Need some help with a new policy module

Daniel J Walsh dwalsh at redhat.com
Thu Sep 11 12:57:34 UTC 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fred Wittekind wrote:
> I'm trying to write a new policy for PvPGN.
> 
> When I try to start the service via the init script I get:
> Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared
> libraries: libm.so.6: cannot open shared object file: Permission denied
>                                                           [FAILED]
> 
> And:
> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc: 
> denied  { search } for  pid=3526 comm="bnetd" name="usr" dev=dm-0
> ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
> 
> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
> arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
> a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
> exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
> 
> Policy RPM                    selinux-policy-3.3.1-84.fc9
> 
> 
> If I run the service from the command line without the init script, it
> works.  I'm sure I'm missing something stuipid, just can't figure out
> what it is.  Can't figure out why it works without the initscript, and
> throws selinux errors when run from the init script.
> 
> Thanks in advance for any help.
> 
> Fred Wittekind IV
> 
> 
> ------------------------------------------------------------------------
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Fred if you use policy_module(pvpgn, 1.0.0)

You will get all of the gen_require stuff for free.

corenet_udp_bind_generic_port(pvpgn_t)
corenet_tcp_bind_generic_port(pvpgn_t)

You really should define a port and then allow pvpgn bind to the
specific port.  (Unless pvpgn binds to random ports?)

If this is on Fedora 10 you might want to add

permissive pvpgn_t;

Which will allow the daemon to run in permissive mode while you are testing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjJFb4ACgkQrlYvE4MpobP73gCdF0SzLu6vwQKvlxlzZpisGmcp
uS0An3qN7yVmjTrhtaKxytQKICcP9oQQ
=dg/y
-----END PGP SIGNATURE-----

More information about the selinux mailing list