I found that named (bind 9.1.0) didn't work on SELinux (LSM-based Prototype)
even if the kernel was in flask development mode.
Named doesn't respond to nslookup.
I can use other services (httpd, sendmail, ftpd). And named works on usual Linux (2.4.3, 2.4.9) and on the original SELinux prototype.
I installed SELinux (LSM-based Prototype) in development mode in RH7.1. And the kernel configuration options are the following:
CONFIG_NETFILTER="Y"
CONFIG_CAPABILITIES="N"
CONFIG_SELINUX="Y"
CONFIG_LSM_IP="Y"
The startup log of named is the following.
Sep 25 15:11:54 myhost named[797]: starting BIND 9.1.0 -u named
Sep 25 15:11:54 myhost named[797]: using 1 CPU
Sep 25 15:11:54 myhost named: named startup succeeded
Sep 25 15:11:54 myhost named[801]: loading configuration from '/etc/named.conf'
Sep 25 15:11:54 myhost named[801]: could not listen on UDP socket: permission denied
Sep 25 15:11:54 myhost named[801]: creating IPv4 interface lo failed; interface ignored
Sep 25 15:11:54 myhost named[801]: listening on IPv4 interface eth0, 133.xxx.x.75#53
Sep 25 15:11:54 myhost named[801]: could not listen on UDP socket: permission denied
Sep 25 15:11:54 myhost named[801]: creating IPv4 interface eth0 failed; interface ignored
Sep 25 15:11:54 myhost named[801]: not listening on any interfaces
Why doesn't named work on the LSM-based prototype?
Did I miss a kernel configuration option or something else?
Please tell me.
-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
From: Stephen Smalley <sds_at_tislabs.com>
On Tue, 25 Sep 2001, Yuichi Nakamura wrote:
> I found that named (bind 9.1.0) didn't work on SELinux (LSM-based Prototype)
> even if the kernel was in flask development mode.
>
> Why doesn't named work on the LSM-based prototype?
Did you apply the patch that I posted to the mailing list for
selinux_ip_postroute (See
http://marc.theaimsgroup.com/?l=selinux&m=99962056431023&w=2).
If not, then apply this patch and try again. If you already
applied this patch, then check /var/log/messages and/or the output of
'dmesg' for any messages, particularly ones from selinux_ip_postroute.
Also, be aware that an updated release should be available soon based on 2.4.10 with a number of bug fixes and improvements to both LSM and SELinux.
-- Stephen D. Smalley, NAI Labs ssmalley@nai.com
From: Chris Vance <cvance_at_tislabs.com>
With Red Hat 7.1, the default configuration for named uses the '-u' flag to tell named to run as the specified user. For Linux, named uses the kernel's capability mechanism to drop all root privileges except the ability to bind() to a privileged port.
As a result, the '-u' option requires Linux kernel capability checks. While the prior SELinux prototype retained these checks, the current LSM-based kernel removes the capabilities checks from the kernel and places them in a separately configurable LSM module.
We are currently investigating ways to compose the SELinux module with the capabilities module or reproduce the capabilities checks in SELinux, so that we can retain all of the original Linux kernel checks. However, the current LSM-based SELinux distribution does not perform kernel capability checks.
In the meantime, if you start named without that option, it should run normally. Since the default SELinux policy does not contain support for named, I would recommend adding a domain and appropriate permissions.
Has anyone on this list already created a policy for named?
chris.
On Tue, 25 Sep 2001, Yuichi Nakamura wrote:
> I found that named (bind 9.1.0) didn't work on SELinux (LSM-based Prototype)
> even if the kernel was in flask development mode.
>
> Named doesn't respond to nslookup.
>
> I can use other services (httpd, sendmail, ftpd).
> And named works on usual Linux (2.4.3, 2.4.9) and on the original SELinux
> prototype.
>
> I installed SELinux (LSM-based Prototype) in development mode in RH7.1.
> And the kernel configuration options are the following:
> CONFIG_NETFILTER="Y"
> CONFIG_CAPABILITIES ="N"
> CONFIG_SELINUX="Y"
> CONFIG_LSM_IP="Y".
>
> The startup log of named is following.
> --------------------------------------------------------
> Sep 25 15:11:54 myhost named[797]: starting BIND 9.1.0 -u named
> Sep 25 15:11:54 myhost named[797]: using 1 CPU
> Sep 25 15:11:54 myhost named: named startup succeeded
> Sep 25 15:11:54 myhost named[801]: loading configuration from
> '/etc/named.conf'
> Sep 25 15:11:54 myhost named[801]: the default for the 'auth-nxdomain'
> option is now 'no'
> Sep 25 15:11:54 myhost named[801]: no IPv6 interfaces found
> Sep 25 15:11:54 myhost named[801]: listening on IPv4 interface lo,
> 127.0.0.1#53
>
> Sep 25 15:11:54 myhost named[801]: could not listen on UDP socket:
> permission denied
>
> Sep 25 15:11:54 myhost named[801]: creating IPv4 interface lo failed;
> interface ignored
> Sep 25 15:11:54 myhost named[801]: listening on IPv4 interface eth0,
> 133.xxx.x.75#53
>
> Sep 25 15:11:54 myhost named[801]: could not listen on UDP socket:
> permission denied
>
> Sep 25 15:11:54 myhost named[801]: creating IPv4 interface eth0 failed;
> interface ignored
> Sep 25 15:11:54 myhost named[801]: not listening on any interfaces
> -------------------------------------------------------------
>
> Why doesn't named work on the LSM-based prototype?
>
> Did I miss a kernel configuration option or something else?
>
> Please tell me.
From: Yuichi Nakamura <ynakam_at_ori.hitachi-sk.co.jp>
I could use named (bind 9.1.0) on SELinux-lsm. Named worked without the option
"-u". When I used Stephen Smalley's patch (cap_stack.patch), it worked with the
option "-u". Thank you!
Chris Vance wrote:
>Has anyone on this list already created a policy for named?
The policy files for named which I used are the following (for RH 7.1). I created named.te and modified file_contexts, initrc.te, network.te, net_contexts, and rbac.
################
#setfiles/file_contexts
/var/named(|/.*)	system_u:object_r:named_conf_t
/etc/named.conf		system_u:object_r:named_conf_t
/usr/sbin/named		system_u:object_r:named_exec_t
#########################
#policy/domains/system/named.te
# named_t is a general domain label and can communicate with syslog.
type named_t, domain, privlog;
# A type for /usr/sbin/named
type named_exec_t, file_type, sysadmfile, exec_type;
# A type for configuration files of named.
type named_conf_t, file_type, sysadmfile;
# A type for files in /var/run specific to named
type named_var_run_t, file_type, sysadmfile;
# Use capabilities. Surplus capabilities may be allowed.
allow named_t named_t:capability { setuid setgid net_bind_service };
# Inherit and use descriptors from init.
allow named_t init_t:fd inherit_fd_perms;
# named can use the network
can_network(named_t)
# Bind to the named port.
allow named_t named_port_t:udp_socket name_bind;
# Allow named_t to put a pid file in /var/run
file_type_auto_trans(named_t, var_run_t, named_var_run_t)
# named can append to log files.
allow named_t var_log_t:file ra_file_perms;
# read configuration files
allow named_t named_conf_t:file r_file_perms;
allow named_t named_conf_t:dir search;
# when sysadm_t runs named.
# Don't forget to add an entry in rbac (role sysadm_r types { named_t }).
#domain_auto_trans(sysadm_t, named_exec_t, named_t)
########################
#policy/domains/system/initrc.te
domain_auto_trans(initrc_t, named_exec_t, named_t)
###################
#policy/types/network.te
type named_port_t, port_type;
###############
#policy/net_contexts
udp 53 system_u:object_r:named_port_t
##########
#policy/rbac
role system_r types {
.... .... ....
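The following checker is an added example, not code from this thread or from the SELinux example policy. It takes the plain `allow` rules and the file_contexts entries posted above and answers the two questions worth confirming before `make load` and `make relabel`: which type setfiles will give a path, and whether a given (source type, target type, class, permission) is granted. The permission-set macros (r_file_perms, ra_file_perms, inherit_fd_perms) are expanded with assumed definitions because the thread does not show them, and the last-match-wins labelling rule is an assumption about setfiles' behaviour. Rule-generating macros (can_network, file_type_auto_trans, domain_auto_trans) are deliberately not expanded, so any access they grant reports as denied; that is the caveat to keep in mind when reading its output.

```python
"""
Added example: a minimal checker for the named policy fragments posted in
this thread. It handles plain 'allow' rules and setfiles file_contexts
entries only. Macro expansions and the labelling rule are assumptions.
"""
import re

# Plain allow rules copied from the posted named.te (macros that generate
# rules, such as can_network(named_t), are intentionally left out).
POLICY = """
allow named_t named_t:capability { setuid setgid net_bind_service };
allow named_t init_t:fd inherit_fd_perms;
allow named_t named_port_t:udp_socket name_bind;
allow named_t var_log_t:file ra_file_perms;
allow named_t named_conf_t:file r_file_perms;
allow named_t named_conf_t:dir search;
"""

# file_contexts entries copied from the post.
FILE_CONTEXTS = """
/var/named(|/.*)  system_u:object_r:named_conf_t
/etc/named.conf   system_u:object_r:named_conf_t
/usr/sbin/named   system_u:object_r:named_exec_t
"""

# ASSUMED expansions of the permission-set macros used by the rules. The
# real definitions live in the example policy's macro files, which the
# thread does not show; these stand-ins are only meant to be plausible.
PERM_MACROS = {
    "r_file_perms": {"read", "getattr", "lock", "ioctl"},
    "ra_file_perms": {"read", "getattr", "lock", "ioctl", "append"},
    "inherit_fd_perms": {"inherit", "receive"},
}

# allow <source> <target>:<class> <perm | { perm ... }> ;
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def expand_perms(spec):
    """Turn '{ a b }' or a bare name into a set of permissions, expanding macros."""
    perms = set()
    for name in spec.strip("{} ").split():
        perms |= PERM_MACROS.get(name, {name})
    return perms


def parse_allow_rules(text):
    """Return {(source, target, class): set(perms)} for every plain allow rule."""
    rules = {}
    for match in ALLOW_RE.finditer(text):
        src, tgt, cls, spec = match.groups()
        rules.setdefault((src, tgt, cls), set()).update(expand_perms(spec))
    return rules


def allowed(rules, src, tgt, cls, perm):
    """True if the parsed rules grant perm on (src, tgt, cls); False otherwise."""
    return perm in rules.get((src, tgt, cls), set())


def parse_file_contexts(text):
    """Return [(compiled_regex, context)] in file order, skipping blanks/comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, context = line.split(None, 1)
        entries.append((re.compile(pattern), context.strip()))
    return entries


def label_for(entries, path):
    """Label a path as setfiles would (assumed: whole-path match, last match wins)."""
    label = None
    for regex, context in entries:
        if regex.fullmatch(path):
            label = context
    return label


if __name__ == "__main__":
    rules = parse_allow_rules(POLICY)
    contexts = parse_file_contexts(FILE_CONTEXTS)
    for path in ("/var/named", "/var/named/db.root", "/etc/named.conf", "/etc/passwd"):
        print(f"{path} -> {label_for(contexts, path)}")
    for query in (("named_t", "named_port_t", "udp_socket", "name_bind"),
                  ("named_t", "named_t", "capability", "net_bind_service"),
                  ("named_t", "var_log_t", "file", "write")):
        print(f"{query} -> {'allowed' if allowed(rules, *query) else 'denied'}")
```

Running it shows that named_t may name_bind the udp_socket labelled named_port_t and holds net_bind_service, while a write (as opposed to append) on var_log_t files is denied under the assumed ra_file_perms expansion; a query about /var/run files comes back denied only because file_type_auto_trans is not expanded here.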
From: Stephen Smalley <sds_at_tislabs.com>
On Tue, 2 Oct 2001, Yuichi Nakamura wrote:
> The policy files for named which I used are the following (for RH 7.1). I created
> named.te and modified file_contexts, initrc.te, network.te, net_contexts, and rbac.
Thanks for the named policy configuration. I've attached a patch relative to the 9/26 release that updates the example policy to include your named domain. To apply this patch, save it to named.patch, change to your selinux directory, and run 'patch -p1 < named.patch'. Then, do a 'make load' in the policy directory and a 'make relabel' in the setfiles directory.
-- Stephen D. Smalley, NAI Labs ssmalley@nai.com
- TEXT/PLAIN attachment: named.patch
This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT