6:47 p.m.
I'm trying to write a new policy for PvPGN.
When I try to start the service via the init script I get:
Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared
libraries: libm.so.6: cannot open shared object file: Permission denied
[FAILED]
And:
host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0
ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=dir
host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
Policy RPM selinux-policy-3.3.1-84.fc9
If I run the service from the command line without the init script, it
works. I'm sure I'm missing something stuipid, just can't figure out
what it is. Can't figure out why it works without the initscript, and
throws selinux errors when run from the init script.
Thanks in advance for any help.
Fred Wittekind IV
# config
/etc/pvpgn -d gen_context(system_u:object_r:pvpgn_etc_t,s0)
/etc/pvpgn/.* -- gen_context(system_u:object_r:pvpgn_etc_t,s0)
/usr/bin/bnbot -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bncdb -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnchat -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnftp -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bni2tga -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnibuild -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bniextract -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnilist -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnpass -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnstat -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/tgainfo -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/sbin/bnetd -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/sbin/bntrackd -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/sbin/d2cs -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/sbin/d2dbs -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/var/lib/pvpgn -d gen_context(system_u:object_r:pvpgn_var_lib_t,s0)
/var/lib/pvpgn/.* gen_context(system_u:object_r:pvpgn_var_lib_t,s0)
/var/log/pvpgn -d gen_context(system_u:object_r:pvpgn_log_t,s0)
/var/log/pvpgn/.* -- gen_context(system_u:object_r:pvpgn_log_t,s0)
/var/run/pvpgn -d gen_context(system_u:object_r:pvpgn_var_run_t,s0)
/var/run/pvpgn/.* -- gen_context(system_u:object_r:pvpgn_var_run_t,s0)
module pvpgn 1.0.0;
require {
class fd use;
class process { fork signal_perms transition noatsecure siginh rlimitinh };
class fifo_file { read write getattr lock ioctl append };
class filesystem { getattr };
class dir { manage_dir_perms relabelfrom };
class file { manage_file_perms execute execute_no_trans entrypoint execmod };
class chr_file { manage_file_perms };
class lnk_file { read getattr lock ioctl };
class unix_stream_socket { create_stream_socket_perms connectto };
class sock_file { rw_file_perms };
class netif { packet_perms };
attribute port_type;
class tcp_socket { create_stream_socket_perms recv_msg send_msg node_bind name_bind
name_connect recvfrom };
class udp_socket { create_stream_socket_perms recv_msg send_msg node_bind name_bind
recvfrom };
class node { packet_perms };
class rawip_socket { recvfrom };
class association { sendto recvfrom };
class packet { send recv };
class capability { setgid setuid };
}
type pvpgn_t;
type pvpgn_exec_t;
domain_type(pvpgn_t)
init_daemon_domain(pvpgn_t, pvpgn_exec_t)
type pvpgn_etc_t;
files_type(pvpgn_etc_t)
type pvpgn_var_run_t;
files_type(pvpgn_var_run_t)
files_pid_file(pvpgn_var_run_t)
files_pid_filetrans(pvpgn_t,pvpgn_var_run_t,file)
type pvpgn_var_lib_t;
files_type(pvpgn_var_lib_t)
manage_dirs_pattern(pvpgn_t, pvpgn_var_lib_t, pvpgn_var_lib_t)
manage_files_pattern(pvpgn_t, pvpgn_var_lib_t, pvpgn_var_lib_t)
files_var_lib_filetrans(pvpgn_t,pvpgn_var_lib_t,file)
type pvpgn_log_t;
files_type(pvpgn_log_t)
logging_log_filetrans(pvpgn_t, pvpgn_log_t, { file dir })
# Database connections
mysql_stream_connect(pvpgn_t)
postgresql_stream_connect(pvpgn_t)
#
allow pvpgn_t self:capability { setgid setuid };
allow pvpgn_t self:process { fork signal_perms };
# Network
corenet_tcp_sendrecv_generic_if(pvpgn_t)
corenet_udp_sendrecv_generic_if(pvpgn_t)
corenet_udp_bind_generic_port(pvpgn_t)
corenet_tcp_bind_generic_port(pvpgn_t)
corenet_tcp_sendrecv_all_nodes(pvpgn_t)
corenet_udp_sendrecv_all_nodes(pvpgn_t)
corenet_all_recvfrom_unlabeled(pvpgn_t)
corenet_all_recvfrom_netlabel(pvpgn_t)
1:09 a.m.
