Hello,
I would like to log process binding on tcp ports > 1023.
"On YYYY/MM/DD hh:mm:ss, which account ran the process X listening on port aaaa"
Is there any way to do this with SELinux in permissive mode?
- using system policy?
- creating a new policy?
- ... ?
Thanks a lot in advance!
François
On Mon, Jan 24, 2011 at 09:49:01AM +0100, François Chenais wrote:
> Hello,
> I would like to log process binding on tcp ports > 1023.

something like this may work:

mkdir mytest; cd mytest
cat > mytest.te <<'EOF'
policy_module(mytest, 1.0.0)

gen_require(`
    attribute domain, userdomain, port_type;
')

auditallow { userdomain domain } port_type:tcp_socket name_bind;
EOF
make -f /usr/share/selinux/devel/Makefile mytest.pp
sudo semodule -i mytest.pp

Then any attempts to bind tcp_sockets to port_type ports by domain as well as userdomain will be logged in /var/log/audit/audit.log.

You may, or may not, be able to do similar things by using the audit suite instead (man auditctl)

> "On YYYY/MM/DD hh:mm:ss, which account ran the process X listening on port aaaa"
> Is there any way to do this with SELinux in permissive mode?
> - using system policy?
> - creating a new policy?
> - ... ?
> Thanks a lot in advance!
> François

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
2011/1/24 Dominick Grift domg472@gmail.com
> On Mon, Jan 24, 2011 at 09:49:01AM +0100, François Chenais wrote:
> > Hello,
> > I would like to log process binding on tcp ports > 1023.
>
> something like this may work:
> [...]
> Then any attempts to bind tcp_sockets to port_type ports by domain as well as userdomain will be logged in /var/log/audit/audit.log.

Coool! Thanks a lot, I'm trying it now ...

> You may, or may not, be able to do similar things by using the audit suite instead (man auditctl)

Yes but I can't find how to restrict the audit on a specific port number :/

auditctl -d exit,always -S bind -k BIND
2011/1/24 François Chenais francois.chenais@gmail.com
> > You may, or may not, be able to do similar things by using the audit suite instead (man auditctl)
>
> Yes but I can't find how to restrict the audit on a specific port number :/
>
> auditctl -d exit,always -S bind -k BIND

-a and not -d !!
2011/1/24 François Chenais francois.chenais@gmail.com
> 2011/1/24 Dominick Grift domg472@gmail.com
> > something like this may work:
> > [...]
> > Then any attempts to bind tcp_sockets to port_type ports by domain as well as userdomain will be logged in /var/log/audit/audit.log.
>
> Coool! Thanks a lot, I'm trying it now ...

It works fine.

I've modified your example to permit a port list selection:

$ cat mytest.te
policy_module(mytest, 1.0.0)

gen_require(`
    attribute domain, userdomain, port_type;
')

type mytest_t;
domain_type(mytest_t)

auditallow { userdomain domain } mytest_t:tcp_socket name_bind;

Then run:

$ semanage port -a -t mytest_t -p tcp 1234

Thank you very much!
On 01/25/2011 01:03 PM, François Chenais wrote:
> It works fine.
>
> I've modified your example to permit a port list selection:
>
> $ cat mytest.te
> policy_module(mytest, 1.0.0)
>
> gen_require(`
>     attribute domain, userdomain, port_type;
> ')
>
> type mytest_t;
> domain_type(mytest_t)
>
> auditallow { userdomain domain } mytest_t:tcp_socket name_bind;
>
> Then run:
>
> $ semanage port -a -t mytest_t -p tcp 1234

I am surprised if this would work. port_types are not domain_types.

instead of:

domain_type(mytest_t)

use

corenet_port(mytest_t)
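Neither approach in the thread produces the one-line summary asked for in the first message on its own: the auditallow rule yields AVC "granted" records (with src=<port> and tcontext=<port type>), the auditctl rule yields SYSCALL records plus a SOCKADDR record, and the account, executable and port have to be pulled out of those and joined by audit event id. The script below is an added example (my own code, not from the thread, the SELinux reference policy or the audit project) that does that join over a few constructed audit.log lines. The uid-to-account table, pids, contexts, paths and timestamps in it are made up, and it assumes a little-endian host for the sa_family field of the SOCKADDR record (as on x86). It goes slightly beyond the thread in that it reports binds from either kind of record, which also gives the per-port filter that François could not express in the auditctl rule itself:

```python
"""Summarise tcp binds on ports > 1023 from audit.log records.

Added example for the mailing-list thread above; not code from the
list or from the SELinux/audit projects.  It handles both record kinds
discussed there:
  - AVC "granted" records from the auditallow rule (perm name_bind on
    tcp_socket, with src=<port> and tcontext=<port type>), and
  - SYSCALL + SOCKADDR records from `auditctl -a exit,always -S bind -k BIND`.
With auditd running, an AVC record is followed by the SYSCALL record of
the same event, which is where uid/auid/exe come from.
"""
import re
import struct
import sys
from collections import defaultdict
from datetime import datetime, timezone

HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\{ ([^}]*) \}')
UNSET_AUID = 4294967295  # (unsigned)-1: no login session, e.g. a daemon started by init

# Constructed uid -> account table; a real run would use pwd.getpwuid(),
# which is how `ausearch -i` resolves these ids.
PASSWD = {0: "root", 1000: "francois"}

# Constructed sample records: pids, contexts, paths and timestamps are made
# up; the field layout follows what auditd writes to audit.log.
SAMPLE_LOG = """\
type=AVC msg=audit(1295861234.123:456): avc:  granted  { name_bind } for  pid=1234 comm="nc" src=1234 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:mytest_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1295861234.123:456): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=7fff1234 a2=10 a3=0 items=0 ppid=1000 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="nc" exe="/usr/bin/nc" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="BIND"
type=SOCKADDR msg=audit(1295861234.123:456): saddr=020004D2000000000000000000000000
type=SYSCALL msg=audit(1295861300.500:457): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7fff5678 a2=10 a3=0 items=0 ppid=1 pid=777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0 key="BIND"
type=SOCKADDR msg=audit(1295861300.500:457): saddr=02000016000000000000000000000000
type=SYSCALL msg=audit(1295861400.000:458): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=7fff9abc a2=1c a3=0 items=0 ppid=1000 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=1 comm="python" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="BIND"
type=SOCKADDR msg=audit(1295861400.000:458): saddr=0A001F90000000000000000000000000000000000000000000000000
"""


def parse_records(text):
    """Group raw records by audit event id -> {record type: {field: value}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m['body'])}
        if m['type'] == 'AVC':
            # "avc:  granted  { name_bind } for ..." vs "avc:  denied  { ... }"
            fields['decision'] = 'granted' if ' granted ' in m['body'] else 'denied'
            perms = PERMS_RE.search(m['body'])
            fields['perms'] = perms.group(1).split() if perms else []
        events[(float(m['ts']), int(m['serial']))][m['type']] = fields
    return events


def decode_port(saddr_hex):
    """Port from a SOCKADDR saddr= hex dump, or None for non-IP families."""
    raw = bytes.fromhex(saddr_hex)
    if len(raw) < 4:
        return None
    # sa_family_t is in host byte order (little-endian assumed, as on x86);
    # sin_port / sin6_port are in network byte order.
    family = struct.unpack_from('<H', raw, 0)[0]
    if family in (2, 10):  # AF_INET, AF_INET6
        return struct.unpack_from('!H', raw, 2)[0]
    return None


def account_of(syscall):
    """Login account (auid) if the process has a session, else its uid."""
    auid = int(syscall.get('auid', UNSET_AUID))
    uid = auid if auid != UNSET_AUID else int(syscall.get('uid', -1))
    return PASSWD.get(uid, str(uid))


def binds_above(text, min_port=1023):
    """Successful tcp binds on ports > min_port, oldest first."""
    found = []
    for (ts, serial), recs in sorted(parse_records(text).items()):
        sc, avc, sa = recs.get('SYSCALL', {}), recs.get('AVC', {}), recs.get('SOCKADDR', {})
        port = decode_port(sa['saddr']) if 'saddr' in sa else None
        if port is None and avc.get('tclass') == 'tcp_socket' and 'name_bind' in avc.get('perms', []):
            port = int(avc['src'])  # the port the AVC record is about
        if port is None or port <= min_port:
            continue
        # The SYSCALL success= field says whether bind() really happened; with
        # only an AVC record to go on, a denial means nothing was bound unless
        # the system is permissive.
        happened = sc.get('success') == 'yes' if sc else avc.get('decision') == 'granted'
        if not happened:
            continue
        found.append({
            'ts': ts, 'serial': serial, 'port': port,
            'pid': int(sc.get('pid') or avc.get('pid') or 0),
            'exe': sc.get('exe') or avc.get('comm', '?'),
            'account': account_of(sc) if sc else '?',
            'domain': sc.get('subj') or avc.get('scontext', '?'),
            'port_type': avc.get('tcontext', ''),
        })
    return found


def format_line(ev):
    """The line the first message asked for (timestamp shown in UTC)."""
    when = datetime.fromtimestamp(ev['ts'], tz=timezone.utc).strftime('%Y/%m/%d %H:%M:%S')
    return (f"On {when} UTC, {ev['account']} ran {ev['exe']} (pid {ev['pid']}, "
            f"{ev['domain']}) bound to tcp port {ev['port']}")


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ev in binds_above(text):
        print(format_line(ev))
```

Run it against a real log with `python3 bindlog.py /var/log/audit/audit.log`, or feed it the output of `ausearch -k BIND` / `ausearch -m AVC` to pre-filter. The audit rule itself cannot select on the port because bind() receives the address through a pointer (a1), which is why the script decodes the SOCKADDR record instead. The login uid (auid) is preferred over uid so that a bind done after su or sudo is still attributed to the account that logged in; daemons started by init show up with the unset auid and fall back to their uid.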