Problem with selinux
Kerry Thompson
kerry at security.geek.nz
Fri Jul 11 22:20:10 UTC 2008
Lars Hecking wrote:
> While we're on the issue of random ports, has anyone thought of how to
> configure selinux for the new port-randomising bind versions?
>
> Previous bind versions were easy to administer in this regard, without
> in-depth knowledge of selinux: run audit2allow on /var/log/messages,
> create and deploy named policy. Maybe repeat once or twice until all
> operations performed by named have been caught.
>
> This can no longer be done. Either one needs to know how to create
> selinux policies manually, or turn it off altogether. That's less
> security, not more.
>
> I would be particularly interested in comments from RedHat people :)
Hi Lars
Redhat included a patch to the named policy in their batch for BIND, see
http://lwn.net/Articles/289264/ (& search for selinux). Sometimes
audit2allow just doesn't give you what you really want :-). It seems
what they've done is to permit the name_bind domain to bind() to any udp
source socket, from the patch:
--- policy-1.17.30/domains/program/unused/named.te~ 2008-07-01
11:24:40.000000000 -0400
+++ policy-1.17.30/domains/program/unused/named.te 2008-07-01
11:24:13.000000000 -0400
@@ -69,7 +69,7 @@ can_tcp_connect(domain, named_t)
log_domain(named)
# Bind to the named port.
-allow named_t dns_port_t:udp_socket name_bind;
+allow named_t port_type:udp_socket name_bind;
allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
bool named_write_master_zones false;
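Review bot: the comment `# Bind to the named port.` above the changed rule is now inaccurate, because the `+` line swaps the single type `dns_port_t` for the attribute `port_type`, which covers every labelled UDP port type, not just the DNS port; the comment should say the wider grant exists so that BIND's randomised UDP source ports do not trigger AVC denials. The `tcp_socket` rule on the following line still limits named_t to `dns_port_t` and `rndc_port_t`, so it is worth stating that the asymmetry is intentional. If this policy version has a narrower attribute for unreserved/ephemeral ports, using it instead of `port_type` would keep named_t from binding UDP ports labelled for other services.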
So if you have policy sources then replacing that one line will fix it
up. Otherwise you could just add the port_type:udp_socket line to a
local policy file and load it.
I'm no Redhat person, the Redhat SELinux mailing list might be a better
place if you want a more in-depth answer.
Kerry
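The "local policy file" route Kerry mentions, written out as an added example (not code from the original post or from Red Hat): a minimal loadable module containing the quoted rule, plus the build-and-load steps. It assumes the module name local_named_udp, the checkmodule/semodule_package/semodule tools from policycoreutils, and that named_t and the port_type attribute exist in the loaded policy.

```shell
#!/bin/sh
# Added example: local SELinux module granting named_t name_bind on any UDP
# port, the same rule as the Red Hat patch, packaged so it can be loaded
# without rebuilding the full policy sources.
# Assumptions (not from the original post): module name local_named_udp;
# checkmodule, semodule_package and semodule are installed; named_t and the
# port_type attribute are defined in the running policy.
set -e

# Write the module source (.te) into directory $1 and print its path.
write_named_udp_te() {
    dir=$1
    te="$dir/local_named_udp.te"
    cat > "$te" <<'EOF'
module local_named_udp 1.0;

# Types, attributes and classes this module references from the base policy.
require {
    type named_t;
    attribute port_type;
    class udp_socket name_bind;
}

# Same grant as the patched named.te: named may bind any labelled UDP port,
# so randomised source ports no longer produce AVC denials.
allow named_t port_type:udp_socket name_bind;
EOF
    echo "$te"
}

# Compile, package and load the module; under set -e any failing step aborts.
build_and_load() {
    te=$1
    base=${te%.te}
    checkmodule -M -m -o "$base.mod" "$te"
    semodule_package -o "$base.pp" -m "$base.mod"
    semodule -i "$base.pp"
}

# Count the allow rules in a generated .te (a quick sanity check before loading).
allow_rule_count() {
    grep -c '^allow ' "$1"
}

# Usage: sh local_named_udp.sh install   (writes the module in the cwd and loads it)
if [ "${1:-}" = "install" ]; then
    build_and_load "$(write_named_udp_te .)"
fi
```

After loading, a later `audit2allow` run should show no further udp_socket name_bind denials for named_t; `semodule -l | grep local_named_udp` confirms the module is active.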