Re: getting myapp to exec /sbin/swapon

On 06/01/2009 01:05 PM, Brian Ginn wrote:
I am attempting to get myapp to exec /sbin/swapon

audit2allow says I need:
         allow myapp_t fixed_disk_device_t:blk_file { read write };

This compiles, but semodule won't install it:
[root@domingo ~]# semodule -i /nethome/user/bginn/src/pb6/pb/selinux/myapp.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp_t fixed_disk_device_t:blk_file { write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertions: 2 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!
[root@domingo ~]#

I don't see any constraint, or class permission that would affect this.

I do see that modules/kernel/storage.te contains:
neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
Could these be causing my problem?

Is there a domain transition or other policy that would allow myapp to exec /sbin/swapon ?


Probably best to do

fstools_domtrans(myapp_t)


If you want to allow myapp_t to edit fixed disks, you need to use this interface.

storage_manage_fixed_disk(myapp_t)



Thanks,
Brian
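The route the reply recommends, worked through as an added example (this is not code from the thread, from the questioner, or from the Fedora policy itself). The two neverallow lines quoted from storage.te are exactly the assertions semodule reports: only domains carrying the fixed_disk_raw_read / fixed_disk_raw_write attributes may hold those blk_file permissions, and a bare audit2allow rule never adds myapp_t to either attribute. Letting myapp_t transition into the fstools domain (fsadm_t, which already has those attributes) when it executes swapon avoids granting raw disk access to the application domain at all. Assumptions: myapp_t and myapp_exec_t are declared by this module, the daemon lives at /usr/sbin/myapp, the policy devel package supplies /usr/share/selinux/devel/Makefile, and /sbin/swapon is labeled fsadm_exec_t as in the reference policy.

```shell
#!/bin/sh
# Added example (not from the original thread): a complete policy module that
# lets myapp_t run /sbin/swapon in the fstools domain via fstools_domtrans(),
# plus the refpolicy build, load and verification steps around it.
# Assumed: myapp_t/myapp_exec_t belong to this module, the binary is
# /usr/sbin/myapp, and /sbin/swapon carries the fsadm_exec_t label.

# write_policy DIR: write myapp.te and myapp.fc into DIR.
write_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/myapp.te" <<'EOF'
policy_module(myapp, 1.0)

type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Do not allow myapp_t direct blk_file access to fixed_disk_device_t: that
# violates the storage.te neverallow rules because myapp_t is not in the
# fixed_disk_raw_read / fixed_disk_raw_write attributes. Instead, transition
# into the fstools domain when myapp executes a fsadm_exec_t binary (swapon).
fstools_domtrans(myapp_t)
EOF
    cat > "$dir/myapp.fc" <<'EOF'
# Assumed install path for the daemon binary.
/usr/sbin/myapp    --    gen_context(system_u:object_r:myapp_exec_t,s0)
EOF
}

# policy_uses_domtrans DIR: succeeds if the module relies on the transition
# and contains no direct blk_file allow on fixed_disk_device_t.
policy_uses_domtrans() {
    grep -q '^fstools_domtrans(myapp_t)' "$1/myapp.te" &&
    ! grep -q 'fixed_disk_device_t:blk_file' "$1/myapp.te"
}

# build_and_install DIR: compile with the refpolicy Makefile, load the
# module, then confirm the type transition exists in the loaded policy.
build_and_install() {
    cd "$1" || return 1
    make -f /usr/share/selinux/devel/Makefile myapp.pp || return 1
    semodule -i myapp.pp || return 1
    sesearch -T -s myapp_t -t fsadm_exec_t -c process
}

if [ "${1:-}" = "--build" ]; then
    write_policy ./myapp-policy && build_and_install ./myapp-policy
fi
```

Run with `--build` on a box that has the policy devel package installed; the sesearch call at the end should print a type_transition from myapp_t to fsadm_t on fsadm_exec_t. If the application genuinely has to read or write the disk device itself rather than via swapon, the interfaces that add it to the neverallow-exempt attributes are storage_raw_read_fixed_disk and storage_raw_write_fixed_disk, but that is a much larger grant than a domain transition and should be a last resort.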


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
