Ralph Blach | 1 Aug 2010 17:35
Re: semanage


Thanks for the hint, now how do I find out which policies contain which
ports ?

Thanks

Chip

On 07/27/2010 08:29 PM, Jason Axelson wrote:
> On Tue, Jul 27, 2010 at 2:20 PM, Ralph Blach <chipper19522@...> wrote:
>> how do I use semanage to list the policy modules.
> 
> Hi Chip,
> 
> Perhaps you are looking for "semodule -l"? That will list out all the
> installed policy modules (besides base).
> 
> Jason
> 

Ralph Blach | 1 Aug 2010 17:43
Re: semanage


I have discovered that ports 443 and 22 are in module tcp.

How do I rewrite module tcp so that I can configure it as I want?

Where do I find module tcp?

I did a semanage port -l | grep 22 and module tcp was listed.
I did the same for port 443

Thanks

Chip

On 07/27/2010 08:29 PM, Jason Axelson wrote:
> On Tue, Jul 27, 2010 at 2:20 PM, Ralph Blach <chipper19522@...> wrote:
>> how do I use semanage to list the policy modules.
> 
> Hi Chip,
> 
> Perhaps you are looking for "semodule -l"? That will list out all the
> installed policy modules (besides base).
> 
> Jason
> 

Dominick Grift | 1 Aug 2010 18:02
Re: semanage

On 08/01/2010 05:43 PM, Ralph Blach wrote:
> I have discovered that ports 443 and 22 are in module tcp.
> 
> How do I rewrite module tcp so that I can configure it as I want?
> 
> Where do I find module tcp?
> 
> I did a semanage port -l | grep 22 and module tcp was listed.
> I did the same for port 443
> 
> Thanks

Ports are declared (defined) in the corenetwork module. This module is
part of the base module. Modules that are part of the base module are
not listed with semodule -l.

What exactly do you want to achieve? If you are specific about your
requirements we can try to help you implement it.

> Chip
> 
> On 07/27/2010 08:29 PM, Jason Axelson wrote:
>> On Tue, Jul 27, 2010 at 2:20 PM, Ralph Blach <chipper19522@...> wrote:
>>> how do I use semanage to list the policy modules.
> 
>> Hi Chip,
> 
>> Perhaps you are looking for "semodule -l"? That will list out all the
>> installed policy modules (besides base).

Ralph Blach | 1 Aug 2010 18:22
Re: semanage


To be specific, I want to run sshd on port 443, and not port 22, because
all the hackers probe port 22.

port 443 looks like httpd traffic and therefore is not really suspicious.

That is what I need to achieve so I need to modify the corenetwork
module to do this.

How is this done and where is the source for the core network module?

Thanks

Chip

On 08/01/2010 12:02 PM, Dominick Grift wrote:
> On 08/01/2010 05:43 PM, Ralph Blach wrote:
>> I have discovered that ports 443 and 22 are in module tcp.
>>
>> How do I rewrite module tcp so that I can configure it as I want?
>>
>> Where do I find module tcp?
>>
>> I did a semanage port -l | grep 22 and module tcp was listed.
>> I did the same for port 443
>>
>> Thanks
> 
> ports are declared (defined) in the corenetwork module. This module is
> part of the base module. modules that are part of the base module are

Dominick Grift | 1 Aug 2010 18:35
Re: semanage

On 08/01/2010 06:22 PM, Ralph Blach wrote:
> To be specific, I want to run sshd on port 443, and not port 22, because
> all the hackers probe port 22.
> 
> port 443 looks like httpd traffic and therefore is not really suspicious.
> 
> That is what I need to achieve so I need to modify the corenetwork
> module to do this.
> 
> How is this done and where is the source for the core network module?

Try this:

mkdir ~/mysshd; cd ~/mysshd;

cat <<'D_G' >mysshd.te
policy_module(mysshd, 1.0.0)
gen_require(`
type shorewall_t;
')
corenet_tcp_bind_http_ports(sshd_t)
D_G

That custom policy module should allow sshd to bind tcp sockets to http
ports (including tcp:443)

You can find source policy in the source package for your policy.

Here is the policy browser from upstream:
http://oss.tresys.com/projects/refpolicy/browser

Dominick Grift | 1 Aug 2010 18:41
Re: semanage

On 08/01/2010 06:35 PM, Dominick Grift wrote:
> On 08/01/2010 06:22 PM, Ralph Blach wrote:
>> To be specific, I want to run sshd on port 443, and not port 22, because
>> all the hackers probe port 22.
>>
>> port 443 looks like httpd traffic and therefore is not really suspicious.
>>
>> That is what I need to achieve so I need to modify the corenetwork
>> module to do this.
>>
>> How is this done and where is the source for the core network module?
> 
> Try this:
> 
> mkdir ~/mysshd; cd ~/mysshd;
> 
> cat <<'D_G' >mysshd.te
> policy_module(mysshd, 1.0.0)
> gen_require(`
> type shorewall_t;
> ')
> corenet_tcp_bind_http_ports(sshd_t)
> D_G
> 
> That custom policy module should allow sshd to bind tcp sockets to http
> ports (including tcp:443)

Of course you also have to build and install the custom module:

( below is how that is done in Fedora (RHEL5 requires that you also

Dominick Grift | 1 Aug 2010 18:43
Re: semanage

On 08/01/2010 06:41 PM, Dominick Grift wrote:
> On 08/01/2010 06:35 PM, Dominick Grift wrote:
>> On 08/01/2010 06:22 PM, Ralph Blach wrote:
>>> To be specific, I want to run sshd on port 443, and not port 22, because
>>> all the hackers probe port 22.
>>>
>>> port 443 looks like httpd traffic and therefore is not really suspicious.
>>>
>>> That is what I need to achieve so I need to modify the corenetwork
>>> module to do this.
>>>
>>> How is this done and where is the source for the core network module?
>>
>> Try this:
>>
>> mkdir ~/mysshd; cd ~/mysshd;
>>
>> cat <<'D_G' >mysshd.te
>> policy_module(mysshd, 1.0.0)
>> gen_require(`

>> type shorewall_t;

And this needs to be ..

type sshd_t;

.. instead

>> ')

Ralph Blach | 1 Aug 2010 19:44
Re: semanage (Thanks all)


Thanks all

If I have any problems I will repost.

Chip

On 08/01/2010 12:43 PM, Dominick Grift wrote:
> On 08/01/2010 06:41 PM, Dominick Grift wrote:
>> On 08/01/2010 06:35 PM, Dominick Grift wrote:
>>> On 08/01/2010 06:22 PM, Ralph Blach wrote:
>>>> To be specific, I want to run sshd on port 443, and not port 22, because
>>>> all the hackers probe port 22.
>>>>
>>>> port 443 looks like httpd traffic and therefore is not really suspicious.
>>>>
>>>> That is what I need to achieve so I need to modify the corenetwork
>>>> module to do this.
>>>>
>>>> How is this done and where is the source for the core network module?
>>>
>>> Try this:
>>>
>>> mkdir ~/mysshd; cd ~/mysshd;
>>>
>>> cat <<'D_G' >mysshd.te
>>> policy_module(mysshd, 1.0.0)
>>> gen_require(`
> 
>>> type shorewall_t;

Dominick Grift | 1 Aug 2010 21:59
Re: semanage (Thanks all)

On 08/01/2010 07:44 PM, Ralph Blach wrote:
> Thanks all
> 
> If I have any problems I will repost.

I might have made some small syntax errors like

corenet_tcp_bind_http_ports(sshd_t)
vs.
corenet_tcp_bind_http_port(sshd_t)

But you can just as easily use audit2allow to generate a module to allow it.

Also use the policy browser url to reference some of the available macros.

And of course if any issues, let us know.

> Chip
> 
> On 08/01/2010 12:43 PM, Dominick Grift wrote:
>> On 08/01/2010 06:41 PM, Dominick Grift wrote:
>>> On 08/01/2010 06:35 PM, Dominick Grift wrote:
>>>> On 08/01/2010 06:22 PM, Ralph Blach wrote:
>>>>> To be specific, I want to run sshd on port 443, and not port 22, because
>>>>> all the hackers probe port 22.
>>>>>
>>>>> port 443 looks like httpd traffic and therefore is not really suspicious.
>>>>>
>>>>> That is what I need to achieve so I need to modify the corenetwork
>>>>> module to do this.
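
The procedure spread over Dominick's replies (write the .te, build it with the policy devel Makefile, install it with semodule, or let audit2allow derive it from the denial) in one runnable script, as an added example that is not code from the thread. It applies the two corrections made later in the thread (require "type sshd_t;", not shorewall_t; the interface is corenet_tcp_bind_http_port in the singular, as refpolicy declares it) and escapes the m4 backquote in gen_require(` so the shell does not read it as a command substitution, which is what an unquoted <<D_G heredoc would do. The AVC line is constructed, the module name and ~/mysshd directory follow the thread, and the /usr/share/selinux/devel layout is the selinux-policy-devel package on Fedora/RHEL (an assumption):

```shell
#!/bin/sh
# Added example (not from the thread): turn the AVC denial that sshd produces
# when told to listen on tcp/443 into a policy module that grants the bind
# through refpolicy's corenet interface, then build, install and verify it.
# Assumptions: module name mysshd and directory ~/mysshd as in the thread;
# selinux-policy-devel layout under /usr/share/selinux/devel (Fedora/RHEL).

# Constructed denial of the kind /var/log/audit/audit.log shows after setting
# "Port 443" in sshd_config without any policy change (sample, not captured).
AVC_SAMPLE='type=AVC msg=audit(1280700000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="sshd" src=443 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket'

# Print "<source type> <target type> <class> <permission>" for one AVC line.
avc_fields() {
    printf '%s\n' "$1" | sed -n \
      's/.*denied *{ *\([a-z_]*\) *}.*scontext=[^:]*:[^:]*:\([a-z_]*\):.*tcontext=[^:]*:[^:]*:\([a-z_]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# Emit .te source for "<domain> may bind the port type <x_port_t>" using the
# refpolicy naming pattern corenet_tcp_bind_<x>_port (http_port_t ->
# corenet_tcp_bind_http_port). audit2allow -M would instead emit the raw rule
# "allow sshd_t http_port_t:tcp_socket name_bind;", which works but bypasses
# the interface. The heredoc is unquoted so ${domain} expands, therefore the
# m4 backquote must be escaped as \` (with a quoted delimiter, <<'D_G', it
# could be written bare, as in the corrected version of the thread's snippet).
mysshd_te() {
    domain=$1
    name=${2%_port_t}
    cat <<EOF
policy_module(mysshd, 1.0.0)

gen_require(\`
    type ${domain};
')

# allow ${domain} to bind tcp sockets to ports labelled ${2} (tcp:443 and friends)
corenet_tcp_bind_${name}_port(${domain})
EOF
}

# From one denial line to module source; only tcp name_bind denials apply.
avc_to_te() {
    set -- $(avc_fields "$1")
    [ "$#" -eq 4 ] && [ "$3" = tcp_socket ] && [ "$4" = name_bind ] || return 1
    mysshd_te "$1" "$2"
}

# Build, install and verify; needs root and the policy devel tools (assumption).
mysshd_install() {
    dir=${1:-$HOME/mysshd}
    mkdir -p "$dir" || return 1
    avc_to_te "$AVC_SAMPLE" > "$dir/mysshd.te" || return 1
    # confirm the interface name in corenetwork.if instead of guessing the plural
    set -- $(avc_fields "$AVC_SAMPLE")
    iface="corenet_tcp_bind_${2%_port_t}_port"
    grep -q "^interface(.${iface}'" \
        /usr/share/selinux/devel/include/kernel/corenetwork.if || return 1
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile mysshd.pp ) || return 1
    semodule -i "$dir/mysshd.pp" || return 1
    semodule -l | grep -q '^mysshd' || return 1
    # 443 keeps its http_port_t label, so httpd is unaffected; sshd_t may now bind it too
    semanage port -l | grep -E '^(ssh|http)_port_t'
}

# Run the install only when asked, so the file can be sourced for its helpers.
if [ "${MYSSHD_INSTALL:-0}" = 1 ]; then
    mysshd_install
fi
```

After `semodule -i` the SELinux side is done, but sshd still needs `Port 443` in /etc/ssh/sshd_config and the firewall must pass tcp/443; the module only lifts the label check. The other route, `semanage port -m -t ssh_port_t -p tcp 443`, relabels the port itself from http_port_t to ssh_port_t, so a web server on the same host would then be denied 443; the module keeps the http label and just lets sshd_t bind it as well. Moving the port cuts log noise from scanners but is not hardening on its own; key-only authentication and rate limiting are what stop the probes that do find it.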

Ralph Blach | 1 Aug 2010 23:06
Re: semanage


Ok, you said

cat <<'D_G' >mysshd.te

is D_G a file someplace?

Thanks

Chip

On 08/01/2010 12:43 PM, Dominick Grift wrote:
> On 08/01/2010 06:41 PM, Dominick Grift wrote:
>> On 08/01/2010 06:35 PM, Dominick Grift wrote:
>>> On 08/01/2010 06:22 PM, Ralph Blach wrote:
>>>> To be specific, I want to run sshd on port 443, and not port 22, because
>>>> all the hackers probe port 22.
>>>>
>>>> port 443 looks like httpd traffic and therefore is not really suspicious.
>>>>
>>>> That is what I need to achieve so I need to modify the corenetwork
>>>> module to do this.
>>>>
>>>> How is this done and where is the source for the core network module?
>>>
>>> Try this:
>>>
>>> mkdir ~/mysshd; cd ~/mysshd;
>>>
>>> cat <<'D_G' >mysshd.te

