Paul Howarth wrote:
> On Wed, 10 Sep 2008 19:47:22 -0400
> Fred Wittekind <rom@xxxxxxxxxxxxxxxxxx> wrote:
>> I'm trying to write a new policy for PvPGN.
>> When I try to start the service via the init script I get:
>>
>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading
>> shared libraries: libm.so.6: cannot open shared object file:
>> Permission denied [FAILED]
>>
>> And:
>>
>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
>> denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0
>> ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
>> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
>> arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
>> a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
>> exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
>
> Add to your policy:
>
> libs_use_shared_libs(pvpgn_t)

Thanks, that got me pointed in the right direction. I was sure there was
a simple way to do it, I just wasn't seeing it.

>> Policy RPM selinux-policy-3.3.1-84.fc9
>>
>> If I run the service from the command line without the init script,
>> it works. I'm sure I'm missing something stupid, just can't figure
>> out what it is. Can't figure out why it works without the
>> initscript, and throws selinux errors when run from the init script.
>
> When you run the service directly from the command line, it doesn't
> transition to pvpgn_t, running unconfined instead, hence no SELinux
> issues.

That explains it. Just because I like to know how things work, what
makes the initscript different? Is it something in the policy, or
something in the functions file?

> Paul.
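For reference, here is a minimal reference-policy module in the style of the selinux-policy-3.3.1 era that ties the two points of this thread together: the `libs_use_shared_libs` call Paul suggests, and the `init_daemon_domain` rule that is what makes starting via the init script different from running the binary by hand. This is an added illustration, not Fred's actual policy; the type names and `/usr/sbin/bnetd` follow the AVC messages above, everything else is assumed.

```selinux
# pvpgn.te (illustrative; build with the selinux-policy-devel Makefile,
# load with "semodule -i pvpgn.pp", then "restorecon /usr/sbin/bnetd")
policy_module(pvpgn, 0.1)

# Domain for the running daemon and the label of its executable.
type pvpgn_t;
type pvpgn_exec_t;

# This is the answer to "what makes the initscript different": the init
# script runs in initrc_t, and init_daemon_domain() declares pvpgn_exec_t
# as an entry point for pvpgn_t plus the automatic transition
# initrc_t -> pvpgn_t when initrc_t execs a pvpgn_exec_t file. A shell
# started by an unconfined user has no such transition rule, so running
# /usr/sbin/bnetd by hand leaves it in unconfined_t and nothing is denied.
init_daemon_domain(pvpgn_t, pvpgn_exec_t)

# Fixes the denial in the AVC above (search on usr_t while the dynamic
# loader looks for libm.so.6): these interfaces grant search on /usr and
# read/mmap on lib_t, ld_so_t and friends instead of a raw allow rule.
libs_use_ld_so(pvpgn_t)
libs_use_shared_libs(pvpgn_t)

# pvpgn.fc (illustrative) - without this label the transition above
# never fires, because the init script would exec a plain bin_t file:
# /usr/sbin/bnetd  --  gen_context(system_u:object_r:pvpgn_exec_t,s0)
```

After loading, `ps -eZ | grep bnetd` should show `pvpgn_t` when started through the init script and `unconfined_t` when started from an unconfined shell, which is the behaviour Paul describes.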
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list