On Wed, 10 Sep 2008 19:47:22 -0400
Fred Wittekind <rom(a)twister.dyndns.org> wrote:
I'm trying to write a new policy for PvPGN.
When I try to start the service via the init script I get:
Starting PvPGN game server: /usr/sbin/bnetd: error while loading
shared libraries: libm.so.6: cannot open shared object file:
Permission denied [FAILED]
And:
host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0
ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=dir
host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
Add to your policy:
libs_use_shared_libs(pvpgn_t)
Policy RPM selinux-policy-3.3.1-84.fc9
If I run the service from the command line without the init script,
it works. I'm sure I'm missing something stuipid, just can't figure
out what it is. Can't figure out why it works without the
initscript, and throws selinux errors when run from the init script.
When you run the service directly from the command line, it doesn't
transition to pvpgn_t, running unconfined instead, hence no SELinux
issues.
Paul.
8:06 a.m.
Paul Howarth wrote:
On Wed, 10 Sep 2008 19:47:22 -0400
Fred Wittekind <rom(a)twister.dyndns.org> wrote:
> I'm trying to write a new policy for PvPGN.
>
> When I try to start the service via the init script I get:
> Starting PvPGN game server: /usr/sbin/bnetd: error while loading
> shared libraries: libm.so.6: cannot open shared object file:
> Permission denied [FAILED]
>
> And:
> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
> denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0
> ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>
> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
> arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
> a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
> exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
>
Add to your policy:
libs_use_shared_libs(pvpgn_t)
Thanks, that got me pointed in the right direction, I was sure there was
a simple way to do it, I just wasn't seeing it.
> Policy RPM selinux-policy-3.3.1-84.fc9
>
>
> If I run the service from the command line without the init script,
> it works. I'm sure I'm missing something stuipid, just can't figure
> out what it is. Can't figure out why it works without the
> initscript, and throws selinux errors when run from the init script.
>
When you run the service directly from the command line, it doesn't
transition to pvpgn_t, running unconfined instead, hence no SELinux
issues.
That explains it. Just because I like to know how things work, what
makes the initscript different? Is it something in the policy, or
something in the functions file?
Paul.
8:54 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Fred Wittekind wrote:
Paul Howarth wrote:
> On Wed, 10 Sep 2008 19:47:22 -0400
> Fred Wittekind <rom(a)twister.dyndns.org> wrote:
>
>
>> I'm trying to write a new policy for PvPGN.
>>
>> When I try to start the service via the init script I get:
>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading
>> shared libraries: libm.so.6: cannot open shared object file:
>> Permission denied [FAILED]
>>
>> And:
>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
>> denied { search } for pid=3526 comm="bnetd" name="usr"
dev=dm-0
>> ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
>> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>>
>> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
>> arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
>> a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
>> exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
>>
>
> Add to your policy:
>
> libs_use_shared_libs(pvpgn_t)
>
Thanks, that got me pointed in the right direction, I was sure there was
a simple way to do it, I just wasn't seeing it.
>
>> Policy RPM selinux-policy-3.3.1-84.fc9
>>
>>
>> If I run the service from the command line without the init script,
>> it works. I'm sure I'm missing something stuipid, just can't figure
>> out what it is. Can't figure out why it works without the
>> initscript, and throws selinux errors when run from the init script.
>>
>
> When you run the service directly from the command line, it doesn't
> transition to pvpgn_t, running unconfined instead, hence no SELinux
> issues.
>
That explains it. Just because I like to know how things work, what
makes the initscript different? Is it something in the policy, or
something in the functions file?
> Paul.
>
>
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
The interface
init_daemon_domain(pvpgn_t, pvpgn_exec_t)
Defines a transition rule that says
Init Scripts executing apps labeled pvbpgn_exec_t should transition to
pvpgn_t.
initrc_t -> pvpgn_exec_t -> pvpgn_t
If an unconfined_t user executes these same applications it will stay in
the context of the user account, since there is no transition defined
for unconfined_t -> pvpgn_exec_t -> pvpgn_t. I don't want to have that
many transitions from the unconfined user, since this would tend to
surprise the user. We tell the user SELinux will not blocked unconfined
users and then they run one app and suddenly it is confined.
One transition that for the unconfined user is over init scripts.
unconfined_t -> initrc_exec_t -> initrc_t
All scripts in /etc/init.d/ are defined with an initscript context
(initrc_exec_t) and allow this transition.
