Need some help with a new policy module

Fred Wittekind rom at twister.dyndns.org
Thu Sep 11 13:57:15 UTC 2008


Daniel J Walsh wrote:
>
> Fred Wittekind wrote:
>> Daniel J Walsh wrote:
>> Fred Wittekind wrote:
>>>>> I'm trying to write a new policy for PvPGN.
>>>>>
>>>>> When I try to start the service via the init script I get:
>>>>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared
>>>>> libraries: libm.so.6: cannot open shared object file: Permission denied
>>>>>                                                           [FAILED]
>>>>>
>>>>> And:
>>>>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
>>>>> denied  { search } for  pid=3526 comm="bnetd" name="usr" dev=dm-0
>>>>> ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
>>>>> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>>>>>
>>>>> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
>>>>> arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
>>>>> a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
>>>>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
>>>>> exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
>>>>>
>>>>> Policy RPM                    selinux-policy-3.3.1-84.fc9
>>>>>
>>>>>
>>>>> If I run the service from the command line without the init script, it
>>>>> works.  I'm sure I'm missing something stupid, just can't figure out
>>>>> what it is.  Can't figure out why it works without the initscript, and
>>>>> throws selinux errors when run from the init script.
>>>>>
>>>>> Thanks in advance for any help.
>>>>>
>>>>> Fred Wittekind IV
>>>>>
>> Fred, if you use policy_module(pvpgn, 1.0.0)
>> you will get all of the gen_require stuff for free.
>>> Quite helpful, thanks.
>> corenet_udp_bind_generic_port(pvpgn_t)
>> corenet_tcp_bind_generic_port(pvpgn_t)
>>
> type pvpgn_port_t;
> ports_type(pvpgn_port_t)
>
> allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
> allow pvpgn_t pvpgn_port_t:udp_socket name_bind;
>
> Then you need to add the ports definition using
> semanage port -a -t pvpgn_port_t -p tcp PORTNUM
Assuming this policy file is going to be included in an RPM I'm making 
for pvpgn, what's the best practice for handling adding the port numbers?  
Add semanage statements for the port numbers to the %post section?  Or 
is there a way to encode the port numbers into the policy file?
>> You really should define a port and then allow pvpgn bind to the
>> specific port.  (Unless pvpgn binds to random ports?)
>>> Wanted to, but couldn't quite figure out how to define a specific port. 
>>> Using source rpm for policy as a reference, but, it appears to use
>>> macros for all the ports it needs.
>> If this is on Fedora 10 you might want to add
>>
>> permissive pvpgn_t;
>>
>> Which will allow the daemon to run in permissive mode while you are
>> testing.
>>> It's Fedora 9, thanks though.
>>>
> Well, that should show up in Fedora 9 whenever they move to the
> kernel-2.6.27 kernel.
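A module along the lines Dan describes, as an added example that is not from this thread or from the PvPGN project: a dedicated port type, name_bind limited to that type, and the loader/library access behind the usr_t denial quoted above. The interface names are assumed to match the reference policy Fedora 9 shipped (selinux-policy-3.3.1), and pvpgn_exec_t and pvpgn_var_run_t are assumed names.

```selinux
policy_module(pvpgn, 1.0.0)

# Declarations
type pvpgn_t;
type pvpgn_exec_t;
# Entering pvpgn_t happens only on this transition from the init script's
# domain (initrc_t). Started by hand from an unconfined root shell, bnetd
# normally stays in unconfined_t, which is why no denials appear then.
init_daemon_domain(pvpgn_t, pvpgn_exec_t)

# Dedicated port type; the port number itself is assigned outside the module:
#   semanage port -a -t pvpgn_port_t -p tcp PORTNUM   (and again for udp)
type pvpgn_port_t;
corenet_port(pvpgn_port_t)

type pvpgn_var_run_t;
files_pid_file(pvpgn_var_run_t)

# Local policy

# Loader and shared libraries. The AVC in the thread (search on usr_t while
# loading libm.so.6) is the kind of denial these interfaces cover.
libs_use_ld_so(pvpgn_t)
libs_use_shared_libs(pvpgn_t)
files_read_usr_files(pvpgn_t)

# Sockets: bind only to the pvpgn port type, not to any generic port.
allow pvpgn_t self:tcp_socket create_stream_socket_perms;
allow pvpgn_t self:udp_socket create_socket_perms;
corenet_tcp_bind_generic_node(pvpgn_t)
corenet_udp_bind_generic_node(pvpgn_t)
corenet_tcp_sendrecv_generic_if(pvpgn_t)
corenet_udp_sendrecv_generic_if(pvpgn_t)
allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
allow pvpgn_t pvpgn_port_t:udp_socket name_bind;

# PID file under /var/run
manage_files_pattern(pvpgn_t, pvpgn_var_run_t, pvpgn_var_run_t)
files_pid_filetrans(pvpgn_t, pvpgn_var_run_t, file)

logging_send_syslog_msg(pvpgn_t)
miscfiles_read_localization(pvpgn_t)

# pvpgn.fc must label the daemon so the transition above applies:
#   /usr/sbin/bnetd  --  gen_context(system_u:object_r:pvpgn_exec_t,s0)
```

Build it with the Makefile in /usr/share/selinux/devel, load it with semodule -i pvpgn.pp, and then run the semanage port -a command Dan gives for each port number, since the module only declares the port type.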