Problem with aiccu and radvd in /etc/NetworkManager/dispatcher.d/*
Laurent Rineau
laurent.rineau__fedora at normalesup.org
Thu Jun 10 15:23:01 UTC 2010
Hi Dominick. Thanks for your answer. I have followed your recommendations (see
below).
On Wednesday 09 June 2010 17:58:58 Dominick Grift wrote:
> lets create a policy patch:
>
> echo "policy_module(myaiccu, 1.0.0)" > myaiccu.te;
> echo "require { type aiccu_t; }" >> myaiccu.te;
> echo "sysnet_domtrans_ifconfig(aiccu_t)" >> myaiccu.te;
> echo "modutils_domtrans_insmod_uncond(aiccu_t)" >> myaiccu.te;
> echo "corecmd_exec_shell(aiccu_t)" >> myaiccu.te;
>
> see if it builds:
>
> make -f /usr/share/selinux/devel/Makefile myaiccu.pp
>
> Install it:
>
> sudo semodule -i myaiccu.pp
I have created myaiccu.te with:
policy_module(myaiccu, 1.0.0)
require { type aiccu_t; }
sysnet_domtrans_ifconfig(aiccu_t)
modutils_domtrans_insmod_uncond(aiccu_t)
corecmd_exec_shell(aiccu_t)
and typed:
sudo setenforce 0
sudo semodule -d local
sudo semodule -i myaiccu.pp
then I have disabled and reenabled the network.
I have had three AVCs (full log attached), and audit2allow now only says:
#============= aiccu_t ==============
allow aiccu_t proc_t:file { read getattr open };
I have retried with a new myaiccu.te:
policy_module(myaiccu, 1.0.1)
require { type aiccu_t;
type proc_t;
class file { read getattr open };
}
sysnet_domtrans_ifconfig(aiccu_t)
modutils_domtrans_insmod_uncond(aiccu_t)
corecmd_exec_shell(aiccu_t)
allow aiccu_t proc_t:file { read getattr open };
and:
sudo semodule -u myaiccu.pp
and then the disable/enable of the network gives no AVC.
I hope that can help you fix the aiccu module.
--
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aiccu-audit.log
Type: text/x-log
Size: 1359 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100610/1df0efb6/attachment.bin
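A small audit2allow-style script, added here as an example (not from the thread, and not the SELinux toolchain's own code), showing how AVC denials like the ones in the attached log are turned into the require block and allow rule of the second myaiccu.te above; the audit lines it parses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample audit lines, modelled on the aiccu_t -> proc_t denials
# from the thread (pids, inodes and timestamps are made up); the last line is
# not a denial and must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1276182181.123:42): avc:  denied  { read } for  pid=1234 comm="aiccu" name="if_inet6" dev=proc ino=4026531842 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1276182181.124:43): avc:  denied  { getattr } for  pid=1234 comm="aiccu" path="/proc/net/if_inet6" dev=proc ino=4026531842 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1276182181.125:44): avc:  denied  { open } for  pid=1234 comm="aiccu" path="/proc/net/if_inet6" dev=proc ino=4026531842 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=USER_AVC msg=audit(1276182181.126:45): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scon>\S+)"
    r".*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)"
)

def parse_denials(log_text):
    """Map (source_type, target_type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # a context is user:role:TYPE:level, so the type is field 2
            key = (m["scon"].split(":")[2], m["tcon"].split(":")[2], m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def render_te(name, version, rules, interfaces=()):
    """Render the .te: header, require block, interface calls, allow rules."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"policy_module({name}, {version})", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}"] + list(interfaces)
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_te("myaiccu", "1.0.1", parse_denials(SAMPLE_AUDIT_LOG),
                    ["sysnet_domtrans_ifconfig(aiccu_t)",
                     "modutils_domtrans_insmod_uncond(aiccu_t)",
                     "corecmd_exec_shell(aiccu_t)"]))
```

The generated file is the same as the hand-written one in the mail except that the permissions come out sorted; it is still a starting point to review, not something to install blindly, since a denial may point at a mislabelled file rather than a missing rule.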