Re: PSAD SELinux file context

Yes, this is the wrong thing to do, and I am surprised this would work in enforcing mode. iptables_t is a process context and you are assigning it to a file. I don't believe in enforcing mode this would work.

You really have a few choices here. You can just allow or dontaudit iptables_t writing to var_log_t. You can do this using audit2allow -M to build a policy module.

You can build a more complex policy module with a type defined psad_log_t and then allow iptables_t to manage the type. Something like:

cat mypsad.te

# module header required for the devel Makefile / semodule to build this
policy_module(mypsad, 1.0)

gen_require(`
	type iptables_t;
')

# new type for the psad log directory and files, marked as a log file type
type psad_log_t;
logging_log_file(psad_log_t)

# let the iptables domain create/read/write/delete files of that type
manage_files_pattern(iptables_t, psad_log_t, psad_log_t)

cat mypsad.fc

/var/log/psad(/.*)?	gen_context(system_u:object_r:psad_log_t,s0)


Or

You can try to find a file_type that iptables_t can currently write to and assign the context to the directory.


# sesearch --allow -s iptables_t | grep " file.*write"
WARNING: This policy contained disabled aliases; they have been removed.
allow @ttr2145 @ttr2113 : file { ioctl read write getattr lock append } ;
allow iptables_t xdm_home_t : file { ioctl read write getattr lock append } ;
allow iptables_t initrc_tmp_t : file { ioctl read write getattr lock append } ;
allow @ttr2145 user_tmp_t : file { ioctl write getattr lock append } ;
allow iptables_t @ttr2113 : file { ioctl read write getattr lock append } ;
allow iptables_t iptables_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow iptables_t iptables_t : file { ioctl read write getattr lock append } ;
allow iptables_t iptables_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;

Say try iptables_var_run_t or iptables_tmp_t.

semanage fcontext -a -t iptables_var_run_t "/var/log/psad(/.*)?"

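As an added example (not part of the reply above or of the SELinux tooling itself), the following Python script does by hand what the `sesearch ... | grep` pipeline in the reply does by eye: it parses the quoted `sesearch --allow` output, drops attribute rows (the `@ttr...` entries are attributes, not types you can label a directory with), drops the domain itself, and lists the file types that grant the wanted permissions. The sample input is the output quoted in the reply; the `relabel_commands` helper name is an assumption and just assembles the `semanage fcontext` and `restorecon` invocations you would run afterwards.

```python
import re
from dataclasses import dataclass

# Constructed sample: the sesearch output quoted in the reply above.
SESEARCH_OUTPUT = """\
WARNING: This policy contained disabled aliases; they have been removed.
allow @ttr2145 @ttr2113 : file { ioctl read write getattr lock append } ;
allow iptables_t xdm_home_t : file { ioctl read write getattr lock append } ;
allow iptables_t initrc_tmp_t : file { ioctl read write getattr lock append } ;
allow @ttr2145 user_tmp_t : file { ioctl write getattr lock append } ;
allow iptables_t @ttr2113 : file { ioctl read write getattr lock append } ;
allow iptables_t iptables_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow iptables_t iptables_t : file { ioctl read write getattr lock append } ;
allow iptables_t iptables_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
"""

# allow <source> <target> : <class> { perm perm ... } ;
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;")


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


def parse_sesearch(text):
    """Parse 'allow' lines from sesearch output; warnings and other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue
        src, tgt, cls, perms = m.groups()
        rules.append(AllowRule(src, tgt, cls, frozenset(perms.split())))
    return rules


def writable_file_types(rules, source="iptables_t", required=("write",)):
    """Target types granting every permission in `required` on class 'file' to `source`.

    Attribute rows (printed by sesearch as @ttr...) are skipped because a directory
    must be labelled with a concrete type, and rules whose source is an attribute are
    skipped too since this parser cannot resolve attribute membership. The domain's
    own type is skipped because it is a process context, not a file label.
    """
    needed = set(required)
    found = set()
    for r in rules:
        if r.source != source or r.tclass != "file":
            continue
        if r.target.startswith("@") or r.target == source:
            continue
        if needed <= r.perms:
            found.add(r.target)
    return sorted(found)


def relabel_commands(file_type, path_regex):
    """Assumed helper: the two commands needed to apply a label persistently.
    The reply shows only the semanage step; restorecon is what actually relabels
    the files already on disk."""
    return [
        'semanage fcontext -a -t %s "%s"' % (file_type, path_regex),
        "restorecon -Rv %s" % path_regex.split("(")[0],
    ]


if __name__ == "__main__":
    rules = parse_sesearch(SESEARCH_OUTPUT)
    # A log directory needs files created and opened, not just written to,
    # so require the fuller permission set when picking a candidate.
    candidates = writable_file_types(rules, required=("write", "create", "open"))
    print("candidate types:", candidates)
    for cmd in relabel_commands(candidates[0], "/var/log/psad(/.*)?"):
        print(cmd)
```

Filtering on `write` alone reproduces the four concrete types visible in the reply (initrc_tmp_t, iptables_tmp_t, iptables_var_run_t, xdm_home_t); requiring `create` and `open` as well narrows it to the two iptables-owned types the reply suggests, which is the check worth making before relabelling a directory where psad will be creating new log files. Reusing an existing type this way is the quick fix; the dedicated psad_log_t module is the cleaner one because it does not widen what the borrowed type already grants.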