Fred Wittekind wrote:
Daniel J Walsh wrote:
Fred Wittekind wrote:
>>> Daniel J Walsh wrote:
>>> Fred Wittekind wrote:
>>>
>>>
>>>>>> I'm trying to write a new policy for PvPGN.
>>>>>>
>>>>>> When I try to start the service via the init script I get:
>>>>>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared libraries: libm.so.6: cannot open shared object file: Permission denied
>>>>>> [FAILED]
>>>>>>
>>>>>> And:
>>>>>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc: denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0 ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
>>>>>>
>>>>>> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403): arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0 a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd" exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
>>>>>>
>>>>>> Policy RPM selinux-policy-3.3.1-84.fc9
>>>>>>
>>>>>> If I run the service from the command line without the init script, it
>>>>>> works. I'm sure I'm missing something stupid, just can't figure out
>>>>>> what it is. Can't figure out why it works without the initscript, and
>>>>>> throws selinux errors when run from the init script.
>>>>>>
>>>>>> Thanks in advance for any help.
>>>>>>
>>>>>> Fred Wittekind IV
>>>>>>
>>>>>> --
>>>>>> fedora-selinux-list mailing list
>>>>>> fedora-selinux-list(a)redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>>
>>> Fred if you use policy_module(pvpgn, 1.0.0)
>>> You will get all of the gen_require stuff for free.
>>>
>>>> Quite helpful, thanks.
>>>>
>>> corenet_udp_bind_generic_port(pvpgn_t)
>>> corenet_tcp_bind_generic_port(pvpgn_t)
>>>
>>>
type pvpgn_port_t;
ports_type(pvpgn_port_t)
allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
allow pvpgn_t pvpgn_port_t:udp_socket name_bind;
Then you need to add the ports definition using
semanage port -a -t pvpgn_port_t -Ptcp PORTNUM
> Assuming this policy file is going to be included into an rpm I'm making
> for pvpgn, what's best practice for handling adding the port numbers?
> Add semanage statements for the port numbers to the %post section? Or
> is there a way to encode the port numbers into the policy file?
Yes, I would execute something like the following in your post:
# semodule -i pvpgn.pp
# restorecon -R -v PVPGNPATHS ...
# semanage port -a -t pvpgn_port_t -Ptcp PORTNUM
You cannot define a port in a module currently.
>>> You really should define a port and then allow pvpgn bind to the
>>> specific port. (Unless pvpgn binds to random ports?)
>>>
>>>> Wanted to, but couldn't quite figure out how to define a specific
>>>> port. Using source rpm for policy as a reference, but, it appears to
>>>> use
>>>> macros for all the ports it needs.
>>>>
>>> If this is on Fedora 10 you might want to add
>>>
>>> permissive pvpgn_t;
>>>
>>> Which will allow the daemon to run in permissive mode while you are
>>> testing.
>>>
>>>> It's Fedora 9, thanks though.
>>>>
>>>>
Well, that should show up in Fedora 9 whenever they move to the
kernel-2.6.27 kernel.
>
Your question this morning has triggered me to write a blog entry.
http://danwalsh.livejournal.com/23944.html
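The %post sequence Dan describes above (load the module, relabel, then attach the port with semanage), written out as rpm scriptlet functions. This is an added example, not code from the thread or from PvPGN; the module path, the file paths in PVPGN_PATHS and port 6112 are assumed placeholders, and it uses semanage's `-p` protocol option. It also covers the case the thread does not: on reinstall `semanage port -a` fails because the port is already defined, so it falls back to `-m`, and %postun only removes the module on erase, not on upgrade.

```shell
#!/bin/sh
# Added example: rpm %post/%postun helpers for the pvpgn SELinux module.
# Assumed values (placeholders): module path, labelled paths and port 6112.
PVPGN_PORT_TYPE=pvpgn_port_t
PVPGN_MODULE=/usr/share/selinux/packages/pvpgn.pp
PVPGN_PATHS="/usr/sbin/bnetd /etc/pvpgn /var/pvpgn"   # constructed paths

# 'semanage port -a' fails when the port already carries a label (e.g. a
# reinstall), so fall back to '-m', which changes the existing definition.
pvpgn_add_port() {
    proto=$1; port=$2
    semanage port -a -t "$PVPGN_PORT_TYPE" -p "$proto" "$port" 2>/dev/null ||
        semanage port -m -t "$PVPGN_PORT_TYPE" -p "$proto" "$port"
}

# %post: argument is the port bnetd listens on (defaults to the placeholder).
pvpgn_selinux_post() {
    port=${1:-6112}
    # Do nothing on a box without SELinux; a scriptlet must not fail the rpm.
    selinuxenabled 2>/dev/null || return 0
    semodule -i "$PVPGN_MODULE" || return 1
    # Relabel the daemon's files now that the module's contexts are loaded
    # (unquoted on purpose: the variable holds several paths).
    restorecon -R -v $PVPGN_PATHS
    pvpgn_add_port tcp "$port" && pvpgn_add_port udp "$port"
}

# %postun: rpm passes the remaining install count as $1 (0 = erase, 1 = upgrade).
pvpgn_selinux_postun() {
    count=${1:-0}; port=${2:-6112}
    [ "$count" -eq 0 ] || return 0      # keep the module across upgrades
    selinuxenabled 2>/dev/null || return 0
    semanage port -d -t "$PVPGN_PORT_TYPE" -p tcp "$port" 2>/dev/null
    semanage port -d -t "$PVPGN_PORT_TYPE" -p udp "$port" 2>/dev/null
    semodule -r pvpgn
}
```

In the spec file the bodies of %post and %postun would call `pvpgn_selinux_post` and `pvpgn_selinux_postun $1` respectively.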