Quoting Dominick Grift:
On Fri, 2013-11-15 at 16:09 +0100, Gabriele Pohl wrote:
When I use audit2allow a second time (grep on a fresh rotated
audit.log file)
I get this:
#!!!! This avc is a constraint violation. You will need to add an
attribute to either the source or target type to make it work.
#Contraint rule:
allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
--------------------------------
How can I solve the issue?
See if this additional module does the trick:
cat >> mytest.te <<EOF
policy_module(mytest, 1.0.0)
gen_require(\` type munin_disk_plugin_t; ')
mcs_file_read_all(munin_disk_plugin_t)
EOF
make -f /usr/share/selinux/devel/Makefile mytest.pp
sudo semodule -i mytest.pp
Thanks for your support!
I tried it:
# cat diskstats-grift-pol.te
policy_module(diskstats-grift, 1.0.0)
gen_require(\` type munin_disk_plugin_t; ')
mcs_file_read_all(munin_disk_plugin_t)
# make -f /usr/share/selinux/devel/Makefile diskstats-grift-pol.pp
Compiling targeted diskstats-grift-pol module
/usr/bin/checkmodule: loading policy configuration from
tmp/diskstats-grift-pol.tmp
diskstats-grift-pol.te":2:WARNING 'unrecognized character' at token
'\' on line 3217:
#line 2
\ type munin_disk_plugin_t;
diskstats-grift-pol.te":2:WARNING 'unrecognized character' at token
'\' on line 3217:
#line 2
\ type munin_disk_plugin_t;
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to
tmp/diskstats-grift-pol.mod
Creating targeted diskstats-grift-pol.pp policy package
rm tmp/diskstats-grift-pol.mod tmp/diskstats-grift-pol.mod.fc
I have a new module diskstats-grift-pol.pp now,
but didn't apply it yet because of the warnings.
OK to apply, or do you have a recipe to avoid the warnings?
Gabriele
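
Added example, not part of the original messages: the suggested module was given as a `cat <<EOF` here-document, where a backtick must be written as \` so the shell does not start a command substitution, while the .te file above was created directly and still contains the backslash that checkmodule warns about. The script below writes the same module three ways and checks each file for a backslash in front of the m4 opening quote; the helper names and temporary file names are assumptions made for this example, and no SELinux tooling is needed to run it.

```shell
#!/bin/sh
# Added example: helper and file names are hypothetical.

# Unquoted delimiter: the shell expands the body, so the m4 opening quote
# is written as \` and the shell removes the backslash when writing.
write_unquoted_heredoc() {
    cat > "$1" <<EOF
policy_module(mytest, 1.0.0)
gen_require(\` type munin_disk_plugin_t; ')
mcs_file_read_all(munin_disk_plugin_t)
EOF
}

# Quoted delimiter: the body is copied verbatim, so no escaping is needed.
write_quoted_heredoc() {
    cat > "$1" <<'EOF'
policy_module(mytest, 1.0.0)
gen_require(` type munin_disk_plugin_t; ')
mcs_file_read_all(munin_disk_plugin_t)
EOF
}

# Constructed stand-in for a file typed or pasted into an editor with the
# here-document escape left in place: the backslash reaches the compiler.
write_pasted_literal() {
    cat > "$1" <<'EOF'
policy_module(mytest, 1.0.0)
gen_require(\` type munin_disk_plugin_t; ')
mcs_file_read_all(munin_disk_plugin_t)
EOF
}

# Succeeds when no backslash sits directly before a backtick; otherwise
# prints the offending line numbers and fails.
te_is_clean() {
    ! grep -n '\\`' "$1"
}

tmp=$(mktemp -d)
write_unquoted_heredoc "$tmp/unquoted.te"
write_quoted_heredoc "$tmp/quoted.te"
write_pasted_literal "$tmp/pasted.te"
for f in unquoted quoted pasted; do
    if te_is_clean "$tmp/$f.te"; then echo "$f.te: clean"
    else echo "$f.te: stray backslash before m4 quote"; fi
done
```

Running the same check on a hand-written .te file before `make` shows whether a here-document escape was carried over into it.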