmark instead.
> > http://james-morris.livejournal.com/11010.htm
> Interesting article. Perhaps I could use this instead of nodecon but it
> seems much more complex than that. The only thing I want to accomplish is
> to have a way to restrict node_binds, so that specific programs can only
> open sockets on 127.0.0.1 (f.i.).

Ok - then you do want node contexts.

As I recall, the patch posted to selinux list circa 2006 for adding
semanage node context support didn't actually work correctly and no one
chased it down. So if you want to revive it on selinux list and see if
we can hunt down the underlying issue, that might be worthwhile.

--
Stephen Smalley
National Security Agency

All times are GMT.