Security Enhanced Linux
SELinux Mailing List
From: Yuichi Nakamura <ynakam_at_ori.hitachi-sk.co.jp>
subject: I can't use named on LSM-based Prototype. Why?
Date: Tue, 25 Sep 2001 16:40:35 +0900
Named doesn't respond to nslookup. I can use other services (httpd, sendmail, ftpd). And named works on usual Linux (2.4.3, 2.4.9) and on the original SELinux prototype.
I installed SELinux (LSM-based Prototype) in development mode on RH7.1, and the kernel configuration options are as follows:
CONFIG_NETFILTER="Y"
CONFIG_CAPABILITIES="N"
CONFIG_SELINUX="Y"
CONFIG_LSM_IP="Y"
The startup log of named is as follows:
Sep 25 15:11:54 myhost named[797]: starting BIND 9.1.0 -u named
Sep 25 15:11:54 myhost named[797]: using 1 CPU
Sep 25 15:11:54 myhost named: named startup succeeded
Sep 25 15:11:54 myhost named[801]: loading configuration from '/etc/named.conf'
Sep 25 15:11:54 myhost named[801]: the default for the 'auth-nxdomain' option is now 'no'
Sep 25 15:11:54 myhost named[801]: no IPv6 interfaces found
Sep 25 15:11:54 myhost named[801]: listening on IPv4 interface lo, 127.0.0.1#53
Sep 25 15:11:54 myhost named[801]: could not listen on UDP socket: permission denied
Sep 25 15:11:54 myhost named[801]: creating IPv4 interface lo failed; interface ignored
Sep 25 15:11:54 myhost named[801]: could not listen on UDP socket: permission denied
Sep 25 15:11:54 myhost named[801]: creating IPv4 interface eth0 failed; interface ignored
Why doesn't named work on the LSM-based prototype? Did I miss a kernel configuration option or something else? Please tell me.

Yuichi Nakamura
Hitachi Software Engineering Co.,Ltd.
ynakam@ori.hitachi-sk.co.jp
--
You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: I can't use named on LSM-based Prototype. Why?
Date: Tue, 25 Sep 2001 08:21:54 -0400 (EDT)
On Tue, 25 Sep 2001, Yuichi Nakamura wrote:
> I found that named(bind 9.1.0) didn't work on SELinux(LSM-based Prototype)
Did you apply the patch that I posted to the mailing list for selinux_ip_postroute (See
Also, be aware that an updated release should be available soon based on 2.4.10 with a number of bug fixes and improvements to both LSM and SELinux.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

From: Chris Vance <cvance_at_tislabs.com>
subject: Re: I can't use named on LSM-based Prototype. Why?
Date: Thu, 27 Sep 2001 09:35:49 -0400 (EDT)
With RedHat 7.1, the default configuration for named uses the '-u' flag to tell named to run as the specified user. For Linux, named uses the kernel's capability mechanism to drop all root privileges except the ability to bind() to a privileged port. As a result, the '-u' option requires Linux kernel capability checks.

While the prior SELinux prototype retained these checks, the current LSM-based kernel removes the capabilities checks from the kernel and places them in a separately configurable LSM module. We are currently investigating ways to compose the SELinux module with the capabilities module or reproduce the capabilities checks in SELinux, so that we can retain all of the original Linux kernel checks. However, the current LSM-based SELinux distribution does not perform kernel capability checks.

In the meantime, if you start named without that option, it should run normally. Since the default SELinux policy does not contain support for named, I would recommend adding a domain and appropriate permissions. Has anyone on this list already created a policy for named?

chris.

On Tue, 25 Sep 2001, Yuichi Nakamura wrote:
> I found that named(bind 9.1.0) didn't work on SELinux(LSM-based Prototype)

From: Yuichi Nakamura <ynakam_at_ori.hitachi-sk.co.jp>
subject: Re: I can't use named on LSM-based Prototype. Why?
Date: Tue, 2 Oct 2001 13:19:01 +0900
Chris Vance wrote:
The policy files for named which I used are as follows (for RH 7.1). I created named.te and modified file_contexts, initrc.te, network.te, net_contexts, rbac.

################
/var/named(|/.*)	system_u:object_r:named_conf_t
/etc/named.conf	system_u:object_r:named_conf_t
/usr/sbin/named	system_u:object_r:named_exec_t

#policy/domains/system/named.te
#By Y.Nakamura
#named_t is general domain label and can communicate with syslog.
#A type for /usr/sbin/named
# A type for configuration files of named.
# A type for files in /var/run specific to named
# Use capabilities. Surplus capabilities may be allowed.
# Inherit and use descriptors from init.
#Named can use network
# Bind to the named port.
# Allow named_t to put a pid file in /var/run
#named can append to log files.
#read configuration files
#when sysadm_t runs named.
########################
###################
###############
##########
....
....
....
	named_t	#added
};
#END

Yuichi Nakamura
Hitachi Software Engineering Co.,Ltd.
ynakam@ori.hitachi-sk.co.jp

From: Stephen Smalley <sds_at_tislabs.com>
subject: [PATCH] Re: I can't use named on LSM-based Prototype. Why?
Date: Tue, 2 Oct 2001 10:11:57 -0400 (EDT)
On Tue, 2 Oct 2001, Yuichi Nakamura wrote:
> The policy files for named which I used are following(for RH 7.1). I created

Thanks for the named policy configuration. I've attached a patch relative to the 9/26 release that updates the example policy to include your named domain. To apply this patch, save it to named.patch, change to your selinux directory, and run 'patch -p1 < named.patch'. Then, do a 'make load' in the policy directory and a 'make relabel' in the setfiles directory.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
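As an added illustration of the mechanism Chris Vance describes earlier in this thread (example code written for this archive page, not taken from BIND or from the SELinux prototype): the keep-caps / setuid / capset sequence that a daemon started as 'named -u user' relies on, followed by the bind() to port 53 that then depends on the kernel still honouring capability checks. It assumes a Linux kernel with capability checks in place; the function names are the example's own. Run as non-root the drop fails and the bind reports permission denied, the same symptom as in the original log.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Bitmask with only the given capability numbers set (first 32 capabilities). */
unsigned int cap_mask(const int *caps, int ncaps)
{
    unsigned int mask = 0;
    for (int i = 0; i < ncaps; i++)
        if (caps[i] >= 0 && caps[i] < 32)
            mask |= 1u << caps[i];
    return mask;
}
/* Become uid/gid while keeping only CAP_NET_BIND_SERVICE (must start as root); 0 or -errno. */
int drop_to_user_keep_bind(uid_t uid, gid_t gid)
{
    const int wanted[] = { CAP_NET_BIND_SERVICE };
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0, 0, 0 }, { 0, 0, 0 } };
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -errno; /* keep permitted caps across setuid() */
    if (setgid(gid) < 0 || setuid(uid) < 0) return -errno;      /* the effective set is cleared here */
    data[0].permitted = data[0].effective = cap_mask(wanted, 1); /* re-raise only the bind capability */
    if (syscall(SYS_capset, &hdr, data) < 0) return -errno;
    return 0;
}
/* Try to bind a UDP socket to port on the wildcard address; 0 on success, -errno otherwise. */
int try_bind_udp(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -errno;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) }; /* INADDR_ANY */
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ? -errno : 0;
    close(fd);
    return rc;
}
int main(void)
{
    int rc = drop_to_user_keep_bind(getuid(), getgid()); /* as root, pass the service uid/gid instead */
    printf("privilege drop: %s\n", rc ? strerror(-rc) : "ok");
    rc = try_bind_udp(53);
    printf("bind *:53: %s\n", rc ? strerror(-rc) : "ok");
    return 0;
}
```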
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |