Need some help with a new policy module

Daniel J Walsh dwalsh at redhat.com
Thu Sep 11 13:54:35 UTC 2008



Fred Wittekind wrote:
> Paul Howarth wrote:
>> On Wed, 10 Sep 2008 19:47:22 -0400
>> Fred Wittekind <rom at twister.dyndns.org> wrote:
>>
>>  
>>> I'm trying to write a new policy for PvPGN.
>>>
>>> When I try to start the service via the init script I get:
>>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading
>>> shared libraries: libm.so.6: cannot open shared object file:
>>> Permission denied [FAILED]
>>>
>>> And:
>>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc: 
>>> denied  { search } for  pid=3526 comm="bnetd" name="usr" dev=dm-0
>>> ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
>>> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>>>
>>> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
>>> arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
>>> a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
>>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
>>> exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
>>>     
>>
>> Add to your policy:
>>
>> libs_use_shared_libs(pvpgn_t)
>>   
> Thanks, that got me pointed in the right direction, I was sure there was
> a simple way to do it, I just wasn't seeing it.
>>  
>>> Policy RPM                    selinux-policy-3.3.1-84.fc9
>>>
>>>
>>> If I run the service from the command line without the init script,
>>> it works.  I'm sure I'm missing something stupid, just can't figure
>>> out what it is.  Can't figure out why it works without the
>>> initscript, and throws selinux errors when run from the init script.
>>>     
>>
>> When you run the service directly from the command line, it doesn't
>> transition to pvpgn_t, running unconfined instead, hence no SELinux
>> issues.
>>   
> That explains it.  Just because I like to know how things work, what
> makes the initscript different?  Is it something in the policy, or
> something in the functions file?
>> Paul.
>>
>>   
> 


The interface

init_daemon_domain(pvpgn_t, pvpgn_exec_t)

Defines a transition rule that says

Init Scripts executing apps labeled pvpgn_exec_t should transition to
pvpgn_t.

initrc_t             -> pvpgn_exec_t -> pvpgn_t

If an unconfined_t user executes these same applications it will stay in
the context of the user account, since there is no transition defined
for unconfined_t -> pvpgn_exec_t -> pvpgn_t.  I don't want to have that
many transitions from the unconfined user, since this would tend to
surprise the user.  We tell the user SELinux will not block unconfined
users and then they run one app and suddenly it is confined.

The one transition that exists for the unconfined user is over init scripts.

unconfined_t -> initrc_exec_t -> initrc_t

All scripts in /etc/init.d/ are defined with an initscript context
(initrc_exec_t) and allow this transition.

So an unconfined user executing system pvpgn restart would execute the
init script and the init script would finally start pvpgn running in the
correct context.

unconfined_t -> initrc_exec_t -> initrc_t -> pvpgn_exec_t -> pvpgn_t
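A minimal pvpgn.te that puts the pieces from this thread together, added here as an example rather than code from the thread or the PvPGN project. The interface names are refpolicy ones of the Fedora 9 era; the two baseline rules at the end are assumptions, not something the thread asked for.

```selinux
policy_module(pvpgn, 1.0.0)

########################################
#
# Declarations
#

# Domain for the running daemon and type for its executable.
type pvpgn_t;
type pvpgn_exec_t;

# Installs the init-script transition Dan describes:
#   initrc_t -> pvpgn_exec_t -> pvpgn_t
# A shell in unconfined_t executing /usr/sbin/bnetd gets no such
# rule, so run by hand the daemon keeps running unconfined.
init_daemon_domain(pvpgn_t, pvpgn_exec_t)

# Matching label, kept in a separate pvpgn.fc file:
#   /usr/sbin/bnetd  --  gen_context(system_u:object_r:pvpgn_exec_t,s0)

########################################
#
# pvpgn local policy
#

# Fixes the { search } denial on usr_t quoted above: the interface
# grants search on /usr and read/map access to lib_t, which is what
# the dynamic loader needs to open libm.so.6.
libs_use_ld_so(pvpgn_t)
libs_use_shared_libs(pvpgn_t)

# Typical daemon baseline (assumed; not taken from the thread).
files_read_etc_files(pvpgn_t)
miscfiles_read_localization(pvpgn_t)
```

Build and load with `make -f /usr/share/selinux/devel/Makefile pvpgn.pp && semodule -i pvpgn.pp`, then `restorecon -v /usr/sbin/bnetd` so the binary actually carries pvpgn_exec_t. `sesearch -T -s initrc_t -t pvpgn_exec_t` then shows the resulting type_transition rule, and the same query with `-s unconfined_t` shows none.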