I'm trying to write a new policy for PvPGN.
When I try to start the service via the init script I get:
Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared
libraries: libm.so.6: cannot open shared object file: Permission denied
[FAILED]
And:
host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0
ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=dir
host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
Policy RPM selinux-policy-3.3.1-84.fc9
If I run the service from the command line without the init script, it
works. I'm sure I'm missing something stupid, I just can't figure out
what it is. I can't see why it works without the init script but
throws SELinux denials when started from the init script.
Thanks in advance for any help.
Fred Wittekind IV
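# config
# File contexts for the pvpgn module.  Each entry is a path regex, an
# optional file-type field ("-d" directory only, "--" regular file only,
# none = any object type) and the label setfiles/restorecon assigns.
/etc/pvpgn -d gen_context(system_u:object_r:pvpgn_etc_t,s0)
/etc/pvpgn/.* -- gen_context(system_u:object_r:pvpgn_etc_t,s0)
# All server daemons and the client/maintenance utilities share one
# entrypoint type, so any of them started through the init script
# transitions into pvpgn_t.  NOTE(review): if the bn* client tools are meant
# to be run interactively by users, a separate type for them would keep the
# daemon entrypoint narrower -- confirm the intended use.
/usr/bin/bnbot -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bncdb -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnchat -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnftp -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bni2tga -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnibuild -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bniextract -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnilist -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnpass -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnstat -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/tgainfo -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/sbin/bnetd -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/sbin/bntrackd -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/sbin/d2cs -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/sbin/d2dbs -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
# State data: no file-type field, so nested directories and files are all
# pvpgn_var_lib_t, matching the manage_dirs/manage_files rules in the .te.
/var/lib/pvpgn -d gen_context(system_u:object_r:pvpgn_var_lib_t,s0)
/var/lib/pvpgn/.* gen_context(system_u:object_r:pvpgn_var_lib_t,s0)
/var/log/pvpgn -d gen_context(system_u:object_r:pvpgn_log_t,s0)
# No file-type field here either: the .te uses
# logging_log_filetrans(pvpgn_t, pvpgn_log_t, { file dir }), so directories
# the daemon creates under its log dir are pvpgn_log_t at runtime.  With the
# previous "--" (regular files only) such a subdirectory matched no pvpgn
# entry and a later restorecon would relabel it to the generic log type,
# breaking the daemon's access to its own logs.
/var/log/pvpgn/.* gen_context(system_u:object_r:pvpgn_log_t,s0)
# PID file: the .te filetrans is file-only, so "--" is consistent here.
/var/run/pvpgn -d gen_context(system_u:object_r:pvpgn_var_run_t,s0)
/var/run/pvpgn/.* -- gen_context(system_u:object_r:pvpgn_var_run_t,s0)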
# pvpgn.te -- SELinux policy module confining the PvPGN game server
# (bnetd, d2cs, d2dbs, bntrackd and the bn* tools) in the domain pvpgn_t.
#
# NOTE(review): the header below is the raw "module ... require { ... }"
# form, yet everything after the require block calls refpolicy interfaces
# (domain_type, init_daemon_domain, files_*, corenet_*, ...).  A refpolicy
# module is normally opened with policy_module(pvpgn, 1.0.0) and built with
# the policy devel Makefile, which supplies those interface definitions and
# the types/attributes their expansions reference -- confirm that is how
# this module is actually compiled, otherwise the require block has to name
# every type each macro touches.
module pvpgn 1.0.0;
# Classes, permissions and attributes this module references directly.
require {
class fd use;
class process { fork signal_perms transition noatsecure siginh rlimitinh };
class fifo_file { read write getattr lock ioctl append };
class filesystem { getattr };
class dir { manage_dir_perms relabelfrom };
# NOTE(review): execmod (executing a mapping the process has modified, e.g.
# text relocations) is required here but no visible rule grants it to
# pvpgn_t; leave it out unless an AVC actually asks for it.
class file { manage_file_perms execute execute_no_trans entrypoint execmod };
class chr_file { manage_file_perms };
class lnk_file { read getattr lock ioctl };
class unix_stream_socket { create_stream_socket_perms connectto };
class sock_file { rw_file_perms };
class netif { packet_perms };
attribute port_type;
class tcp_socket { create_stream_socket_perms recv_msg send_msg node_bind name_bind name_connect recvfrom };
class udp_socket { create_stream_socket_perms recv_msg send_msg node_bind name_bind recvfrom };
class node { packet_perms };
class rawip_socket { recvfrom };
class association { sendto recvfrom };
class packet { send recv };
class capability { setgid setuid };
}
# Domain and entrypoint type.  init_daemon_domain() adds the automatic
# transition from the init-script domain into pvpgn_t when pvpgn_exec_t is
# executed.  That is why the reported AVC shows comm="bnetd" running as
# pvpgn_t only when started via the init script: a direct run from an
# unconfined shell presumably gets no transition, stays unconfined and is
# never denied anything -- so the denials only surface on the init path.
type pvpgn_t;
type pvpgn_exec_t;
domain_type(pvpgn_t)
init_daemon_domain(pvpgn_t, pvpgn_exec_t)
# NOTE(review): the reported failure -- "libm.so.6: cannot open shared
# object file: Permission denied" and avc denied { search } on usr_t --
# matches what is absent from the visible rules: nothing here lets pvpgn_t
# traverse /usr or map the dynamic loader and shared libraries.  In
# refpolicy that is normally libs_use_ld_so(pvpgn_t),
# libs_use_shared_libs(pvpgn_t) and files_read_usr_files(pvpgn_t), plus
# miscfiles_read_localization(pvpgn_t) for locale data; add them unless
# they appear after the end of this excerpt.
# Configuration files under /etc/pvpgn (labelled by the .fc file).
type pvpgn_etc_t;
files_type(pvpgn_etc_t)
# NOTE(review): no visible rule lets pvpgn_t read pvpgn_etc_t (e.g.
# read_files_pattern(pvpgn_t, pvpgn_etc_t, pvpgn_etc_t) with search on the
# directory); expect that denial next once the libraries load, unless the
# rule is further down in the module.
# PID file: files pvpgn_t creates directly in /var/run become
# pvpgn_var_run_t.  The filetrans only chooses the new file's type; write
# access to pvpgn_var_run_t itself is not granted in the visible rules.
type pvpgn_var_run_t;
files_type(pvpgn_var_run_t)
files_pid_file(pvpgn_var_run_t)
files_pid_filetrans(pvpgn_t,pvpgn_var_run_t,file)
# Account/state data: full directory and file management of
# pvpgn_var_lib_t, and files created directly in /var/lib get that type.
type pvpgn_var_lib_t;
files_type(pvpgn_var_lib_t)
manage_dirs_pattern(pvpgn_t, pvpgn_var_lib_t, pvpgn_var_lib_t)
manage_files_pattern(pvpgn_t, pvpgn_var_lib_t, pvpgn_var_lib_t)
files_var_lib_filetrans(pvpgn_t,pvpgn_var_lib_t,file)
# Logs: both files and directories created in /var/log become pvpgn_log_t.
# Because the transition covers dir, the .fc entry for /var/log/pvpgn/.*
# should match directories too, not only regular files.  As with the PID
# type, no visible rule grants pvpgn_t write access to pvpgn_log_t itself
# (e.g. manage_files_pattern(pvpgn_t, pvpgn_log_t, pvpgn_log_t)).
type pvpgn_log_t;
files_type(pvpgn_log_t)
logging_log_filetrans(pvpgn_t, pvpgn_log_t, { file dir })
# Database connections
# Connect to the local MySQL / PostgreSQL unix sockets for the account
# storage back-ends.
mysql_stream_connect(pvpgn_t)
postgresql_stream_connect(pvpgn_t)
# Privileges on the domain itself: setuid/setgid presumably so the daemon,
# started as root (uid=0 in the SYSCALL record), can drop to its service
# account; fork and signalling of its own processes.
allow pvpgn_t self:capability { setgid setuid };
allow pvpgn_t self:process { fork signal_perms };
# Network
# Send/receive on any interface and node, bind any generic (unreserved)
# TCP and UDP port, and accept unlabeled and NetLabel-labelled packets.
# NOTE(review): binding generic ports is broad -- it lets the domain listen
# on any port not claimed by another port type.  A dedicated port type for
# the server's fixed ports (declared with corenet_port()) and bind rules for
# just that type would be the tighter form; confirm which ports bnetd/d2cs
# actually use.
corenet_tcp_sendrecv_generic_if(pvpgn_t)
corenet_udp_sendrecv_generic_if(pvpgn_t)
corenet_udp_bind_generic_port(pvpgn_t)
corenet_tcp_bind_generic_port(pvpgn_t)
corenet_tcp_sendrecv_all_nodes(pvpgn_t)
corenet_udp_sendrecv_all_nodes(pvpgn_t)
corenet_all_recvfrom_unlabeled(pvpgn_t)
corenet_all_recvfrom_netlabel(pvpgn_t)