I'm trying to write a new policy for PvPGN.
When I try to start the service via the init script I get:
Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared libraries: libm.so.6: cannot open shared object file: Permission denied [FAILED]
And:
host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc: denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0 ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403): arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0 a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd" exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
Policy RPM selinux-policy-3.3.1-84.fc9
If I run the service from the command line without the init script, it works. I'm sure I'm missing something stupid, just can't figure out what it is. Can't figure out why it works without the initscript, and throws selinux errors when run from the init script.
Thanks in advance for any help.
Fred Wittekind IV
# config
/etc/pvpgn              -d      gen_context(system_u:object_r:pvpgn_etc_t,s0)
/etc/pvpgn/.*           --      gen_context(system_u:object_r:pvpgn_etc_t,s0)
/usr/bin/bnbot          --      gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bncdb          --      gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnchat         --      gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnftp          --      gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bni2tga        --      gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnibuild       --      gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bniextract     --      gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnilist        --      gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnpass         --      gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnstat         --      gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/tgainfo        --      gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/sbin/bnetd         --      gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/sbin/bntrackd      --      gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/sbin/d2cs          --      gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/sbin/d2dbs         --      gen_context(system_u:object_r:pvpgn_exec_t,s0)
/var/lib/pvpgn          -d      gen_context(system_u:object_r:pvpgn_var_lib_t,s0)
/var/lib/pvpgn/.*               gen_context(system_u:object_r:pvpgn_var_lib_t,s0)
/var/log/pvpgn          -d      gen_context(system_u:object_r:pvpgn_log_t,s0)
/var/log/pvpgn/.*       --      gen_context(system_u:object_r:pvpgn_log_t,s0)
/var/run/pvpgn          -d      gen_context(system_u:object_r:pvpgn_var_run_t,s0)
/var/run/pvpgn/.*       --      gen_context(system_u:object_r:pvpgn_var_run_t,s0)

module pvpgn 1.0.0;

require {
	class fd use;
	class process { fork signal_perms transition noatsecure siginh rlimitinh };
	class fifo_file { read write getattr lock ioctl append };
	class filesystem { getattr };
	class dir { manage_dir_perms relabelfrom };
	class file { manage_file_perms execute execute_no_trans entrypoint execmod };
	class chr_file { manage_file_perms };
	class lnk_file { read getattr lock ioctl };
	class unix_stream_socket { create_stream_socket_perms connectto };
	class sock_file { rw_file_perms };
	class netif { packet_perms };
	attribute port_type;
	class tcp_socket { create_stream_socket_perms recv_msg send_msg node_bind name_bind name_connect recvfrom };
	class udp_socket { create_stream_socket_perms recv_msg send_msg node_bind name_bind recvfrom };
	class node { packet_perms };
	class rawip_socket { recvfrom };
	class association { sendto recvfrom };
	class packet { send recv };
	class capability { setgid setuid };
}

# Domain and entrypoint
type pvpgn_t;
type pvpgn_exec_t;
domain_type(pvpgn_t)
init_daemon_domain(pvpgn_t, pvpgn_exec_t)

# Configuration files
type pvpgn_etc_t;
files_type(pvpgn_etc_t)

# PID files
type pvpgn_var_run_t;
files_type(pvpgn_var_run_t)
files_pid_file(pvpgn_var_run_t)
files_pid_filetrans(pvpgn_t, pvpgn_var_run_t, file)

# State under /var/lib
type pvpgn_var_lib_t;
files_type(pvpgn_var_lib_t)
manage_dirs_pattern(pvpgn_t, pvpgn_var_lib_t, pvpgn_var_lib_t)
manage_files_pattern(pvpgn_t, pvpgn_var_lib_t, pvpgn_var_lib_t)
files_var_lib_filetrans(pvpgn_t, pvpgn_var_lib_t, file)

# Log files
type pvpgn_log_t;
files_type(pvpgn_log_t)
logging_log_filetrans(pvpgn_t, pvpgn_log_t, { file dir })

# Database connections
mysql_stream_connect(pvpgn_t)
postgresql_stream_connect(pvpgn_t)

# Process and capability permissions on itself
allow pvpgn_t self:capability { setgid setuid };
allow pvpgn_t self:process { fork signal_perms };

# Network
corenet_tcp_sendrecv_generic_if(pvpgn_t)
corenet_udp_sendrecv_generic_if(pvpgn_t)
corenet_udp_bind_generic_port(pvpgn_t)
corenet_tcp_bind_generic_port(pvpgn_t)
corenet_tcp_sendrecv_all_nodes(pvpgn_t)
corenet_udp_sendrecv_all_nodes(pvpgn_t)
corenet_all_recvfrom_unlabeled(pvpgn_t)
corenet_all_recvfrom_netlabel(pvpgn_t)
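The two audit records quoted in the post share one audit event id (1221090145.148:30403), which is how the AVC line (what was denied) is tied to the SYSCALL line (which binary, which syscall, what errno came back). The following is an added example, not part of the thread or of any Fedora tool: a small parser that splits audit key=value records, joins AVC and SYSCALL records by event id, and prints a one-line summary showing that pvpgn_t was denied search on a usr_t directory while the loader was looking for libm.so.6 under /usr. The sample input is constructed from the two records above.

```python
import re
from collections import defaultdict

# Constructed input: the two records quoted in the thread, as one auditd stream.
SAMPLE_AUDIT = """\
host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc: denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0 ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403): arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0 a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd" exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
"""

# key=value tokens; values are either double-quoted or a run of non-blanks
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission set of an AVC record: avc: denied { search write } for ...
PERMS_RE = re.compile(r'denied\s*\{\s*([^}]*?)\s*\}')
# the event id inside msg=audit(SECONDS.MILLIS:SERIAL):
EVENT_RE = re.compile(r'audit\((\d+\.\d+:\d+)\)')


def parse_record(line):
    """Split one audit record into a dict of fields.

    Quoted values lose their quotes. The audit event id is stored under
    'event_id'; for AVC records the denied permissions are stored as a list
    under 'perms'.
    """
    rec = {}
    for key, val in KV_RE.findall(line):
        rec[key] = val.strip('"')
    m = EVENT_RE.search(rec.get("msg", ""))
    rec["event_id"] = m.group(1) if m else None
    if rec.get("type") == "AVC":
        m = PERMS_RE.search(line)
        rec["perms"] = m.group(1).split() if m else []
    return rec


def context_type(ctx):
    """Return the type component (user:role:TYPE:level) of a security context."""
    return ctx.split(":")[2]


def join_events(lines):
    """Group AVC and SYSCALL records that share an audit event id.

    Returns {event_id: {"avc": [records...], "syscall": record-or-None}}.
    A single syscall can produce several AVC records, hence the list.
    """
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        ev = events[rec["event_id"]]
        if rec.get("type") == "AVC":
            ev["avc"].append(rec)
        elif rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
    return dict(events)


def summarize(event):
    """One line per joined event: who was denied what on which type, plus
    the executable, syscall number and errno from the SYSCALL record."""
    sc = event["syscall"] or {}
    denials = [
        "%s denied %s on %s:%s" % (context_type(avc["scontext"]),
                                  ",".join(avc["perms"]),
                                  context_type(avc["tcontext"]),
                                  avc["tclass"])
        for avc in event["avc"]
    ]
    return "; ".join(denials) + " (exe=%s syscall=%s exit=%s)" % (
        sc.get("exe"), sc.get("syscall"), sc.get("exit"))


if __name__ == "__main__":
    for event_id, ev in join_events(SAMPLE_AUDIT.splitlines()).items():
        print(event_id, summarize(ev))
```

Feed it `ausearch -m AVC,SYSCALL` output or a raw audit.log and the summary tells you at a glance whether a denial is the confined daemon itself (scontext type pvpgn_t) or something else touching its files, and exit=-13 (EACCES) confirms the kernel refused the call rather than the library being absent.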
On Wed, 10 Sep 2008 19:47:22 -0400 Fred Wittekind rom@twister.dyndns.org wrote:
> I'm trying to write a new policy for PvPGN.
> When I try to start the service via the init script I get:
> Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared libraries: libm.so.6: cannot open shared object file: Permission denied [FAILED]
> And:
> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc: denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0 ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403): arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0 a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd" exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
Add to your policy:
libs_use_shared_libs(pvpgn_t)
> Policy RPM selinux-policy-3.3.1-84.fc9
> If I run the service from the command line without the init script, it works. I'm sure I'm missing something stupid, just can't figure out what it is. Can't figure out why it works without the initscript, and throws selinux errors when run from the init script.
When you run the service directly from the command line, it doesn't transition to pvpgn_t, running unconfined instead, hence no SELinux issues.
Paul.
Paul Howarth wrote:
> On Wed, 10 Sep 2008 19:47:22 -0400 Fred Wittekind rom@twister.dyndns.org wrote:
>> I'm trying to write a new policy for PvPGN.
>> When I try to start the service via the init script I get:
>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared libraries: libm.so.6: cannot open shared object file: Permission denied [FAILED]
>> And:
>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc: denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0 ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
>> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403): arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0 a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd" exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
> Add to your policy:
> libs_use_shared_libs(pvpgn_t)
Thanks, that got me pointed in the right direction. I was sure there was a simple way to do it; I just wasn't seeing it.
>> Policy RPM selinux-policy-3.3.1-84.fc9
>> If I run the service from the command line without the init script, it works. I'm sure I'm missing something stupid, just can't figure out what it is. Can't figure out why it works without the initscript, and throws selinux errors when run from the init script.
> When you run the service directly from the command line, it doesn't transition to pvpgn_t, running unconfined instead, hence no SELinux issues.
That explains it. Just because I like to know how things work, what makes the initscript different? Is it something in the policy, or something in the functions file?
> Paul.
Fred Wittekind wrote:
> Paul Howarth wrote:
>> On Wed, 10 Sep 2008 19:47:22 -0400 Fred Wittekind rom@twister.dyndns.org wrote:
>>> I'm trying to write a new policy for PvPGN.
>>> When I try to start the service via the init script I get:
>>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared libraries: libm.so.6: cannot open shared object file: Permission denied [FAILED]
>>> And:
>>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc: denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0 ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
>>> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403): arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0 a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd" exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
>> Add to your policy:
>> libs_use_shared_libs(pvpgn_t)
> Thanks, that got me pointed in the right direction. I was sure there was a simple way to do it; I just wasn't seeing it.
>>> Policy RPM selinux-policy-3.3.1-84.fc9
>>> If I run the service from the command line without the init script, it works. I'm sure I'm missing something stupid, just can't figure out what it is. Can't figure out why it works without the initscript, and throws selinux errors when run from the init script.
>> When you run the service directly from the command line, it doesn't transition to pvpgn_t, running unconfined instead, hence no SELinux issues.
> That explains it. Just because I like to know how things work, what makes the initscript different? Is it something in the policy, or something in the functions file?
>> Paul.
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
The interface
init_daemon_domain(pvpgn_t, pvpgn_exec_t)
defines a transition rule that says:
init scripts executing apps labeled pvpgn_exec_t should transition to pvpgn_t.
initrc_t -> pvpgn_exec_t -> pvpgn_t
If an unconfined_t user executes these same applications, it will stay in the context of the user account, since there is no transition defined for unconfined_t -> pvpgn_exec_t -> pvpgn_t. I don't want to have that many transitions from the unconfined user, since this would tend to surprise the user. We tell the user SELinux will not block unconfined users, and then they run one app and suddenly it is confined.
One transition that does exist for the unconfined user is over init scripts.
unconfined_t -> initrc_exec_t -> initrc_t
All scripts in /etc/init.d/ are defined with an initscript context (initrc_exec_t) and allow this transition.
So an unconfined user executing service pvpgn restart would execute the init script, and the init script would finally start pvpgn running in the correct context.
unconfined_t -> initrc_exec_t -> initrc_t -> pvpgn_exec_t -> pvpgn_t
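The three chains Dan lays out, in runnable form. This is an added example, not part of the thread and not the reference policy or libselinux: a small model of how the domain of a process is decided on exec. The rule table and allow set below are constructed to mirror what init_daemon_domain(pvpgn_t, pvpgn_exec_t) and the initrc transition provide; the real policy is compiled and enforced by the kernel, not by this code. The point it adds to the prose is that a type_transition rule only names the new domain: the exec is still refused unless the caller may execute the file, the new domain has entrypoint on the file, and the caller may transition to the new domain, which is why Fred's require block lists execute, entrypoint and transition. With no rule the process keeps its domain and needs execute_no_trans instead.

```python
# Constructed type_transition rules: (source domain, entrypoint type) -> new domain.
TRANSITIONS = {
    ("initrc_t", "pvpgn_exec_t"): "pvpgn_t",        # init_daemon_domain(pvpgn_t, pvpgn_exec_t)
    ("unconfined_t", "initrc_exec_t"): "initrc_t",  # the init-script transition Dan describes
}

# Constructed allow rules: (source, target, class, permission).
# Only the rules a domain transition needs are listed.
ALLOWS = {
    ("initrc_t", "pvpgn_exec_t", "file", "execute"),
    ("pvpgn_t", "pvpgn_exec_t", "file", "entrypoint"),
    ("initrc_t", "pvpgn_t", "process", "transition"),
    ("unconfined_t", "initrc_exec_t", "file", "execute"),
    ("initrc_t", "initrc_exec_t", "file", "entrypoint"),
    ("unconfined_t", "initrc_t", "process", "transition"),
}


def allowed(src, tgt, cls, perm, allows):
    """Is (src, tgt, cls, perm) permitted? unconfined_t is modelled as
    allowed everything, which is what the name promises the user."""
    if src == "unconfined_t":
        return True
    return (src, tgt, cls, perm) in allows


def exec_domain(current, file_type, rules=TRANSITIONS, allows=ALLOWS):
    """Domain a process in `current` ends up in after exec'ing a file
    labelled `file_type`.

    With a matching type_transition rule the new domain is the rule's
    target, provided execute / entrypoint / transition are all allowed.
    Without a rule the process keeps its domain and needs execute plus
    execute_no_trans on the file. Missing permission raises PermissionError,
    mirroring the EACCES the exec would get under enforcing mode.
    """
    new = rules.get((current, file_type))
    if new is None:
        needed = [(current, file_type, "file", "execute"),
                  (current, file_type, "file", "execute_no_trans")]
        new = current
    else:
        needed = [(current, file_type, "file", "execute"),
                  (new, file_type, "file", "entrypoint"),
                  (current, new, "process", "transition")]
    for check in needed:
        if not allowed(*check, allows=allows):
            raise PermissionError("%s exec %s: missing allow %r" % (current, file_type, check))
    return new


def run_chain(start, exec_types, rules=TRANSITIONS, allows=ALLOWS):
    """Apply a sequence of execs and return every domain visited, start first."""
    path = [start]
    for file_type in exec_types:
        path.append(exec_domain(path[-1], file_type, rules, allows))
    return path


if __name__ == "__main__":
    # bnetd started straight from an unconfined shell: no rule, no confinement
    print(" -> ".join(run_chain("unconfined_t", ["pvpgn_exec_t"])))
    # bnetd started through the init script: two hops, ends in pvpgn_t
    print(" -> ".join(run_chain("unconfined_t", ["initrc_exec_t", "pvpgn_exec_t"])))
```

The same model explains the denial Fred saw: once the init-script path puts bnetd in pvpgn_t, every later access is checked against pvpgn_t's rules, and nothing in the module let that domain search usr_t until libs_use_shared_libs(pvpgn_t) was added.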
Fred Wittekind wrote:
> I'm trying to write a new policy for PvPGN.
> When I try to start the service via the init script I get:
> Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared libraries: libm.so.6: cannot open shared object file: Permission denied [FAILED]
> And:
> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc: denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0 ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403): arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0 a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd" exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
> Policy RPM selinux-policy-3.3.1-84.fc9
> If I run the service from the command line without the init script, it works. I'm sure I'm missing something stupid, just can't figure out what it is. Can't figure out why it works without the initscript, and throws selinux errors when run from the init script.
> Thanks in advance for any help.
> Fred Wittekind IV
Fred, if you use policy_module(pvpgn, 1.0.0) you will get all of the gen_require stuff for free.
> corenet_udp_bind_generic_port(pvpgn_t)
> corenet_tcp_bind_generic_port(pvpgn_t)
You really should define a port and then allow pvpgn bind to the specific port. (Unless pvpgn binds to random ports?)
If this is on Fedora 10 you might want to add
permissive pvpgn_t;
Which will allow the daemon to run in permissive mode while you are testing.
Daniel J Walsh wrote:
> Fred Wittekind wrote:
>> I'm trying to write a new policy for PvPGN.
>> When I try to start the service via the init script I get:
>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared libraries: libm.so.6: cannot open shared object file: Permission denied [FAILED]
>> And:
>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc: denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0 ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
>> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403): arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0 a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd" exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
>> Policy RPM selinux-policy-3.3.1-84.fc9
>> If I run the service from the command line without the init script, it works. I'm sure I'm missing something stupid, just can't figure out what it is. Can't figure out why it works without the initscript, and throws selinux errors when run from the init script.
>> Thanks in advance for any help.
>> Fred Wittekind IV
> Fred, if you use policy_module(pvpgn, 1.0.0) you will get all of the gen_require stuff for free.
Quite helpful, thanks.
>> corenet_udp_bind_generic_port(pvpgn_t)
>> corenet_tcp_bind_generic_port(pvpgn_t)
> You really should define a port and then allow pvpgn to bind to the specific port. (Unless pvpgn binds to random ports?)
Wanted to, but couldn't quite figure out how to define a specific port. Using the source rpm for the policy as a reference, but it appears to use macros for all the ports it needs.
> If this is on Fedora 10 you might want to add
> permissive pvpgn_t;
> which will allow the daemon to run in permissive mode while you are testing.
It's Fedora 9, thanks though.
Fred Wittekind wrote:
> Daniel J Walsh wrote:
>> Fred Wittekind wrote:
>>> I'm trying to write a new policy for PvPGN.
>>> When I try to start the service via the init script I get:
>>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared libraries: libm.so.6: cannot open shared object file: Permission denied [FAILED]
>>> And:
>>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc: denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0 ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
>>> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403): arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0 a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd" exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
>>> Policy RPM selinux-policy-3.3.1-84.fc9
>>> If I run the service from the command line without the init script, it works. I'm sure I'm missing something stupid, just can't figure out what it is. Can't figure out why it works without the initscript, and throws selinux errors when run from the init script.
>>> Thanks in advance for any help.
>>> Fred Wittekind IV
>> Fred, if you use policy_module(pvpgn, 1.0.0) you will get all of the gen_require stuff for free.
> Quite helpful, thanks.
>>> corenet_udp_bind_generic_port(pvpgn_t)
>>> corenet_tcp_bind_generic_port(pvpgn_t)
type pvpgn_port_t;
ports_type(pvpgn_port_t)
allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
allow pvpgn_t pvpgn_port_t:udp_socket name_bind;
Then you need to add the port definition using:
semanage port -a -t pvpgn_port_t -Ptcp PORTNUM
>> You really should define a port and then allow pvpgn to bind to the specific port. (Unless pvpgn binds to random ports?)
> Wanted to, but couldn't quite figure out how to define a specific port. Using the source rpm for the policy as a reference, but it appears to use macros for all the ports it needs.
>> If this is on Fedora 10 you might want to add
>> permissive pvpgn_t;
>> which will allow the daemon to run in permissive mode while you are testing.
> It's Fedora 9, thanks though.
Well, that should show up in Fedora 9 whenever they move to the kernel-2.6.27 kernel.
Daniel J Walsh wrote:
> Fred Wittekind wrote:
>> Daniel J Walsh wrote:
>>> Fred Wittekind wrote:
>>>> I'm trying to write a new policy for PvPGN.
>>>> When I try to start the service via the init script I get:
>>>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared libraries: libm.so.6: cannot open shared object file: Permission denied [FAILED]
>>>> And:
>>>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc: denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0 ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
>>>> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403): arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0 a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd" exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
>>>> Policy RPM selinux-policy-3.3.1-84.fc9
>>>> If I run the service from the command line without the init script, it works. I'm sure I'm missing something stupid, just can't figure out what it is. Can't figure out why it works without the initscript, and throws selinux errors when run from the init script.
>>>> Thanks in advance for any help.
>>>> Fred Wittekind IV
>>> Fred, if you use policy_module(pvpgn, 1.0.0) you will get all of the gen_require stuff for free.
>> Quite helpful, thanks.
>>>> corenet_udp_bind_generic_port(pvpgn_t)
>>>> corenet_tcp_bind_generic_port(pvpgn_t)
> type pvpgn_port_t;
> ports_type(pvpgn_port_t)
> allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
> allow pvpgn_t pvpgn_port_t:udp_socket name_bind;
> Then you need to add the port definition using:
> semanage port -a -t pvpgn_port_t -Ptcp PORTNUM
Assuming this policy file is going to be included in an rpm I'm making for pvpgn, what's best practice for handling adding the port numbers? Add semanage statements for the port numbers to the %post section? Or is there a way to encode the port numbers into the policy file?
>>> You really should define a port and then allow pvpgn to bind to the specific port. (Unless pvpgn binds to random ports?)
>> Wanted to, but couldn't quite figure out how to define a specific port. Using the source rpm for the policy as a reference, but it appears to use macros for all the ports it needs.
>>> If this is on Fedora 10 you might want to add
>>> permissive pvpgn_t;
>>> which will allow the daemon to run in permissive mode while you are testing.
>> It's Fedora 9, thanks though.
> Well, that should show up in Fedora 9 whenever they move to the kernel-2.6.27 kernel.
Fred Wittekind wrote:
> Daniel J Walsh wrote:
>> Fred Wittekind wrote:
>>> Daniel J Walsh wrote:
>>>> Fred Wittekind wrote:
>>>>> I'm trying to write a new policy for PvPGN.
>>>>> When I try to start the service via the init script I get:
>>>>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared libraries: libm.so.6: cannot open shared object file: Permission denied [FAILED]
>>>>> And:
>>>>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc: denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0 ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
>>>>> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403): arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0 a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd" exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
>>>>> Policy RPM selinux-policy-3.3.1-84.fc9
>>>>> If I run the service from the command line without the init script, it works. I'm sure I'm missing something stupid, just can't figure out what it is. Can't figure out why it works without the initscript, and throws selinux errors when run from the init script.
>>>>> Thanks in advance for any help.
>>>>> Fred Wittekind IV
>>>> Fred, if you use policy_module(pvpgn, 1.0.0) you will get all of the gen_require stuff for free.
>>> Quite helpful, thanks.
>>>>> corenet_udp_bind_generic_port(pvpgn_t)
>>>>> corenet_tcp_bind_generic_port(pvpgn_t)
>> type pvpgn_port_t;
>> ports_type(pvpgn_port_t)
>> allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
>> allow pvpgn_t pvpgn_port_t:udp_socket name_bind;
>> Then you need to add the port definition using:
>> semanage port -a -t pvpgn_port_t -Ptcp PORTNUM
> Assuming this policy file is going to be included in an rpm I'm making for pvpgn, what's best practice for handling adding the port numbers? Add semanage statements for the port numbers to the %post section? Or is there a way to encode the port numbers into the policy file?
Yes, I would execute something like the following in your %post:
# semodule -i pvpgn.pp
# restorecon -R -v PGPGNPATHS ...
# semanage port -a -t pvpgn_port_t -Ptcp PORTNUM
You cannot define a port in a module currently.
>>>> You really should define a port and then allow pvpgn to bind to the specific port. (Unless pvpgn binds to random ports?)
>>> Wanted to, but couldn't quite figure out how to define a specific port. Using the source rpm for the policy as a reference, but it appears to use macros for all the ports it needs.
>>>> If this is on Fedora 10 you might want to add
>>>> permissive pvpgn_t;
>>>> which will allow the daemon to run in permissive mode while you are testing.
>>> It's Fedora 9, thanks though.
>> Well, that should show up in Fedora 9 whenever they move to the kernel-2.6.27 kernel.
Your question this morning has triggered me to write a blog entry.
http://danwalsh.livejournal.com/23944.html
Daniel J Walsh wrote:
> Then you need to add the port definition using:
> semanage port -a -t pvpgn_port_t -Ptcp PORTNUM
It would be nice if someone could explain what this actually does, so that I (and others) can figure out what implications it has. E.g. is it persistent? Where is the information stored? Etc, etc.
I'm not very fond of magic. :)
Regards,
Ingemar