Gentoo Forums
trying to create selinux policy for autossh
Forum: Networking & Security

Posted: Mon Oct 01, 2018 8:17 am    Post subject: trying to create selinux policy for autossh

I have an SELinux targeted system where I want to create a policy for autossh, which is launched through /etc/local.d, and I want to create this policy so it gets into a context where it can access /home/autossh/.ssh/* (known_hosts and id_rsa in particular).
</grouped_placeholder_never_emitted>

I want it in the user_u context/domain, and my system uses the targeted policy.

When the system boots it runs this script...


start-stop-daemon --user autossh --exec /usr/bin/autossh -- -M 0 -fN obfuscated.onion -D 1080
sleep 15

Which works fine, because in /etc/selinux/config I have it permissive.

Other local.d scripts run and then this last one starts enforcing...


setenforce 1

After this, if the connection to obfuscated.onion dies, autossh can no longer start because it can't read the keys in /home/autossh/.ssh (and they're not in var because this user has a shell so I can ssh-copy-id, and other lazy reasons).

So I decided to learn more about SELinux, and discovered I can do this...

# sepolicy generate --init /usr/bin/autossh
Can not get port types, must be root for this information
Created the following files:
/root/autossh-policy/autossh.te # Type Enforcement file
/root/autossh-policy/autossh.if # Interface file
/root/autossh-policy/autossh.fc # File Contexts file
/root/autossh-policy/ # Setup Script

Then I can add the file contexts to autossh.fc. The last two lines are my attempt, but to be honest I'm not really sure what I'm doing at this point. This is where I need help, basically, and an explanation based on reason, not faith, if possible for a newbie like myself.

/usr/bin/autossh                --      gen_context(system_u:object_r:autossh_exec_t,s0)
/home/autossh/.ssh/known_hosts  --      gen_context(user_u:object_r:ssh_home_t,s0)
/home/autossh/.ssh/id_rsa       --      gen_context(user_u:object_r:ssh_home_t,s0)

Here is the heartbreaking bit, I might need to emerge something...

# ./
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile autossh.pp
make: /usr/share/selinux/devel/Makefile: No such file or directory
make: *** No rule to make target '/usr/share/selinux/devel/Makefile'.  Stop.

I was in #gentoo-hardened on freenode and a good Samaritan told me I could do this to build the module.

# make -f /usr/share/selinux/targeted/include/Makefile autossh.pp

This worked and the module built, which leaves me with one remaining question: how can I break the connection to obfuscated.onion that autossh is making, to test that this works while the system is running?

So all in all I have three questions.
* Am I right in doing that with file contexts or is it obvious this won't work and why?
* Am I missing something related to SELinux policy development I can emerge?
* How can I disrupt a single TCP connection to test that what I am doing works?
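As an added example (not the poster's files and not part of the thread), here is a small script that writes a minimal autossh policy module and builds it with the targeted Makefile the poster found. It labels only the executable in the .fc and instead grants the new domain read access to the ssh_home_t type that the base policy already uses for ~/.ssh; the interface names init_daemon_domain, ssh_read_user_home_files and ssh_domtrans are assumed to exist in the installed reference policy headers, and the .ssh files are assumed to already carry the ssh_home_t label (check with `ls -Z /home/autossh/.ssh`).

```shell
#!/bin/sh
# Added example, not the poster's code. Interface names below are assumed to
# exist in the installed reference policy; verify before loading, e.g.:
#   grep -rl ssh_read_user_home_files /usr/share/selinux/targeted/include/
set -eu

# Write autossh.te and autossh.fc into $1. Pure file writing, so it can be
# run (and checked) on a machine without the SELinux toolchain.
write_policy() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/autossh.te" <<'EOF'
policy_module(autossh, 1.0.0)

type autossh_t;
type autossh_exec_t;
init_daemon_domain(autossh_t, autossh_exec_t)

# Keys and known_hosts under ~/.ssh keep the base policy's ssh_home_t label;
# grant read access to that type instead of relabelling the files.
ssh_read_user_home_files(autossh_t)

# autossh forks the real ssh client; let that child transition to ssh_t.
ssh_domtrans(autossh_t)

# While testing, uncomment to log (not block) denials for this domain only,
# leaving the rest of the system enforcing.
#permissive autossh_t;
EOF
    # Only the executable needs a new label; the home files keep theirs.
    cat > "$dir/autossh.fc" <<'EOF'
/usr/bin/autossh    --    gen_context(system_u:object_r:autossh_exec_t,s0)
EOF
}

# Build and load the module; needs root and the targeted policy headers.
build_and_load() {
    dir=$1
    ( cd "$dir" && make -f /usr/share/selinux/targeted/include/Makefile autossh.pp )
    semodule -i "$dir/autossh.pp"
    restorecon -v /usr/bin/autossh
}

# Returns 0 if the generated .te grants ~/.ssh read access to the domain.
policy_grants_ssh_home() {
    grep -q '^ssh_read_user_home_files(autossh_t)' "$1/autossh.te"
}
```

After loading, `ausearch -m AVC -ts recent` shows any remaining denials for autossh_t, which is the evidence to use for further allow rules rather than guessing.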