Problem with aiccu and radvd in /etc/NetworkManager/dispatcher.d/*

Dominick Grift domg472 at gmail.com
Thu Jun 10 17:36:59 UTC 2010


On Thu, Jun 10, 2010 at 05:23:01PM +0200, Laurent Rineau wrote:
> Hi Dominick. Thanks for your answer. I have followed your recommendations (see 
> below).
> 
> On Wednesday 09 June 2010 17:58:58 Dominick Grift wrote:
> > let's create a policy patch:
> > 
> > echo "policy_module(myaiccu, 1.0.0)" > myaiccu.te;
> > echo "require { type aiccu_t; }" >> myaiccu.te;
> > echo "sysnet_domtrans_ifconfig(aiccu_t)" >> myaiccu.te;
> > echo "modutils_domtrans_insmod_uncond(aiccu_t)" >> myaiccu.te;
> > echo "corecmd_exec_shell(aiccu_t)" >> myaiccu.te;
> > 
> > see if it builds:
> > 
> > make -f /usr/share/selinux/devel/Makefile myaiccu.pp
> > 
> > Install it:
> > 
> > sudo semodule -i myaiccu.pp
> 
> I have created myaiccu.te with:
> 
>   policy_module(myaiccu, 1.0.0)
>   require { type aiccu_t; }
>   sysnet_domtrans_ifconfig(aiccu_t)
>   modutils_domtrans_insmod_uncond(aiccu_t)
>   corecmd_exec_shell(aiccu_t)
> 
> and typed:
>   sudo setenforce 0
>   sudo semodule -d local
>   sudo semodule -i myaiccu.pp
> then I have disabled and reenabled the network.
> 
> I have had three AVCs (attached full log), and audit2allow now only says:
> 
>   #============= aiccu_t ==============
>   allow aiccu_t proc_t:file { read getattr open };
> 
> 
> 
> I have retried with a new myaiccu.te:
> 
>   policy_module(myaiccu, 1.0.1)
>   require { type aiccu_t;
>             type proc_t;
>             class file { read getattr open };
>   }
>   sysnet_domtrans_ifconfig(aiccu_t)
>   modutils_domtrans_insmod_uncond(aiccu_t)
>   corecmd_exec_shell(aiccu_t)
>   allow aiccu_t proc_t:file { read getattr open };
> 
> and:
>   sudo semodule -u myaiccu.pp
> and then the disable/enable of the network gives no AVC.
> 
> I hope that can help you fix the aiccu module.
Hello,

Great, thanks. If you want, you can report the fix for this issue yourself to Fedora's bugzilla in the selinux-policy component. You would mention the following:

sysnet_domtrans_ifconfig(aiccu_t)
modutils_domtrans_insmod(aiccu_t)
corecmd_exec_shell(aiccu_t)
kernel_read_system_state(aiccu_t)

And enclose the AVC denials that you've been seeing.

Thanks in advance.



> -- 
> Laurent Rineau
> http://fedoraproject.org/wiki/LaurentRineau

> ----
> time->Thu Jun 10 17:12:20 2010
> type=SYSCALL msg=audit(1276182740.754:592): arch=c000003e syscall=2 success=yes exit=3 a0=3786942300 a1=0 a2=1b6 a3=2 items=0 ppid=7234 pid=7422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:aiccu_t:s0 key=(null)
> type=AVC msg=audit(1276182740.754:592): avc:  denied  { open } for  pid=7422 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=AVC msg=audit(1276182740.754:592): avc:  denied  { read } for  pid=7422 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> ----
> time->Thu Jun 10 17:12:20 2010
> type=SYSCALL msg=audit(1276182740.754:593): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff68dd8580 a2=7fff68dd8580 a3=2 items=0 ppid=7234 pid=7422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:aiccu_t:s0 key=(null)
> type=AVC msg=audit(1276182740.754:593): avc:  denied  { getattr } for  pid=7422 comm="sh" path="/proc/meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
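As an added example (not code from either poster), the script below aggregates the three quoted AVC denials per source type, target type and object class, and emits a refpolicy interface call where a small lookup table knows one (proc_t:file maps to kernel_read_system_state, as recommended above) and a raw allow rule otherwise. The INTERFACES table is a hypothetical, hand-maintained mapping, not data taken from refpolicy.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC lines quoted in the thread.
SAMPLE_AVCS = """\
type=AVC msg=audit(1276182740.754:592): avc:  denied  { open } for  pid=7422 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1276182740.754:592): avc:  denied  { read } for  pid=7422 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1276182740.754:593): avc:  denied  { getattr } for  pid=7422 comm="sh" path="/proc/meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
"""

# Pull permissions, source type, target type and class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ '
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+ '
    r'tclass=(?P<tclass>\w+)'
)

# Hypothetical (target type, class) -> interface table; extend as needed.
INTERFACES = {
    ("proc_t", "file"): "kernel_read_system_state",
}


def parse_avcs(text):
    """Aggregate denied permissions per (source type, target type, class)."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m["stype"], m["ttype"], m["tclass"])
            denials[key].update(m["perms"].split())
    return denials


def suggest_rules(denials):
    """Prefer an interface call over a raw allow rule when one is known."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        iface = INTERFACES.get((ttype, tclass))
        if iface:
            rules.append(f"{iface}({stype})")
        else:
            perm_list = " ".join(sorted(perms))
            rules.append(f"allow {stype} {ttype}:{tclass} {{ {perm_list} }};")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(parse_avcs(SAMPLE_AVCS)):
        print(rule)
```

The raw allow branch is the fallback for denials the table does not cover; those are the ones to look up in the interface documentation before adding to the module.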
