Need some help with a new policy module

Daniel J Walsh dwalsh at redhat.com
Thu Sep 11 13:42:54 UTC 2008



Fred Wittekind wrote:
> Daniel J Walsh wrote:
> Fred Wittekind wrote:
>  
>>>> I'm trying to write a new policy for PvPGN.
>>>>
>>>> When I try to start the service via the init script I get:
>>>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared
>>>> libraries: libm.so.6: cannot open shared object file: Permission denied
>>>>                                                           [FAILED]
>>>>
>>>> And:
>>>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
>>>> denied  { search } for  pid=3526 comm="bnetd" name="usr" dev=dm-0
>>>> ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
>>>> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>>>>
>>>> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
>>>> arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
>>>> a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
>>>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
>>>> exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
>>>>
>>>> Policy RPM                    selinux-policy-3.3.1-84.fc9
>>>>
>>>>
>>>> If I run the service from the command line without the init script, it
>>>> works.  I'm sure I'm missing something stupid, just can't figure out
>>>> what it is.  Can't figure out why it works without the initscript, and
>>>> throws selinux errors when run from the init script.
>>>>
>>>> Thanks in advance for any help.
>>>>
>>>> Fred Wittekind IV
>>>>
>>>>
> 
> Fred, if you use policy_module(pvpgn, 1.0.0)
> you will get all of the gen_require stuff for free.
>   
>> Quite helpful, thanks.
> corenet_udp_bind_generic_port(pvpgn_t)
> corenet_tcp_bind_generic_port(pvpgn_t)
> 
type pvpgn_port_t;
ports_type(pvpgn_port_t)

allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
allow pvpgn_t pvpgn_port_t:udp_socket name_bind;

Then you need to add the ports definition using
semanage port -a -t pvpgn_port_t -Ptcp PORTNUM

> You really should define a port and then allow pvpgn bind to the
> specific port.  (Unless pvpgn binds to random ports?)
>   
>> Wanted to, but couldn't quite figure out how to define a specific port. 
>> Using source rpm for policy as a reference, but, it appears to use
>> macros for all the ports it needs.
> If this is on Fedora 10 you might want to add
> 
> permissive pvpgn_t;
> 
> Which will allow the daemon to run in permissive mode while you are
> testing.
>   
>> It's Fedora 9, thanks though.
>>
Well that should show up in Fedora 9 whenever they move to the
kernel-2.6.27 kernel
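A complete pvpgn.te along the lines Dan sketches, as an added example that is not from the thread or the PvPGN project: it declares a dedicated port type and lets the daemon name_bind only to that, and it also grants the shared-library access that the quoted AVC (pvpgn_t denied search on usr_t) shows is missing. pvpgn_exec_t, port 6112, and the refpolicy interface names beyond the two Dan gives are assumptions and should be checked against the policy sources on the target system.

```selinux
policy_module(pvpgn, 1.0.0)

########################################
# Declarations
#

# Daemon domain and entrypoint.  pvpgn_exec_t is an assumed name for the
# label on /usr/sbin/bnetd; the matching pvpgn.fc entry is not shown.
type pvpgn_t;
type pvpgn_exec_t;
init_daemon_domain(pvpgn_t, pvpgn_exec_t)

# A dedicated port type, so the daemon may bind only its own labelled port.
type pvpgn_port_t;
corenet_port(pvpgn_port_t)

########################################
# Local policy
#

# Shared-library access.  The AVC in the thread is pvpgn_t denied search
# on usr_t while ld.so resolves libm.so.6.  Started from an unconfined
# shell the binary stays unconfined_t, so only the init script path
# (initrc_t -> pvpgn_t transition) ever hits that denial.
libs_use_ld_so(pvpgn_t)
libs_use_shared_libs(pvpgn_t)
files_read_usr_files(pvpgn_t)
miscfiles_read_localization(pvpgn_t)
logging_send_syslog_msg(pvpgn_t)

# Sockets: create them, bind the node, then name_bind only pvpgn_port_t
# rather than corenet_*_bind_generic_port, which would permit binding any
# port still carrying the generic port_t label.
allow pvpgn_t self:tcp_socket create_stream_socket_perms;
allow pvpgn_t self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled(pvpgn_t)
corenet_tcp_sendrecv_generic_if(pvpgn_t)
corenet_udp_sendrecv_generic_if(pvpgn_t)
corenet_tcp_bind_generic_node(pvpgn_t)
corenet_udp_bind_generic_node(pvpgn_t)
allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
allow pvpgn_t pvpgn_port_t:udp_socket name_bind;

# Build and load:  make -f /usr/share/selinux/devel/Makefile pvpgn.pp
#                  semodule -i pvpgn.pp
# Then label the port (6112, PvPGN's default Battle.net port, is assumed):
#   semanage port -a -t pvpgn_port_t -p tcp 6112
#   semanage port -a -t pvpgn_port_t -p udp 6112
# Verify:  semanage port -l | grep pvpgn_port_t
```

Until the semanage step is done the port keeps its generic label and the name_bind will still be denied, which is the expected failure mode of a dedicated port type.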