Monitoring disk storage labeled with svirt_image_t

Gabriele Pohl gp at dipohl.com
Fri Nov 15 16:09:10 UTC 2013


Quoting Dominick Grift :
> On Fri, 2013-11-15 at 16:09 +0100, Gabriele Pohl wrote:
>> When I use audit2allow a second time (grep on a fresh rotated audit.log file)
>> I get this:
>> #!!!! This avc is a constraint violation.  You will need to add an
>> attribute to either the source or target type to make it work.
>> #Contraint rule:
>> allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
>>
>> --------------------------------
>>
>> How can I solve the issue?
>
> See if this additional module does the trick:
>
> cat >> mytest.te <<EOF
> policy_module(mytest, 1.0.0)
> gen_require(\` type munin_disk_plugin_t; ')
> mcs_file_read_all(munin_disk_plugin_t)
> EOF
>
> make -f /usr/share/selinux/devel/Makefile mytest.pp
> sudo semodule -i mytest.pp

Thanks for your support!

I tried it:

# cat diskstats-grift-pol.te
policy_module(diskstats-grift, 1.0.0)
gen_require(\` type munin_disk_plugin_t; ')
mcs_file_read_all(munin_disk_plugin_t)

# make -f /usr/share/selinux/devel/Makefile diskstats-grift-pol.pp
Compiling targeted diskstats-grift-pol module
/usr/bin/checkmodule:  loading policy configuration from tmp/diskstats-grift-pol.tmp
diskstats-grift-pol.te":2:WARNING 'unrecognized character' at token '\' on line 3217:
#line 2
			\ type munin_disk_plugin_t;
diskstats-grift-pol.te":2:WARNING 'unrecognized character' at token '\' on line 3217:
#line 2
			\ type munin_disk_plugin_t;
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/diskstats-grift-pol.mod
Creating targeted diskstats-grift-pol.pp policy package
rm tmp/diskstats-grift-pol.mod tmp/diskstats-grift-pol.mod.fc

I have a new module diskstats-grift-pol.pp now,
but didn't apply it yet because of the warnings.

OK to apply, or do you have a recipe to avoid the warnings?

Gabriele
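
Where the '\' in the warnings above comes from, as an added example that is not part of the original message or of the SELinux tooling: in the quoted reply the backslash only escapes the backtick for the shell's unquoted heredoc, so a .te file typed or pasted directly keeps it and checkmodule sees a stray character. The helper function names are hypothetical; the module name mytest is taken from the quoted reply.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample policy text is from the thread.

# Unquoted heredoc, as in the quoted reply: the shell turns \` into a bare
# backtick (the m4 open-quote), so the file on disk has no backslash.
write_te_unquoted() {
cat > "$1" <<EOF
policy_module(mytest, 1.0.0)
gen_require(\` type munin_disk_plugin_t; ')
mcs_file_read_all(munin_disk_plugin_t)
EOF
}

# Quoted heredoc: nothing is expanded, so the backtick is written bare.
# This is also what the file must look like when created in an editor.
write_te_quoted() {
cat > "$1" <<'EOF'
policy_module(mytest, 1.0.0)
gen_require(` type munin_disk_plugin_t; ')
mcs_file_read_all(munin_disk_plugin_t)
EOF
}

# Constructed reproduction of the file shown in the message: the escaped
# form copied literally, so the backslash reaches m4 and checkmodule.
write_te_pasted() {
cat > "$1" <<'EOF'
policy_module(mytest, 1.0.0)
gen_require(\` type munin_disk_plugin_t; ')
mcs_file_read_all(munin_disk_plugin_t)
EOF
}

# Succeeds (returns 0) if a backslash sits directly before a backtick.
has_stray_backslash() {
    grep -qF '\`' "$1"
}

# Stand-alone demonstration in a scratch directory.
demo_dir=$(mktemp -d)
write_te_unquoted "$demo_dir/unquoted.te"
write_te_quoted   "$demo_dir/quoted.te"
write_te_pasted   "$demo_dir/pasted.te"
for f in unquoted quoted pasted; do
    if has_stray_backslash "$demo_dir/$f.te"; then
        echo "$f.te: stray backslash before backtick"
    else
        echo "$f.te: clean"
    fi
done
rm -rf "$demo_dir"
```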
