On 06/01/2009 01:05 PM, Brian Ginn wrote:
I am attempting to get myapp to exec /sbin/swapon
audit2allow says I need:
allow myapp_t fixed_disk_device_t:blk_file { read write };
This compiles, but semodule won't install it:
[root@domingo ~]# semodule -i /nethome/user/bginn/src/pb6/pb/selinux/myapp.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp_t fixed_disk_device_t:blk_file { write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertions: 2 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[root@domingo ~]#
I don't see any constraint, or class permission that would affect this.
I do see that modules/kernel/storage.te contains:
neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
Could these be causing my problem?
Is there a domain transition or other policy that would allow myapp to exec /sbin/swapon ?
Probably best to do
fstools_domtrans(myapp_t)
If you want to allow myapp_t to edit fixed disks, you need to use this
interface.
storage_manage_fixed_disk(myapp_t)
Thanks,
Brian
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
