Re: Need some help with a new policy module

Daniel J Walsh wrote:

Fred Wittekind wrote:
I'm trying to write a new policy for PvPGN.

When I try to start the service via the init script I get:
Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared
libraries: libm.so.6: cannot open shared object file: Permission denied
                                                          [FAILED]

And:
host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc: denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0
ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=dir

host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)

Policy RPM                    selinux-policy-3.3.1-84.fc9


If I run the service from the command line without the init script, it
works.  I'm sure I'm missing something stupid, just can't figure out
what it is.  Can't figure out why it works without the initscript, and
throws selinux errors when run from the init script.

Thanks in advance for any help.

Fred Wittekind IV


------------------------------------------------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Fred if you use policy_module(pvpgn, 1.0.0)
You will get all of the gen_require stuff for free.
Quite helpful, thanks.
corenet_udp_bind_generic_port(pvpgn_t)
corenet_tcp_bind_generic_port(pvpgn_t)

You really should define a port and then allow pvpgn bind to the
specific port.  (Unless pvpgn binds to random ports?)
Wanted to, but couldn't quite figure out how to define a specific port. Using source rpm for policy as a reference, but, it appears to use macros for all the ports it needs.
If this is on Fedora 10 you might want to add

permissive pvpgn_t;

Which will allow the daemon to run in permissive mode while you are testing.
It's Fedora 9, thanks though.


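For the "define a port and allow pvpgn to bind to it" advice above, here is a minimal pvpgn.te written as an added illustration; it is not code from the thread or from the PvPGN project. It uses refpolicy interfaces (corenet_port, libs_use_shared_libs, init_daemon_domain) as they existed in the Fedora 9 era, and the port number 6112 in the usage note is an assumption about PvPGN's default, not something stated in the thread.

```m4
policy_module(pvpgn, 1.0.0)

########################################
#
# Declarations
#

type pvpgn_t;
type pvpgn_exec_t;
# Transition into pvpgn_t only when started by init/initrc (the init script).
# Started directly from an unconfined shell, bnetd stays unconfined_t, which
# is why the daemon "works" without the init script in the thread above.
init_daemon_domain(pvpgn_t, pvpgn_exec_t)

# Dedicated port type: the port number is attached to it with semanage
# (see note below), not hard-coded in the module.
type pvpgn_port_t;
corenet_port(pvpgn_port_t)

########################################
#
# Local policy
#

# Shared-library loading. The AVC above is a 'search' denial on usr_t
# while resolving libm.so.6; these interfaces grant directory search and
# mmap of lib_t objects, which is what a daemon needs to load its libraries.
libs_use_ld_so(pvpgn_t)
libs_use_shared_libs(pvpgn_t)

allow pvpgn_t self:tcp_socket create_stream_socket_perms;
allow pvpgn_t self:udp_socket create_socket_perms;

corenet_all_recvfrom_unlabeled(pvpgn_t)
corenet_tcp_sendrecv_generic_if(pvpgn_t)
corenet_tcp_sendrecv_generic_node(pvpgn_t)
corenet_udp_sendrecv_generic_if(pvpgn_t)
corenet_udp_sendrecv_generic_node(pvpgn_t)
corenet_tcp_bind_generic_node(pvpgn_t)
corenet_udp_bind_generic_node(pvpgn_t)

# Bind only to the dedicated port type, instead of the
# corenet_*_bind_generic_port() calls that open every unreserved port.
allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
allow pvpgn_t pvpgn_port_t:udp_socket name_bind;
```

After building and loading the module (`make -f /usr/share/selinux/devel/Makefile pvpgn.pp && semodule -i pvpgn.pp`), label the port with `semanage port -a -t pvpgn_port_t -p tcp 6112` (and `-p udp` if bnetd listens on UDP too), replacing 6112 with whatever port your pvpgn.conf actually uses.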
