Quoting Dominick Grift:
On Fri, 2013-11-15 at 15:34 +0100, Dominick Grift wrote:
>
> #============= munin_disk_plugin_t ==============
> allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
> --------------------------------
>
In theory you should add a rule like the above yes, but it is probably
not enough

Actually hit send too soon.
In Fedora that might indeed do the trick

This is a CentOS server and it was not sufficient, as it seemed.
Applied the policy but AVC denials didn't stop.
Nov 15 15:48:06 servername setroubleshoot: SELinux is preventing
/usr/bin/perl from getattr access on the blk_file /dev/dm-3. For
complete SELinux messages. run sealert -l
2b08f291-13be-4b09-878a-96cccc4c336d
When I use audit2allow a second time (grep on a fresh rotated audit.log file)
I get this:
--------------------------------
# cat diskwatch-pol2.te
module diskwatch-pol2 1.0;
require {
type svirt_image_t;
type munin_disk_plugin_t;
class blk_file getattr;
}
#============= munin_disk_plugin_t ==============
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
--------------------------------
How can I solve the issue?
Gabriele