Fred Wittekind wrote:
> Daniel J Walsh wrote:
>> Fred Wittekind wrote:
>>> Daniel J Walsh wrote:
>>>> Fred Wittekind wrote:
>>>>> I'm trying to write a new policy for PvPGN.
>>>>>
>>>>> When I try to start the service via the init script I get:
>>>>>
>>>>>   Starting PvPGN game server: /usr/sbin/bnetd: error while loading
>>>>>   shared libraries: libm.so.6: cannot open shared object file:
>>>>>   Permission denied
>>>>>   [FAILED]
>>>>>
>>>>> And:
>>>>>
>>>>>   host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
>>>>>   denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0
>>>>>   ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
>>>>>   tcontext=system_u:object_r:usr_t:s0 tclass=dir
>>>>>
>>>>>   host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
>>>>>   arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
>>>>>   a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
>>>>>   suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
>>>>>   exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0
>>>>>   key=(null)
>>>>>
>>>>> Policy RPM selinux-policy-3.3.1-84.fc9
>>>>>
>>>>> If I run the service from the command line without the init script, it
>>>>> works. I'm sure I'm missing something stupid, just can't figure out
>>>>> what it is. Can't figure out why it works without the initscript, and
>>>>> throws selinux errors when run from the init script.
>>>>>
>>>>> Thanks in advance for any help.
>>>>>
>>>>> Fred Wittekind IV
>>>>>
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list@xxxxxxxxxx
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>
>>>> Fred, if you use policy_module(pvpgn, 1.0.0) you will get all of the
>>>> gen_require stuff for free.
>>>
>>> Quite helpful, thanks.
>>>
>>>>   corenet_udp_bind_generic_port(pvpgn_t)
>>>>   corenet_tcp_bind_generic_port(pvpgn_t)
>>
>>   type pvpgn_port_t;
>>   ports_type(pvpgn_port_t)
>>
>>   allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
>>   allow pvpgn_t pvpgn_port_t:udp_socket name_bind;
>>
>> Then you need to add the ports definition using
>>
>>   semanage port -a -t pvpgn_port_t -Ptcp PORTNUM
>
> Assuming this policy file is going to be included into an rpm I'm making
> for pvpgn, what's best practice for handling adding the port numbers?
> Add semanage statements for the port numbers to the %post section? Or
> is there a way to encode the port numbers into the policy file?

Yes, I would execute something like the following in your %post:

  # semodule -i pvpgn.pp
  # restorecon -R -v PGPGNPATHS ...
  # semanage port -a -t pvpgn_port_t -Ptcp PORTNUM

You can not define a port in a module currently.

>>>> You really should define a port and then allow pvpgn to bind to the
>>>> specific port. (Unless pvpgn binds to random ports?)
>>>
>>> Wanted to, but couldn't quite figure out how to define a specific port.
>>> Using the source rpm for policy as a reference, but it appears to use
>>> macros for all the ports it needs.
>>>
>>>> If this is on Fedora 10 you might want to add
>>>>
>>>>   permissive pvpgn_t;
>>>>
>>>> Which will allow the daemon to run in permissive mode while you are
>>>> testing.
>>>
>>> It's Fedora 9, thanks though.
>>
>> Well that should show up in Fedora 9 whenever they move to the
>> kernel-2.6.27 kernel.

Your question this morning has triggered me to write a blog entry.

http://danwalsh.livejournal.com/23944.html
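A complete pvpgn.te assembled from the pieces suggested in this thread, added here as an illustration and not code from the thread, the policy RPM or the PvPGN project; the reference-policy interface names used (init_daemon_domain, libs_use_ld_so, libs_use_shared_libs, files_read_usr_files, corenet_port, corenet_*_bind_generic_node) are assumed to be present in the Fedora 9 policy, and PORTNUM stays a placeholder:

```selinux
# pvpgn.te -- hypothetical module built from this thread's advice.
# Interface names are assumed to match the Fedora 9 reference policy.
policy_module(pvpgn, 1.0.0)

########################################
# Declarations
########################################

# Domain for the running daemon and label for its executable
# (label /usr/sbin/bnetd as pvpgn_exec_t in pvpgn.fc).
type pvpgn_t;
type pvpgn_exec_t;
# Lets the init script transition bnetd into pvpgn_t. Running bnetd by
# hand from an unconfined shell never enters this domain, which is why
# the denials in the thread only appeared via the init script.
init_daemon_domain(pvpgn_t, pvpgn_exec_t)

# Port type. The number itself cannot be declared in a module; it is
# bound at install time from %post:
#   semanage port -a -t pvpgn_port_t -Ptcp PORTNUM
type pvpgn_port_t;
corenet_port(pvpgn_port_t)

# Fedora 10 and later (kernel 2.6.27): uncomment while testing so the
# daemon logs denials instead of failing.
# permissive pvpgn_t;

########################################
# Local policy
########################################

# The AVC in the thread: { search } denied on usr_t while the dynamic
# loader looked for libm.so.6. A confined daemon has to be allowed to
# use ld.so and the shared libraries under /usr explicitly.
libs_use_ld_so(pvpgn_t)
libs_use_shared_libs(pvpgn_t)
files_read_usr_files(pvpgn_t)
files_read_etc_files(pvpgn_t)
miscfiles_read_localization(pvpgn_t)
logging_send_syslog_msg(pvpgn_t)

# Listen only on the port labelled pvpgn_port_t rather than on any
# generic port, as recommended in the thread.
allow pvpgn_t self:tcp_socket create_stream_socket_perms;
allow pvpgn_t self:udp_socket create_socket_perms;
corenet_tcp_bind_generic_node(pvpgn_t)
corenet_udp_bind_generic_node(pvpgn_t)
allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
allow pvpgn_t pvpgn_port_t:udp_socket name_bind;
corenet_tcp_sendrecv_generic_if(pvpgn_t)
corenet_tcp_sendrecv_generic_node(pvpgn_t)
```

After building with the policy Makefile, a denial that still shows up in audit.log with scontext pvpgn_t points at the next interface the module is missing.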