Is there a way to deny explicitly some actions? I wrote this module for instance:

#========START POLICY =====#
module unserverd 1.0;

require {
    class tcp_socket { create name_bind listen write accept };
    class udp_socket { create name_bind listen write accept };
    type staff_t;
    type unreserved_port_t;
    type ephemeral_port_t;
    attribute domain;
}

neverallow staff_t unreserved_port_t:tcp_socket { create name_bind listen write accept };
neverallow staff_t unreserved_port_t:udp_socket { create name_bind listen write accept };
neverallow staff_t ephemeral_port_t:tcp_socket { create name_bind listen write accept };
neverallow staff_t ephemeral_port_t:udp_socket { create name_bind listen write accept };

#========END POLICY =====#

But I can still bind, and there are no AVC denials in the log. Should I recompile and reinstall the whole policy for the policy compiler to see my module? However, using auditallow does log my name_bind to a port.

Re: Explicit deny rule

No. SELinux does not have a deny. It is a deny everything system and then you write allow rules.

neverallow rules are more like C assertions. They will blow up the compile when people add policy to allow staff_t to listen on these ports.

We do not process Neverallow rules in the shipping product on in the base build. They cause the policy compile to take too long.

There is a boolean for controlling this: selinuxuser_tcp_server in Fedora/RHEL7, user_tcp_server on RHEL6.

# sesearch -A -s staff_t -t unreserved_port_t -C -p name_bind
Found 4 semantic av rules:
allow staff_usertype unreserved_port_t : udp_socket name_bind ;
DT allow staff_usertype unreserved_port_type : tcp_socket name_bind ; [ selinuxuser_tcp_server ]
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain unreserved_port_t : udp_socket name_bind ; [ nis_enabled ]
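Since SELinux has no deny rule, the practical follow-up to the reply above is to find out which allow rules currently grant the access and which booleans gate them, then turn the boolean off (or drop the rule) rather than writing a neverallow. The following is an added example, not code from either poster: a small parser for the `sesearch -A -C` output quoted above. It assumes the setools 3 output format shown in the thread, where a conditional rule carries a two-letter prefix (E/D for the rule being currently enabled or disabled, T/F for the true or false branch of the conditional) and the boolean name in square brackets; that reading of the flags is an assumption, and the sample text is constructed from the lines in the reply.

```python
"""Audit `sesearch -A -C` output: which allow rules are active right now,
and which booleans would have to change to grant or remove an access.

Added example for this thread (not the posters' code). Assumes setools 3
output: optional `ED`/`TF` flags, then `allow SRC TGT : CLASS PERMS ;`,
and `[ boolean ]` on conditional rules. The flag meaning is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, copied from the sesearch output quoted in the reply.
SAMPLE_SESEARCH = """\
Found 4 semantic av rules:
allow staff_usertype unreserved_port_t : udp_socket name_bind ;
DT allow staff_usertype unreserved_port_type : tcp_socket name_bind ; [ selinuxuser_tcp_server ]
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain unreserved_port_t : udp_socket name_bind ; [ nis_enabled ]
"""

RULE_RE = re.compile(
    r"^(?:(?P<state>[ED])(?P<branch>[TF])\s+)?"      # optional conditional flags
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+)\s*;"                  # { p1 p2 } or a single perm
    r"(?:\s*\[\s*(?P<bool>\S+)\s*\])?\s*$"           # optional [ boolean ]
)


@dataclass
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset
    boolean: Optional[str] = None   # None for unconditional rules
    branch: Optional[str] = None    # 'T' or 'F' for conditional rules
    enabled: bool = True            # unconditional rules are always enabled


def parse_sesearch(text: str) -> List[AllowRule]:
    """Turn sesearch output into AllowRule records; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # e.g. the "Found N semantic av rules:" header
        perms = frozenset(m["perms"].strip("{} ").split())
        rules.append(AllowRule(
            source=m["src"], target=m["tgt"], tclass=m["cls"], perms=perms,
            boolean=m["bool"], branch=m["branch"],
            enabled=(m["state"] != "D"),
        ))
    return rules


def active_grants(rules: List[AllowRule], tclass: str, perm: str) -> List[AllowRule]:
    """Rules that grant `perm` on `tclass` under the current boolean settings."""
    return [r for r in rules if r.tclass == tclass and perm in r.perms and r.enabled]


def gating_booleans(rules: List[AllowRule], tclass: str, perm: str) -> Dict[str, bool]:
    """Map each boolean that decides `perm` on `tclass` to the value that grants it,
    so an admin knows which way a setsebool would have to go."""
    out: Dict[str, bool] = {}
    for r in rules:
        if r.boolean and r.tclass == tclass and perm in r.perms:
            out[r.boolean] = (r.branch == "T")
    return out


if __name__ == "__main__":
    rules = parse_sesearch(SAMPLE_SESEARCH)
    for r in active_grants(rules, "udp_socket", "name_bind"):
        print("currently active:", r.source, r.target, r.tclass, sorted(r.perms))
    print("booleans gating tcp name_bind:", gating_booleans(rules, "tcp_socket", "name_bind"))
```

On the quoted output this reports that the udp_socket name_bind grant to staff_usertype is unconditional, which is why a boolean alone cannot remove it, while tcp_socket name_bind is only reachable through selinuxuser_tcp_server or nis_enabled and both are currently off.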