So an unconfined user executing system pvpvn restart would execute the
init script and the init script would finally start pvpvn running in the
correct context.
unconfined_t -> initrc_exec_t -> initrc_t -> pvpgn_exec_t -> pvpgn_t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjJIxsACgkQrlYvE4MpobMAKwCbBPVT+Lo+05t7WL1uCgcxdnEt
wrcAnAjZmiFbdW6SUHEBHN8AmK9Tv3Vi
=GN3X
-----END PGP SIGNATURE-----
7:57 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Fred Wittekind wrote:
I'm trying to write a new policy for PvPGN.
When I try to start the service via the init script I get:
Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared
libraries: libm.so.6: cannot open shared object file: Permission denied
[FAILED]
And:
host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0
ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=dir
host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
Policy RPM selinux-policy-3.3.1-84.fc9
If I run the service from the command line without the init script, it
works. I'm sure I'm missing something stuipid, just can't figure out
what it is. Can't figure out why it works without the initscript, and
throws selinux errors when run from the init script.
Thanks in advance for any help.
Fred Wittekind IV
------------------------------------------------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Fred if you use policy_module(pvpgn, 1.0.0)
You will get all of the gen_require stuff for free.
corenet_udp_bind_generic_port(pvpgn_t)
corenet_tcp_bind_generic_port(pvpgn_t)
You really should define a port and then allow pvpgn bind to the
specific port. (Unless pvpgn binds to random ports?)
If this is on Fedora 10 you might want to add
permissive pvpgn_t;
Which will allow the daemon to run in permissive mode while you are testing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjJFb4ACgkQrlYvE4MpobP73gCdF0SzLu6vwQKvlxlzZpisGmcp
uS0An3qN7yVmjTrhtaKxytQKICcP9oQQ
=dg/y
-----END PGP SIGNATURE-----
8:17 a.m.
Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Fred Wittekind wrote:
> I'm trying to write a new policy for PvPGN.
>
> When I try to start the service via the init script I get:
> Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared
> libraries: libm.so.6: cannot open shared object file: Permission denied
> [FAILED]
>
> And:
> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
> denied { search } for pid=3526 comm="bnetd" name="usr"
dev=dm-0
> ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>
> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
> arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
> a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
> exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
>
> Policy RPM selinux-policy-3.3.1-84.fc9
>
>
> If I run the service from the command line without the init script, it
> works. I'm sure I'm missing something stuipid, just can't figure out
> what it is. Can't figure out why it works without the initscript, and
> throws selinux errors when run from the init script.
>
> Thanks in advance for any help.
>
> Fred Wittekind IV
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
Fred if you use policy_module(pvpgn, 1.0.0)
You will get all of the gen_require stuff for free.
Quite helpful, thanks.
corenet_udp_bind_generic_port(pvpgn_t)
corenet_tcp_bind_generic_port(pvpgn_t)
You really should define a port and then allow pvpgn bind to the
specific port. (Unless pvpgn binds to random ports?)
Wanted to, but couldn't quite figure out how to define a specific port.
Using source rpm for policy as a reference, but, it appears to use
macros for all the ports it needs.
If this is on Fedora 10 you might want to add
permissive pvpgn_t;
Which will allow the daemon to run in permissive mode while you are testing.
It's Fedora 9, thanks though.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjJFb4ACgkQrlYvE4MpobP73gCdF0SzLu6vwQKvlxlzZpisGmcp
uS0An3qN7yVmjTrhtaKxytQKICcP9oQQ
=dg/y
-----END PGP SIGNATURE-----
8:42 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Fred Wittekind wrote:
Daniel J Walsh wrote:
Fred Wittekind wrote:
>>> I'm trying to write a new policy for PvPGN.
>>>
>>> When I try to start the service via the init script I get:
>>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared
>>> libraries: libm.so.6: cannot open shared object file: Permission denied
>>> [FAILED]
>>>
>>> And:
>>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
>>> denied { search } for pid=3526 comm="bnetd" name="usr"
dev=dm-0
>>> ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
>>> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>>>
>>> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
>>> arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
>>> a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
>>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
>>> exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0
key=(null)
>>>
>>> Policy RPM selinux-policy-3.3.1-84.fc9
>>>
>>>
>>> If I run the service from the command line without the init script, it
>>> works. I'm sure I'm missing something stuipid, just can't figure
out
>>> what it is. Can't figure out why it works without the initscript, and
>>> throws selinux errors when run from the init script.
>>>
>>> Thanks in advance for any help.
