On Fri, 2013-11-15 at 16:09 +0100, Gabriele Pohl wrote:
>
> This is a CentOS server and it was not sufficient, as it seemed.
> Applied the policy but AVC denials didn't stop..
>
> Nov 15 15:48:06 servername setroubleshoot: SELinux is preventing
> /usr/bin/perl from getattr access on the blk_file /dev/dm-3. For
> complete SELinux messages. run sealert -l
> 2b08f291-13be-4b09-878a-96cccc4c336d
>
> When I use audit2allow a second time (grep on a fresh rotated audit.log file)
> I get this:
> --------------------------------
> # cat diskwatch-pol2.te
>
> module diskwatch-pol2 1.0;
>
> require {
>         type svirt_image_t;
>         type munin_disk_plugin_t;
>         class blk_file getattr;
> }
>
> #============= munin_disk_plugin_t ==============
>
> #!!!! This avc is a constraint violation. You will need to add an
> attribute to either the source or target type to make it work.
> #Contraint rule:
> allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
>
> --------------------------------
>
> How can I solve the issue?

See if this additional module does the trick:

cat >> mytest.te <<EOF
policy_module(mytest, 1.0.0)
gen_require(\`
        type munin_disk_plugin_t;
')
mcs_file_read_all(munin_disk_plugin_t)
EOF

make -f /usr/share/selinux/devel/Makefile mytest.pp
sudo semodule -i mytest.pp
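
Added example, not part of the original thread or of any SELinux tool: a small Python triage script that shows why the allow rule from audit2allow cannot clear a "constraint violation" while an attribute such as the one granted by mcs_file_read_all can. It assumes an MCS policy and a simplified dominance test on the high level of each context (the real constraint expressions live in the loaded policy); the AVC records, categories and the fixed_disk_device_t case are constructed.

```python
import re

# Constructed audit.log records (not from the thread): same source type and
# target type as the denial above, with made-up MCS categories and PIDs.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1384526886.101:412): avc:  denied  { getattr } for  pid=2101 '
    'comm="perl" path="/dev/dm-3" scontext=system_u:system_r:munin_disk_plugin_t:s0 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c12,c345 tclass=blk_file',
    'type=AVC msg=audit(1384526886.102:413): avc:  denied  { getattr } for  pid=2101 '
    'comm="perl" path="/dev/dm-0" scontext=system_u:system_r:munin_disk_plugin_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
]

CTX = re.compile(r'\b([st])context=(\S+)')


def high_level(context):
    """Return (sensitivity, category set) of the high level in a context."""
    mls = context.split(':', 3)[3]        # user:role:type:<mls range>
    level = mls.split('-')[-1]            # "low-high" -> high; single level otherwise
    sens, _, cats = level.partition(':')
    members = set()
    for part in filter(None, cats.split(',')):
        first, _, last = part.partition('.')   # "c0.c1023" is an inclusive range
        lo = int(first[1:])
        hi = int(last[1:]) if last else lo
        members.update(range(lo, hi + 1))
    return int(sens[1:]), members


def dominates(source_ctx, target_ctx):
    """True when the source high level dominates the target high level."""
    s_sens, s_cats = high_level(source_ctx)
    t_sens, t_cats = high_level(target_ctx)
    return s_sens >= t_sens and s_cats >= t_cats


def classify(avc_line):
    """'level-mismatch': needs an MCS attribute or a matching level, not an allow rule.
    'type-enforcement': levels are compatible, so a TE allow rule is the relevant fix."""
    ctx = dict(CTX.findall(avc_line))
    return 'type-enforcement' if dominates(ctx['s'], ctx['t']) else 'level-mismatch'


if __name__ == '__main__':
    for line in SAMPLE_AVCS:
        print(classify(line), '<-', re.search(r'path="([^"]+)"', line).group(1))
```

Run it against the raw AVC lines in audit.log rather than the setroubleshoot summary in /var/log/messages, since only the raw records carry scontext and tcontext.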