Hi,

(My second post in this list in two years of lurking.)

My machines run F-13. My selinux packages are:

  selinux-policy-3.7.19-23.fc13.noarch
  selinux-policy-targeted-3.7.19-23.fc13.noarch

I want to trigger the services aiccu and radvd from NetworkManager, to get a Sixxs IPv6 tunnel and announce a Sixxs IPv6 subnet on the LAN. For that, I have created this file:

$ cat /etc/NetworkManager/dispatcher.d/20-aiccu
#!/bin/sh
if [ "$2" = "up" ] ; then
    /sbin/service aiccu start && /sbin/service radvd start || :
fi
if [ "$2" = "down" ] ; then
    /sbin/service radvd stop || :
    /sbin/service aiccu stop || :
fi

It works in permissive mode, but I had to create the following local.te module using audit2allow to get that to work in enforcing mode:

==================================================================
module local 1.1;

require {
	type insmod_exec_t;
	type modules_conf_t;
	type urandom_device_t;
	type syslogd_t;
	type ifconfig_exec_t;
	type sysfs_t;
	type port_t;
	type modules_dep_t;
	type shell_exec_t;
	type bin_t;
	type devlog_t;
	type proc_t;
	type random_device_t;
	type console_device_t;
	type modules_object_t;
	type aiccu_t;
	class tun_socket create;
	class chr_file { read open };
	class capability { net_admin sys_module sys_tty_config };
	class tcp_socket { write name_connect connect shutdown read create };
	class file { execute read execute_no_trans getattr open };
	class sock_file write;
	class netlink_route_socket { setopt nlmsg_write read bind create nlmsg_read write getattr };
	class lnk_file read;
	class unix_dgram_socket { write create connect sendto };
	class udp_socket { write read create connect };
	class dir read;
}

#============= aiccu_t ==============
allow aiccu_t bin_t:lnk_file read;
allow aiccu_t devlog_t:sock_file write;
allow aiccu_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
allow aiccu_t insmod_exec_t:file { read getattr open execute execute_no_trans };
allow aiccu_t modules_conf_t:dir read;
allow aiccu_t modules_conf_t:file { read getattr open };
allow aiccu_t modules_dep_t:file { read getattr open };
allow aiccu_t modules_object_t:file { read open };
allow aiccu_t port_t:tcp_socket name_connect;
allow aiccu_t proc_t:file { read getattr open };
allow aiccu_t random_device_t:chr_file read;
allow aiccu_t self:capability net_admin;
allow aiccu_t self:netlink_route_socket { setopt nlmsg_write read bind create nlmsg_read write getattr };
allow aiccu_t self:tcp_socket { read write create connect shutdown };
allow aiccu_t self:tun_socket create;
allow aiccu_t self:udp_socket { write read create connect };
allow aiccu_t self:unix_dgram_socket { write create connect };
allow aiccu_t shell_exec_t:file { read execute open getattr execute_no_trans };
allow aiccu_t sysfs_t:file { read getattr open };
allow aiccu_t syslogd_t:unix_dgram_socket sendto;
#!!!! This avc can be allowed using the boolean 'global_ssp'
allow aiccu_t urandom_device_t:chr_file { read open };
allow aiccu_t console_device_t:chr_file open;
allow aiccu_t modules_object_t:file getattr;
allow aiccu_t self:capability { sys_module sys_tty_config };
==================================================================

The AVC audit log is attached (compressed with bzip2). To get it, I used this sort of command:

cnetworkmanager -o off; DATE=`date '+%H:%M'`; cnetworkmanager -o on; sleep 10; sudo sh -c "/sbin/ausearch -ts $DATE -m avc | tee /root/audit.log"

This shell one-liner disables the network, stores the current time in $DATE, then enables the network, and uses ausearch (after a sleep of 10 seconds) to get the AVCs starting from the time $DATE.

I do not understand the AVCs. Both aiccu and radvd have their own modules. I am not really used to selinux context transitions. I wonder if it is possible that the AVCs are because radvd is running in the selinux context aiccu_t.

-- 
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau
Attachment:
aiccu-avc.log.bz2
Description: application/bzip
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
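As an added example (not part of the original post, and not audit2allow output), here is a small POSIX shell/awk helper that summarises AVC records by the command (comm=) and the source domain (scontext type) that triggered them. That grouping is the direct way to answer the question raised above: if radvd shows up with scontext type aiccu_t, the daemon was not transitioned into its own domain. The function names avc_summary and avc_domains_for and the records in SAMPLE_AVC are constructed for this example; the sample deliberately contains one radvd record in aiccu_t and one in radvd_t so that both outcomes are visible in the output.

```shell
#!/bin/sh
# avc_summary: read raw audit records on stdin and print one line per
# distinct (comm, source domain, target type, object class, permissions)
# for every "avc: denied" record. Non-AVC records (SYSCALL, CWD, ...) are skipped.
avc_summary() {
    awk '
    /avc: *denied/ {
        comm = ""; scon = ""; tcon = ""; tclass = ""
        perms = $0
        sub(/.*denied *[{] */, "", perms)      # drop everything up to "{ "
        sub(/ *[}].*/, "", perms)              # drop " }" and the rest of the line
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); scon = a[3] }   # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tcon = b[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        print comm, scon, tcon, tclass, "{ " perms " }"
    }' | LC_ALL=C sort -u
}

# avc_domains_for COMM: print the distinct source domains in which COMM
# was denied something. A well-confined daemon lists exactly one domain, its own.
avc_domains_for() {
    awk -v want="$1" '
    /avc: *denied/ {
        c = ""; s = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { c = $i; sub(/^comm="?/, "", c); sub(/"$/, "", c) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
        }
        if (c == want) print s
    }' | LC_ALL=C sort -u
}

# Constructed sample records (not from the attached log). Timestamps, pids,
# inodes and paths are made up; the shape follows the kernel audit format.
SAMPLE_AVC='type=AVC msg=audit(1280000000.101:11): avc:  denied  { read open } for  pid=1001 comm="aiccu" path="/dev/urandom" dev=devtmpfs ino=9 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1280000000.101:11): arch=c000003e syscall=2 success=no exit=-13 comm="aiccu" exe="/usr/sbin/aiccu" subj=system_u:system_r:aiccu_t:s0 key=(null)
type=AVC msg=audit(1280000000.102:12): avc:  denied  { read getattr open } for  pid=1002 comm="modprobe" path="/lib/modules/KERNEL/modules.dep" dev=sda1 ino=4711 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
type=AVC msg=audit(1280000000.103:13): avc:  denied  { open } for  pid=1003 comm="radvd" path="/dev/console" dev=devtmpfs ino=3 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
type=AVC msg=audit(1280000000.104:14): avc:  denied  { write } for  pid=1004 comm="radvd" path="/var/run/radvd/radvd.pid" dev=sda1 ino=99 scontext=system_u:system_r:radvd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
echo "domains in which radvd was denied:"
printf '%s\n' "$SAMPLE_AVC" | avc_domains_for radvd
```

On a real machine the same functions are fed from the audit trail, for instance `ausearch -m avc -ts today | avc_summary`, and `ps -eZ | grep radvd` shows the domain the running daemon actually has. A command that appears under a domain other than its own (here, radvd under aiccu_t) is the signature of a missing domain transition, and the fix belongs in the transition rules rather than in a blanket allow list generated by audit2allow.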