>>>
>>> Fred Wittekind IV
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list(a)redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>
Fred if you use policy_module(pvpgn, 1.0.0)
You will get all of the gen_require stuff for free.
> Quite helpful, thanks.
corenet_udp_bind_generic_port(pvpgn_t)
corenet_tcp_bind_generic_port(pvpgn_t)
type pvpgn_port_t;
ports_type(pvpgn_port_t)
allow pvpgn_t pbpgn_port_t:tcp_socket name_bind;
allow pvpgn_t pbpgn_port_t:udp_socket name_bind;
Then you need to add the ports definition using
semanage port -a -t pvpgn_port_t -Ptcp PORTNUM
You really should define a port and then allow pvpgn bind to the
specific port. (Unless pvpgn binds to random ports?)
> Wanted to, but couldn't quite figure out how to define a specific port.
> Using source rpm for policy as a reference, but, it appears to use
> macros for all the ports it needs.
If this is on Fedora 10 you might want to add
permissive pvpgn_t;
Which will allow the daemon to run in permissive mode while you are
testing.
> It's Fedora 9, thanks though.
>
Well that should show up in Fedora 9 whenever they move to the
kernel-2.6.27 kernel
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjJIF4ACgkQrlYvE4MpobOXcACg5nX3J9InfRUZ+bWK3ECMqkBw
l6QAn2JO8BOwXMzxLE570FxoqT7B5k10
=Sedm
-----END PGP SIGNATURE-----
8:57 a.m.
Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Fred Wittekind wrote:
> Daniel J Walsh wrote:
> Fred Wittekind wrote:
>
>
>>>> I'm trying to write a new policy for PvPGN.
>>>>
>>>> When I try to start the service via the init script I get:
>>>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared
>>>> libraries: libm.so.6: cannot open shared object file: Permission denied
>>>> [FAILED]
>>>>
>>>> And:
>>>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
>>>> denied { search } for pid=3526 comm="bnetd"
name="usr" dev=dm-0
>>>> ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
>>>> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>>>>
>>>> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
>>>> arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
>>>> a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
>>>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151
comm="bnetd"
>>>> exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0
key=(null)
>>>>
>>>> Policy RPM selinux-policy-3.3.1-84.fc9
>>>>
>>>>
>>>> If I run the service from the command line without the init script, it
>>>> works. I'm sure I'm missing something stuipid, just can't
figure out
>>>> what it is. Can't figure out why it works without the initscript,
and
>>>> throws selinux errors when run from the init script.
>>>>
>>>> Thanks in advance for any help.
>>>>
>>>> Fred Wittekind IV
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list(a)redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>
>>>>
> Fred if you use policy_module(pvpgn, 1.0.0)
> You will get all of the gen_require stuff for free.
>
>
>> Quite helpful, thanks.
>>
> corenet_udp_bind_generic_port(pvpgn_t)
> corenet_tcp_bind_generic_port(pvpgn_t)
>
>
type pvpgn_port_t;
ports_type(pvpgn_port_t)
allow pvpgn_t pbpgn_port_t:tcp_socket name_bind;
allow pvpgn_t pbpgn_port_t:udp_socket name_bind;
Then you need to add the ports definition using
semanage port -a -t pvpgn_port_t -Ptcp PORTNUM
Assuming this policy files is going to be included into a rpm I'm making
for pvpgn, what's best practice for handling adding the port numbers.
Add semanage statements for the port numbers to the %post section? Or
is there a way to encode the port numbers into the policy file?
> You really should define a port and then allow pvpgn bind to the
> specific port. (Unless pvpgn binds to random ports?)
>
>
>> Wanted to, but couldn't quite figure out how to define a specific port.
>> Using source rpm for policy as a reference, but, it appears to use
>> macros for all the ports it needs.
>>
> If this is on Fedora 10 you might want to add
>
> permissive pvpgn_t;
>
> Which will allow the daemon to run in permissive mode while you are
> testing.
>
>
>> It's Fedora 9, thanks though.
>>
>>
Well that should show up in Fedora 9 whenever they move to the
kernel-2.6.27 kernel
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjJIF4ACgkQrlYvE4MpobOXcACg5nX3J9InfRUZ+bWK3ECMqkBw
l6QAn2JO8BOwXMzxLE570FxoqT7B5k10
=Sedm
-----END PGP SIGNATURE-----
9:50 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Fred Wittekind wrote:
Daniel J Walsh wrote:
Fred Wittekind wrote:
>>> Daniel J Walsh wrote:
>>> Fred Wittekind wrote:
>>>
>>>
>>>>>> I'm trying to write a new policy for PvPGN.
