Re: Need some help with a new policy module

Daniel J Walsh wrote:

Fred Wittekind wrote:
Daniel J Walsh wrote:
Fred Wittekind wrote:
I'm trying to write a new policy for PvPGN.

When I try to start the service via the init script I get:
Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared
libraries: libm.so.6: cannot open shared object file: Permission denied
                                                          [FAILED]

And:
host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
denied  { search } for  pid=3526 comm="bnetd" name="usr" dev=dm-0
ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=dir

host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)

Policy RPM                    selinux-policy-3.3.1-84.fc9


If I run the service from the command line without the init script, it
works.  I'm sure I'm missing something stupid, just can't figure out
what it is.  Can't figure out why it works without the init script, and
throws SELinux errors when run from the init script.

Thanks in advance for any help.

Fred Wittekind IV



--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Fred, if you use policy_module(pvpgn, 1.0.0)
you will get all of the gen_require stuff for free.
Quite helpful, thanks.
corenet_udp_bind_generic_port(pvpgn_t)
corenet_tcp_bind_generic_port(pvpgn_t)

type pvpgn_port_t;
ports_type(pvpgn_port_t)

allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
allow pvpgn_t pvpgn_port_t:udp_socket name_bind;

Then you need to add the port definition using
semanage port -a -t pvpgn_port_t -p tcp PORTNUM
Assuming this policy file is going to be included in an RPM I'm making for pvpgn, what's best practice for handling adding the port numbers? Add semanage statements for the port numbers to the %post section? Or is there a way to encode the port numbers into the policy file?
You really should define a port and then allow pvpgn bind to the
specific port.  (Unless pvpgn binds to random ports?)
Wanted to, but couldn't quite figure out how to define a specific port. Using the source RPM for the policy as a reference, but it appears to use
macros for all the ports it needs.
If this is on Fedora 10 you might want to add

permissive pvpgn_t;

Which will allow the daemon to run in permissive mode while you are
testing.
It's Fedora 9, thanks though.

Well that should show up in Fedora 9 whenever they move to the
kernel-2.6.27 kernel
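The thread stops short of a complete module, so what follows is an added scaffold written for this page; it is not Fred's module, Dan's code, or anything shipped by PvPGN or Fedora. It ties the two halves of the discussion together. The AVC above shows bnetd already running as pvpgn_t (the init script, via initrc_t, did transition into the new domain) but denied search on usr_t, so ld.so could not walk /usr to load libm.so.6; a root shell in unconfined_t runs /usr/sbin/bnetd without any transition under the usual targeted policy, which is why the command-line start worked. The module therefore pulls in the shared-library interfaces, defines a dedicated port type as Dan recommends instead of binding generic ports, and emits the %post/%postun lines that answer Fred's RPM question, since the port number lives in the semanage store rather than in the .pp. Assumptions, all mine: interface names are those of the reference policy of that era (libs_use_ld_so, libs_use_shared_libs, the corenet_*_all_nodes family, which later reference policies renamed to ..._generic_node; check /usr/share/selinux/devel/include on the target), corenet_port() is used where the thread writes ports_type(), TCP 6112 is PvPGN's default Battle.net port, and the .pp is installed under %{_datadir}/selinux/packages per Fedora packaging convention.

```shell
#!/bin/sh
# Added example for this page (not code from the thread, PvPGN or Fedora):
# scaffold, build and package an SELinux module for bnetd with its own port
# type.  Interface names follow the 2008-era reference policy (assumption);
# verify them against /usr/share/selinux/devel/include before building.
set -eu

write_pvpgn_policy() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/pvpgn.te" <<'EOF'
policy_module(pvpgn, 1.0.0)

# Daemon domain and entry point: initrc_t transitions into pvpgn_t when the
# init script execs /usr/sbin/bnetd (labeled pvpgn_exec_t by pvpgn.fc).
type pvpgn_t;
type pvpgn_exec_t;
init_daemon_domain(pvpgn_t, pvpgn_exec_t)

# Dedicated port type.  The number is attached with semanage at install
# time, so the module does not change when bnetd.conf picks another port.
# (Assumption: corenet_port() marks a port type; the thread calls this
# ports_type().)
type pvpgn_port_t;
corenet_port(pvpgn_port_t)

# Permissive domains need kernel 2.6.26+ and matching userspace; uncomment
# while testing to log denials without enforcing them.
# permissive pvpgn_t;

# The AVC in the thread: pvpgn_t lacked search on usr_t while ld.so loaded
# libm.so.6.  These interfaces cover library loading and daemon basics.
libs_use_ld_so(pvpgn_t)
libs_use_shared_libs(pvpgn_t)
files_read_etc_files(pvpgn_t)
miscfiles_read_localization(pvpgn_t)
logging_send_syslog_msg(pvpgn_t)

allow pvpgn_t self:tcp_socket create_stream_socket_perms;
allow pvpgn_t self:udp_socket create_socket_perms;

corenet_tcp_sendrecv_generic_if(pvpgn_t)
corenet_udp_sendrecv_generic_if(pvpgn_t)
corenet_tcp_sendrecv_all_nodes(pvpgn_t)
corenet_udp_sendrecv_all_nodes(pvpgn_t)
corenet_tcp_bind_all_nodes(pvpgn_t)
corenet_udp_bind_all_nodes(pvpgn_t)

# Bind only to pvpgn_port_t, not to every unreserved port.
allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
allow pvpgn_t pvpgn_port_t:udp_socket name_bind;
EOF
    cat > "$dir/pvpgn.fc" <<'EOF'
/usr/sbin/bnetd    --    gen_context(system_u:object_r:pvpgn_exec_t,s0)
EOF
    : > "$dir/pvpgn.if"    # no interfaces exported yet
}

# Build pvpgn.pp with the Makefile shipped by selinux-policy-devel.
build_pvpgn_policy() {
    make -C "$1" -f /usr/share/selinux/devel/Makefile pvpgn.pp
}

# Scriptlet lines for the spec file.  The port mapping lives in the semanage
# store, not in the .pp, so it is added on install and dropped on erase.
# Assumptions: TCP 6112 is PvPGN's default Battle.net port (use the ports
# from your bnetd.conf) and the .pp lands under %{_datadir}/selinux/packages.
pvpgn_rpm_scriptlets() {
    cat <<'EOF'
%post
semodule -i %{_datadir}/selinux/packages/pvpgn.pp 2>/dev/null || :
semanage port -a -t pvpgn_port_t -p tcp 6112 2>/dev/null || :
restorecon /usr/sbin/bnetd 2>/dev/null || :

%postun
if [ $1 -eq 0 ]; then
    semanage port -d -t pvpgn_port_t -p tcp 6112 2>/dev/null || :
    semodule -r pvpgn 2>/dev/null || :
fi
EOF
}

main() {
    workdir=${1:-${TMPDIR:-/tmp}/pvpgn-policy}
    write_pvpgn_policy "$workdir"
    if [ -r /usr/share/selinux/devel/Makefile ]; then
        build_pvpgn_policy "$workdir"
    else
        echo "selinux-policy-devel not installed; sources left in $workdir" >&2
    fi
    pvpgn_rpm_scriptlets
}

main "$@"
```

After building, install with semodule -i, register the port, run restorecon on /usr/sbin/bnetd, and start the service through the init script; feed any remaining denials to audit2allow, but replace its raw allow rules with the matching interface where one exists. Two caveats: semanage port -a fails if the port is already owned by another type, and the "|| :" in the scriptlet hides that so the package install does not abort, so check "semanage port -l | grep pvpgn" afterwards; and with a permissive pvpgn_t the domain logs but does not block, so remove that line before shipping.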


