Hi Dominick. Thanks for your answer. I have followed your recommendations (see below).

On Wednesday 09 June 2010 17:58:58 Dominick Grift wrote:
> let's create a policy patch:
>
> echo "policy_module(myaiccu, 1.0.0)" > myaiccu.te;
> echo "require { type aiccu_t; }" >> myaiccu.te;
> echo "sysnet_domtrans_ifconfig(aiccu_t)" >> myaiccu.te;
> echo "modutils_domtrans_insmod_uncond(aiccu_t)" >> myaiccu.te;
> echo "corecmd_exec_shell(aiccu_t)" >> myaiccu.te;
>
> see if it builds:
>
> make -f /usr/share/selinux/devel/Makefile myaiccu.pp
>
> Install it:
>
> sudo semodule -i myaiccu.pp

I have created myaiccu.te with:

policy_module(myaiccu, 1.0.0)
require { type aiccu_t; }
sysnet_domtrans_ifconfig(aiccu_t)
modutils_domtrans_insmod_uncond(aiccu_t)
corecmd_exec_shell(aiccu_t)

and typed:

sudo setenforce 0
sudo semodule -d local
sudo semodule -i myaiccu.pp

then I have disabled and re-enabled the network. I have had three AVCs (attached full log), and audit2allow now only says:

#============= aiccu_t ==============
allow aiccu_t proc_t:file { read getattr open };

I have retried with a new myaiccu.te:

policy_module(myaiccu, 1.0.1)
require {
    type aiccu_t;
    type proc_t;
    class file { read getattr open };
}
sysnet_domtrans_ifconfig(aiccu_t)
modutils_domtrans_insmod_uncond(aiccu_t)
corecmd_exec_shell(aiccu_t)
allow aiccu_t proc_t:file { read getattr open };

and:

sudo semodule -u myaiccu.pp

and then the disable/enable of the network gives no AVC.

I hope that can help you fix the aiccu module.

--
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau
----
time->Thu Jun 10 17:12:20 2010
type=SYSCALL msg=audit(1276182740.754:592): arch=c000003e syscall=2 success=yes exit=3 a0=3786942300 a1=0 a2=1b6 a3=2 items=0 ppid=7234 pid=7422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:aiccu_t:s0 key=(null)
type=AVC msg=audit(1276182740.754:592): avc: denied { open } for pid=7422 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1276182740.754:592): avc: denied { read } for pid=7422 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Thu Jun 10 17:12:20 2010
type=SYSCALL msg=audit(1276182740.754:593): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff68dd8580 a2=7fff68dd8580 a3=2 items=0 ppid=7234 pid=7422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:aiccu_t:s0 key=(null)
type=AVC msg=audit(1276182740.754:593): avc: denied { getattr } for pid=7422 comm="sh" path="/proc/meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
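The step in the message from the three attached AVC records to the require block and allow rule that audit2allow printed, as an added shell example (not part of this thread and not audit2allow's own code). It assumes only sh and a POSIX awk; the AVC lines are constructed copies of the attached records and the module name myaiccu is the one used in the message.

```shell
#!/bin/sh
# Constructed sample: the three AVC records from the attached log, one per line.
AVC_LOG='type=AVC msg=audit(1276182740.754:592): avc: denied { open } for pid=7422 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1276182740.754:592): avc: denied { read } for pid=7422 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1276182740.754:593): avc: denied { getattr } for pid=7422 comm="sh" path="/proc/meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file'

# avc_to_te MODULE: read AVC "denied" records on stdin and print minimal module
# source (policy_module header, require block, allow rules), merging the
# permissions of records that share source type, target type and class.
avc_to_te() {
  awk -v mod="$1" '
    # append v to the space-separated list unless it is already present
    function addp(list, v) { return index(" " list " ", " " v " ") ? list : (list == "" ? v : list " " v) }
    /avc: +denied/ {
      s = index($0, "{"); e = index($0, "}")
      perms = substr($0, s + 1, e - s - 1)            # text between the braces, e.g. " open "
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # user:role:TYPE:level
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next   # malformed record: skip it
      key = src SUBSEP tgt SUBSEP cls
      if (!(key in rule)) { rule[key] = ""; order[++nr] = key; rsrc[key] = src; rtgt[key] = tgt; rcls[key] = cls }
      if (!(src in seen_t)) { seen_t[src] = 1; torder[++nt] = src }
      if (!(tgt in seen_t)) { seen_t[tgt] = 1; torder[++nt] = tgt }
      if (!(cls in cperm))  { cperm[cls] = ""; corder[++nc] = cls }
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) {
        rule[key] = addp(rule[key], p[j])           # permissions for this allow rule
        cperm[cls] = addp(cperm[cls], p[j])         # permissions the require block must declare
      }
    }
    END {
      print "policy_module(" mod ", 1.0.0)"
      print "require {"
      for (i = 1; i <= nt; i++) print "    type " torder[i] ";"
      for (i = 1; i <= nc; i++) print "    class " corder[i] " { " cperm[corder[i]] " };"
      print "}"
      for (i = 1; i <= nr; i++) { k = order[i]; print "allow " rsrc[k] " " rtgt[k] ":" rcls[k] " { " rule[k] " };" }
    }'
}

printf '%s\n' "$AVC_LOG" | avc_to_te myaiccu
```

This reproduces the mapping, not the review: the rule it emits is only as narrow as the denials that went in, and here it stays at proc_t:file { open read getattr } because the only denied access was the shell run by aiccu reading /proc/meminfo.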
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux