Running strict/enforcing, latest Rawhide. Looks like some changes to policy for proc_net_t are causing some denials.

Nov 28 09:06:51 fedora kernel: audit(1101661600.402:0): avc: denied { search } for pid=1520 exe=/usr/sbin/kudzu name=net dev=proc ino=-268435434 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:proc_net_t tclass=dir
Nov 28 10:28:12 fedora kernel: audit(1101666486.919:0): avc: denied { search } for pid=1843 exe=/usr/sbin/rpc.idmapd name=net dev=proc ino=-268435434 scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:proc_net_t tclass=dir
Nov 28 10:29:38 fedora kernel: audit(1101666578.571:0): avc: denied { read } for pid=3146 exe=/bin/netstat name=net dev=proc ino=-268435434 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:proc_net_t tclass=dir
Nov 28 10:29:39 fedora kernel: audit(1101666579.074:0): avc: denied { search } for pid=3146 exe=/bin/netstat name=net dev=proc ino=-268435434 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:proc_net_t tclass=dir

Made the following changes to kudzu.te, rpcd.te and mozilla_macros.te. Please correct as needed....

tom

--- SAVE/kudzu.te 2004-11-28 10:23:18.000000000 -0800 +++ ./kudzu.te 2004-11-28 10:25:43.000000000 -0800 @@ -18,7 +18,8 @@ allow kudzu_t modules_object_t:dir r_dir_perms; allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read }; allow kudzu_t mouse_device_t:chr_file { read write }; -allow kudzu_t proc_t:file { getattr read }; +allow kudzu_t proc_net_t:dir r_dir_perms; +allow kudzu_t { proc_t proc_net_t }:file { getattr read }; allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms; allow kudzu_t scsi_generic_device_t:chr_file r_file_perms; allow kudzu_t { bin_t sbin_t }:dir { getattr search }; --- SAVE/rpcd.te 2004-11-28 10:43:20.801436658 -0800 +++ ./rpcd.te 2004-11-28 10:45:04.285886135 -0800 
@@ -126,3 +126,4 @@ r_dir_file(rpcd_t, rpc_pipefs_t) allow rpcd_t rpc_pipefs_t:sock_file { read write }; dontaudit rpcd_t selinux_config_t:dir { search }; +allow rpcd_t proc_net_t:dir search; --- SAVE/mozilla_macros.te 2004-11-28 10:47:54.527909494 -0800 +++ ./mozilla_macros.te 2004-11-28 10:47:57.741626903 -0800 @@ -48,6 +48,7 @@ # for bash allow $1_mozilla_t device_t:dir r_dir_perms; allow $1_mozilla_t devpts_t:dir r_dir_perms; +allow $1_mozilla_t proc_net_t:dir r_dir_perms; +allow $1_mozilla_t proc_net_t:file r_file_perms; allow $1_mozilla_t proc_t:file { getattr read }; dontaudit $1_mozilla_t tty_device_t:chr_file getattr; -- Tom London
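Review bot: the kudzu.te hunk grants more than the logged denial. The AVC shows only { search } on the proc_net_t directory, while the patch adds r_dir_perms on the dir plus { getattr read } on proc_net_t files. If kudzu really goes on to read files under /proc/net, the r_dir_file() macro already used in the rpcd.te hunk expresses that in one line (`r_dir_file(kudzu_t, proc_net_t)`); if it only needs to traverse the directory, `allow kudzu_t proc_net_t:dir search;` is the tighter rule. Rerunning kudzu with the minimal rule loaded and checking for follow-on denials would settle which of the two is right.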
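Review bot: the rpcd.te hunk is the only one of the three that grants exactly what the AVC reports (dir search for rpcd_t on proc_net_t), which is the right default. If rpc.idmapd then opens anything beneath that directory a file-level denial will follow, so run it once more after loading the policy and check the audit log before treating this hunk as complete; if that happens, extend it with an explicit file rule in the style of the rpc_pipefs_t lines just above rather than reaching for r_dir_perms.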
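Review bot: the mozilla_macros.te hunk widens every $1_mozilla_t domain (not only user_mozilla_t, since this is a macro) to read all of proc_net_t, which hands the browser the kernel's connection and routing tables. The denial that motivated it comes from /bin/netstat running inside user_mozilla_t, so the first question is whether netstat is expected to run in the browser domain at all; if the read is a side effect of a helper and nothing in the browser needs it, a dontaudit on the dir search silences the log without granting the access. If the access is wanted, the new proc_net_t:file rule could be folded into the existing `allow $1_mozilla_t proc_t:file { getattr read };` as the kudzu.te hunk does, which would also narrow r_file_perms down to the { getattr read } that line already uses.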