>>>>>>
>>>>>> When I try to start the service via the init script I get:
>>>>>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading
>>>>>> shared
>>>>>> libraries: libm.so.6: cannot open shared object file: Permission
>>>>>> denied
>>>>>>
[FAILED]
>>>>>>
>>>>>> And:
>>>>>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403):
avc:
>>>>>> denied { search } for pid=3526 comm="bnetd"
name="usr" dev=dm-0
>>>>>> ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
>>>>>> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>>>>>>
>>>>>> host=twister.dragon type=SYSCALL
msg=audit(1221090145.148:30403):
>>>>>> arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190
a1=bfaad1f0
>>>>>> a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0
euid=0
>>>>>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151
comm="bnetd"
>>>>>> exe="/usr/sbin/bnetd"
subj=unconfined_u:system_r:pvpgn_t:s0
>>>>>> key=(null)
>>>>>>
>>>>>> Policy RPM selinux-policy-3.3.1-84.fc9
>>>>>>
>>>>>>
>>>>>> If I run the service from the command line without the init
>>>>>> script, it
>>>>>> works. I'm sure I'm missing something stuipid, just
can't figure out
>>>>>> what it is. Can't figure out why it works without the
initscript,
>>>>>> and
>>>>>> throws selinux errors when run from the init script.
>>>>>>
>>>>>> Thanks in advance for any help.
>>>>>>
>>>>>> Fred Wittekind IV
>>>>>>
>>>>>>
>>>>>>
------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>> --
>>>>>> fedora-selinux-list mailing list
>>>>>> fedora-selinux-list(a)redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>>
>>> Fred if you use policy_module(pvpgn, 1.0.0)
>>> You will get all of the gen_require stuff for free.
>>>
>>>> Quite helpful, thanks.
>>>>
>>> corenet_udp_bind_generic_port(pvpgn_t)
>>> corenet_tcp_bind_generic_port(pvpgn_t)
>>>
>>>
type pvpgn_port_t;
ports_type(pvpgn_port_t)
allow pvpgn_t pbpgn_port_t:tcp_socket name_bind;
allow pvpgn_t pbpgn_port_t:udp_socket name_bind;
Then you need to add the ports definition using
semanage port -a -t pvpgn_port_t -Ptcp PORTNUM
> Assuming this policy files is going to be included into a rpm I'm making
> for pvpgn, what's best practice for handling adding the port numbers.
> Add semanage statements for the port numbers to the %post section? Or
> is there a way to encode the port numbers into the policy file?
Yes I would execute the something like the following in your post
# semodule -i pvpgn.pp
# restorecon -R -v PGPGNPATHS ...
# semanage port -a -t pvpgn_port_t -Ptcp PORTNUM
You can not define a port in a module currently.
>>> You really should define a port and then allow pvpgn bind
to the
>>> specific port. (Unless pvpgn binds to random ports?)
>>>
>>>> Wanted to, but couldn't quite figure out how to define a specific
>>>> port. Using source rpm for policy as a reference, but, it appears to
>>>> use
>>>> macros for all the ports it needs.
>>>>
>>> If this is on Fedora 10 you might want to add
>>>
>>> permissive pvpgn_t;
>>>
>>> Which will allow the daemon to run in permissive mode while you are
>>> testing.
>>>
>>>> It's Fedora 9, thanks though.
>>>>
>>>>
Well that should show up in Fedora 9 whenever they move to the
kernel-2.6.27 kernel
>
Your question this morning has triggered me to write a blog entry.
http://danwalsh.livejournal.com/23944.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjJMDQACgkQrlYvE4MpobNHuwCgquwqLy3OaLPm8OR1Wduuq294
u14AoJIW2CDtNQXo6CUCq+ICDkIPMNCT
=q33W
-----END PGP SIGNATURE-----
7:08 a.m.
Daniel J Walsh wrote:
Then you need to add the ports definition using
semanage port -a -t pvpgn_port_t -Ptcp PORTNUM
It would be nice if someone could explain what this actually does, so
that I (and others) can figure out what implications it has. E.g. is it
persistent? Where is the information stored? Etc, etc.
I'm not very fond of magic. :)
Regards
Ingemar
5698
days inactive
5700
days old
selinux@lists.fedoraproject.org
9 comments
4 participants
participants (4)
-
Daniel J Walsh -
Fred Wittekind -
Ingemar Nilsson -
Paul Howarth