Kmaiti


Monday, 29 August 2011

How to create custom SELinux module on linux box?

Posted on 06:54 by Unknown
Background scenario :

Here sftp had been set up on a Linux box, but sshd was not allowing the sftp users to access their directories. The following messages were found in audit.log (the second line is the AVC denial: the sshd_t domain is refused getattr on /chroots, which carries the default_t label):
----
type=CRED_ACQ msg=audit(1314648699.931:26195): user pid=25524 uid=0 auid=503 ses=671 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="user" exe="/usr/sbin/sshd" hostname=kmaiti.pnq.redhat.com addr=10.65.192.160 terminal=ssh res=success'
type=AVC msg=audit(1314648699.931:26196): avc: denied { getattr } for pid=25524 comm="sshd" path="/chroots" dev=dm-0 ino=34612 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
----

To allow the source context (sshd_t) access to the target context (default_t:dir), I created a custom policy module from the denial and loaded it into SELinux. Before compiling, read the generated sftplocal.te: audit2allow turns every AVC denial it is fed into an allow rule, and the grep below matches any audit line that mentions sshd_t, not only the /chroots denial, so remove any rule you did not intend to grant. Note also that default_t is the label SELinux gives to files under a path it has no file-context rule for; the narrower fix is to give /chroots a label that sshd already has permission for (semanage fcontext plus restorecon) rather than opening sshd_t to everything labelled default_t.

# grep sshd_t /var/log/audit/audit.log | audit2allow -m sftplocal > sftplocal.te
# checkmodule -M -m -o sftplocal.mod sftplocal.te
# semodule_package -o sftplocal.pp -m sftplocal.mod
# semodule -i sftplocal.pp
# semodule -l | grep sftplocal
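The review step is easier when you can see, for a given log, exactly which allow rules a module would end up with. The script below is an added example, not part of the original post: the gen_te function (a hypothetical name) reads AVC denials from stdin and prints module source in the same shape that audit2allow -m produces for simple denials, but only for denials whose source type is the domain you name. The audit lines it runs on are constructed for this example (modelled on the denial above plus an unrelated httpd_t denial that a plain grep for sshd_t would also sweep in); hostname and address are placeholders. It assumes a POSIX sh and awk, and it is a review aid, not a replacement for audit2allow.

```shell
#!/bin/sh
# Constructed sample audit lines for this example (not a real log). Line 2 is the
# /chroots denial from the post; line 3 is a follow-on denial on the same directory;
# line 4 mentions sshd_t only as the *target* and must not become an allow rule.
SAMPLE_AUDIT=$(cat <<'EOF'
type=CRED_ACQ msg=audit(1314648699.931:26195): user pid=25524 uid=0 auid=503 ses=671 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="user" exe="/usr/sbin/sshd" hostname=example.invalid addr=192.0.2.10 terminal=ssh res=success'
type=AVC msg=audit(1314648699.931:26196): avc: denied { getattr } for pid=25524 comm="sshd" path="/chroots" dev=dm-0 ino=34612 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1314648700.002:26197): avc: denied { read search } for pid=25524 comm="sshd" name="chroots" dev=dm-0 ino=34612 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1314648701.100:26198): avc: denied { signal } for pid=2201 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process
EOF
)

# gen_te MODULE_NAME SOURCE_TYPE < audit.log
# Emits .te source (module, require block, allow rules) for denials whose
# scontext type is SOURCE_TYPE. Exit status 1 if no such denial was seen,
# so an empty module is never produced by accident.
gen_te() {
    awk -v mod="$1" -v dom="$2" '
    /^type=AVC / && /avc: +denied \{/ {
        # permissions sit between "denied {" and the closing "}"
        match($0, /denied \{[^}]*\}/)
        perms = substr($0, RSTART + 8, RLENGTH - 9)
        gsub(/^ +| +$/, "", perms)

        # scontext/tcontext are user:role:type[:range]; the type is field 3
        match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
        match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
        match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
        stype = s[3]; ttype = t[3]

        # keep only denials where the requested domain is the source;
        # a loose grep would also match lines where it is merely the target
        if (stype != dom) next

        key = stype ":" ttype ":" cls
        if (!(key in rule))       { rule_order[++nr] = key; rule[key] = "" }
        if (!(ttype in type_seen)) { type_seen[ttype] = 1; type_order[++nt] = ttype }
        if (!(cls in class_seen))  { class_seen[cls] = 1; class_order[++nc] = cls; class_perms[cls] = "" }

        # merge permissions per (source, target, class), de-duplicated, in first-seen order
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) {
            if (!((key, p[i]) in rule_perm)) { rule_perm[key, p[i]] = 1; rule[key] = rule[key] " " p[i] }
            if (!((cls, p[i]) in cls_perm))  { cls_perm[cls, p[i]] = 1;  class_perms[cls] = class_perms[cls] " " p[i] }
        }
    }
    END {
        if (nr == 0) exit 1
        printf "module %s 1.0;\n\nrequire {\n", mod
        printf "\ttype %s;\n", dom
        for (i = 1; i <= nt; i++) if (type_order[i] != dom) printf "\ttype %s;\n", type_order[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", class_order[i], class_perms[class_order[i]]
        printf "}\n\n#============= %s ==============\n", dom
        for (i = 1; i <= nr; i++) {
            split(rule_order[i], k, ":")
            printf "allow %s %s:%s {%s };\n", k[1], k[2], k[3], rule[rule_order[i]]
        }
    }'
}

# On the constructed sample this prints one rule: allow sshd_t default_t:dir { getattr read search };
# On a real box: gen_te sftplocal sshd_t < /var/log/audit/audit.log > sftplocal.te
printf '%s\n' "$SAMPLE_AUDIT" | gen_te sftplocal sshd_t
```

The httpd_t line is dropped because sshd_t is only its target, and the two /chroots denials collapse into a single allow rule; that single line is what you should compare against the page's denial before running checkmodule on the file. If you disagree with a rule, delete it from the .te rather than loading the module and hoping for the best.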

To disable the module without removing it (semodule takes the module name, not the .pp file):

# semodule -d sftplocal

To remove it entirely:

# semodule -r sftplocal

Try again: the sftp user will now be able to log in.

