09-10-2008, 11:47 PM
Fred Wittekind
Need some help with a new policy module

I'm trying to write a new policy for PvPGN.

When I try to start the service via the init script I get:
Starting PvPGN game server: /usr/sbin/bnetd: error while loading shared
libraries: libm.so.6: cannot open shared object file: Permission denied

[FAILED]

And:
host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0
ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=dir

host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)


Policy RPM selinux-policy-3.3.1-84.fc9


If I run the service from the command line without the init script, it
works. I'm sure I'm missing something stupid, just can't figure out
what it is. Can't figure out why it works without the initscript, and
throws selinux errors when run from the init script.


Thanks in advance for any help.

Fred Wittekind IV
# pvpgn.fc (file contexts)
# config
/etc/pvpgn -d gen_context(system_u:object_r:pvpgn_etc_t,s0)
/etc/pvpgn/.* -- gen_context(system_u:object_r:pvpgn_etc_t,s0)
/usr/bin/bnbot -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bncdb -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnchat -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnftp -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bni2tga -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnibuild -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bniextract -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnilist -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnpass -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/bnstat -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/bin/tgainfo -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/sbin/bnetd -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/sbin/bntrackd -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/sbin/d2cs -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/usr/sbin/d2dbs -- gen_context(system_u:object_r:pvpgn_exec_t,s0)
/var/lib/pvpgn -d gen_context(system_u:object_r:pvpgn_var_lib_t,s0)
/var/lib/pvpgn/.* gen_context(system_u:object_r:pvpgn_var_lib_t,s0)
/var/log/pvpgn -d gen_context(system_u:object_r:pvpgn_log_t,s0)
/var/log/pvpgn/.* -- gen_context(system_u:object_r:pvpgn_log_t,s0)
/var/run/pvpgn -d gen_context(system_u:object_r:pvpgn_var_run_t,s0)
/var/run/pvpgn/.* -- gen_context(system_u:object_r:pvpgn_var_run_t,s0)
# pvpgn.te (type enforcement)
module pvpgn 1.0.0;

require {
class fd use;
class process { fork signal_perms transition noatsecure siginh rlimitinh };
class fifo_file { read write getattr lock ioctl append };
class filesystem { getattr };
class dir { manage_dir_perms relabelfrom };
class file { manage_file_perms execute execute_no_trans entrypoint execmod };
class chr_file { manage_file_perms };
class lnk_file { read getattr lock ioctl };
class unix_stream_socket { create_stream_socket_perms connectto };
class sock_file { rw_file_perms };
class netif { packet_perms };
attribute port_type;
class tcp_socket { create_stream_socket_perms recv_msg send_msg node_bind name_bind name_connect recvfrom };
class udp_socket { create_stream_socket_perms recv_msg send_msg node_bind name_bind recvfrom };
class node { packet_perms };
class rawip_socket { recvfrom };
class association { sendto recvfrom };
class packet { send recv };
class capability { setgid setuid };
}

type pvpgn_t;
type pvpgn_exec_t;
domain_type(pvpgn_t)
init_daemon_domain(pvpgn_t, pvpgn_exec_t)

type pvpgn_etc_t;
files_type(pvpgn_etc_t)

type pvpgn_var_run_t;
files_type(pvpgn_var_run_t)
files_pid_file(pvpgn_var_run_t)
files_pid_filetrans(pvpgn_t,pvpgn_var_run_t,file)

type pvpgn_var_lib_t;
files_type(pvpgn_var_lib_t)
manage_dirs_pattern(pvpgn_t, pvpgn_var_lib_t, pvpgn_var_lib_t)
manage_files_pattern(pvpgn_t, pvpgn_var_lib_t, pvpgn_var_lib_t)
files_var_lib_filetrans(pvpgn_t,pvpgn_var_lib_t,file)

type pvpgn_log_t;
files_type(pvpgn_log_t)
logging_log_filetrans(pvpgn_t, pvpgn_log_t, { file dir })

# Database connections
mysql_stream_connect(pvpgn_t)
postgresql_stream_connect(pvpgn_t)

#
allow pvpgn_t self:capability { setgid setuid };
allow pvpgn_t self:process { fork signal_perms };

# Network
corenet_tcp_sendrecv_generic_if(pvpgn_t)
corenet_udp_sendrecv_generic_if(pvpgn_t)
corenet_udp_bind_generic_port(pvpgn_t)
corenet_tcp_bind_generic_port(pvpgn_t)
corenet_tcp_sendrecv_all_nodes(pvpgn_t)
corenet_udp_sendrecv_all_nodes(pvpgn_t)
corenet_all_recvfrom_unlabeled(pvpgn_t)
corenet_all_recvfrom_netlabel(pvpgn_t)
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
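The denial quoted above, worked through as an added example (my script, not code from the thread): a POSIX shell function that reduces audit AVC records to the raw allow rules they are asking for, which is what audit2allow does in miniature. The sample records are constructed from the ones in the post, with the contexts restored to their real form (the forum software turned the ":p" of "system_r:pvpgn_t" into an emoticon and dropped it); the second AVC line is an assumed follow-on denial on lib_t that Fred did not report. The raw rule is only the starting point for a policy: the thread's answer is the reference-policy interface that covers these denials (libs_use_shared_libs), and audit2allow -R is the tool that performs that interface lookup.

```shell
#!/bin/sh
# Added example, not code from the thread: reduce audit AVC records to the
# raw allow rules they ask for (audit2allow in miniature; audit2allow -R
# additionally maps each rule to a reference-policy interface).

# avc_to_allow: read audit records on stdin, print one allow rule per
# AVC denial. SYSCALL and other record types are ignored.
#   in : type=AVC ... avc: denied { search } for ... scontext=U:R:pvpgn_t:s0 tcontext=U:R:usr_t:s0 tclass=dir
#   out: allow pvpgn_t usr_t:dir { search };
avc_to_allow() {
    awk '
    # kv(rec, key): value of "key=value" in the record, "" if absent
    function kv(rec, key) {
        if (match(rec, key "=[^ ]*"))
            return substr(rec, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        return ""
    }
    # type_of(ctx): third field of user:role:type[:range]
    function type_of(ctx,    a) { split(ctx, a, ":"); return a[3] }
    /type=AVC / && /avc: *denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)   # keep the text after "denied {"
        sub(/ *[}].*/, "", perms)           # drop everything from "}" on
        printf "allow %s %s:%s { %s };\n",
            type_of(kv($0, "scontext")), type_of(kv($0, "tcontext")),
            kv($0, "tclass"), perms
    }'
}

# Constructed sample in the format of the thread's records; the contexts are
# the intact "system_r:pvpgn_t" / "system_u:object_r" forms. The SYSCALL line
# is the companion record and is skipped; the lib_t denial is an assumed
# follow-on, not one reported in the thread.
SAMPLE_AUDIT='type=AVC msg=audit(1221090145.148:30403): avc:  denied  { search } for  pid=3526 comm="bnetd" name="usr" dev=dm-0 ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1221090145.148:30403): arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0 a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd" exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
type=AVC msg=audit(1221090145.149:30404): avc:  denied  { read open } for  pid=3526 comm="bnetd" name="libm-2.8.so" dev=dm-0 ino=3285120 scontext=unconfined_u:system_r:pvpgn_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file'

# Repeated denials collapse under sort -u; the same pipeline works on
# `ausearch -m avc -ts recent` output or on /var/log/audit/audit.log.
printf '%s\n' "$SAMPLE_AUDIT" | avc_to_allow | sort -u
```

The exit=-13 in the SYSCALL record is EACCES, which is why the loader reports "Permission denied" rather than "No such file". Once the interface is in the module, recompile and check that the denial no longer appears before moving on to the next one; a daemon that fails at dynamic-link time never reaches the code paths that generate the rest of its denials.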
 
09-11-2008, 06:09 AM
Paul Howarth
Need some help with a new policy module

On Wed, 10 Sep 2008 19:47:22 -0400
Fred Wittekind <rom@twister.dyndns.org> wrote:

> I'm trying to write a new policy for PvPGN.
>
> When I try to start the service via the init script I get:
> Starting PvPGN game server: /usr/sbin/bnetd: error while loading
> shared libraries: libm.so.6: cannot open shared object file:
> Permission denied [FAILED]
>
> And:
> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
> denied { search } for pid=3526 comm="bnetd" name="usr" dev=dm-0
> ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>
> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
> arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
> a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
> exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)

Add to your policy:

libs_use_shared_libs(pvpgn_t)

> Policy RPM selinux-policy-3.3.1-84.fc9
>
>
> If I run the service from the command line without the init script,
> it works. I'm sure I'm missing something stupid, just can't figure
> out what it is. Can't figure out why it works without the
> initscript, and throws selinux errors when run from the init script.

When you run the service directly from the command line, it doesn't
transition to pvpgn_t, running unconfined instead, hence no SELinux
issues.

Paul.

 
09-11-2008, 12:57 PM
Daniel J Walsh
Need some help with a new policy module


Fred Wittekind wrote:
> I'm trying to write a new policy for PvPGN.
> [...]

Fred if you use policy_module(pvpgn, 1.0.0)

You will get all of the gen_require stuff for free.

corenet_udp_bind_generic_port(pvpgn_t)
corenet_tcp_bind_generic_port(pvpgn_t)

You really should define a port and then allow pvpgn bind to the
specific port. (Unless pvpgn binds to random ports?)

If this is on Fedora 10 you might want to add

permissive pvpgn_t;

Which will allow the daemon to run in permissive mode while you are testing.
 
09-11-2008, 01:06 PM
Fred Wittekind
Need some help with a new policy module

Paul Howarth wrote:
> On Wed, 10 Sep 2008 19:47:22 -0400
> Fred Wittekind <rom@twister.dyndns.org> wrote:
>> [...]
>
> Add to your policy:
>
> libs_use_shared_libs(pvpgn_t)

Thanks, that got me pointed in the right direction, I was sure there was
a simple way to do it, I just wasn't seeing it.

> When you run the service directly from the command line, it doesn't
> transition to pvpgn_t, running unconfined instead, hence no SELinux
> issues.

That explains it. Just because I like to know how things work, what
makes the initscript different? Is it something in the policy, or
something in the functions file?




 
09-11-2008, 01:17 PM
Fred Wittekind
Need some help with a new policy module

Daniel J Walsh wrote:
> Fred Wittekind wrote:
>> [...]
>
> Fred if you use policy_module(pvpgn, 1.0.0)
> You will get all of the gen_require stuff for free.

Quite helpful, thanks.

> corenet_udp_bind_generic_port(pvpgn_t)
> corenet_tcp_bind_generic_port(pvpgn_t)
>
> You really should define a port and then allow pvpgn bind to the
> specific port. (Unless pvpgn binds to random ports?)

Wanted to, but couldn't quite figure out how to define a specific port.
Using source rpm for policy as a reference, but, it appears to use
macros for all the ports it needs.

> If this is on Fedora 10 you might want to add
>
> permissive pvpgn_t;
>
> Which will allow the daemon to run in permissive mode while you are testing.

It's Fedora 9, thanks though.




 
09-11-2008, 01:42 PM
Daniel J Walsh
Need some help with a new policy module


Fred Wittekind wrote:
> Daniel J Walsh wrote:
>> Fred Wittekind wrote:
>>> [...]
>>
>> Fred if you use policy_module(pvpgn, 1.0.0)
>> You will get all of the gen_require stuff for free.
>
> Quite helpful, thanks.
>
>> corenet_udp_bind_generic_port(pvpgn_t)
>> corenet_tcp_bind_generic_port(pvpgn_t)

type pvpgn_port_t;
ports_type(pvpgn_port_t)

allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
allow pvpgn_t pvpgn_port_t:udp_socket name_bind;

Then you need to add the ports definition using
semanage port -a -t pvpgn_port_t -Ptcp PORTNUM

>> You really should define a port and then allow pvpgn bind to the
>> specific port. (Unless pvpgn binds to random ports?)
>
> Wanted to, but couldn't quite figure out how to define a specific port.
> Using source rpm for policy as a reference, but, it appears to use
> macros for all the ports it needs.
>
>> If this is on Fedora 10 you might want to add
>>
>> permissive pvpgn_t;
>>
>> Which will allow the daemon to run in permissive mode while you are
>> testing.
>
> It's Fedora 9, thanks though.

Well that should show up in Fedora 9 whenever they move to the
kernel-2.6.27 kernel
 
09-11-2008, 01:54 PM
Daniel J Walsh
Need some help with a new policy module


Fred Wittekind wrote:
> Paul Howarth wrote:
>> On Wed, 10 Sep 2008 19:47:22 -0400
>> Fred Wittekind <rom@twister.dyndns.org> wrote:
>>> [...]
>>> If I run the service from the command line without the init script,
>>> it works. I'm sure I'm missing something stupid, just can't figure
>>> out what it is. Can't figure out why it works without the
>>> initscript, and throws selinux errors when run from the init script.
>>
>> When you run the service directly from the command line, it doesn't
>> transition to pvpgn_t, running unconfined instead, hence no SELinux
>> issues.
>
> That explains it. Just because I like to know how things work, what
> makes the initscript different? Is it something in the policy, or
> something in the functions file?

The interface

init_daemon_domain(pvpgn_t, pvpgn_exec_t)

Defines a transition rule that says

Init scripts executing apps labeled pvpgn_exec_t should transition to
pvpgn_t.

initrc_t -> pvpgn_exec_t -> pvpgn_t

If an unconfined_t user executes these same applications it will stay in
the context of the user account, since there is no transition defined
for unconfined_t -> pvpgn_exec_t -> pvpgn_t. I don't want to have that
many transitions from the unconfined user, since this would tend to
surprise the user. We tell the user SELinux will not block unconfined
users and then they run one app and suddenly it is confined.

One transition that does exist for the unconfined user is over init scripts.

unconfined_t -> initrc_exec_t -> initrc_t

All scripts in /etc/init.d/ are defined with an initscript context
(initrc_exec_t) and allow this transition.

So an unconfined user executing "service pvpgn restart" would execute the
init script and the init script would finally start pvpgn running in the
correct context.

unconfined_t -> initrc_exec_t -> initrc_t -> pvpgn_exec_t -> pvpgn_t
 
09-11-2008, 01:57 PM
Fred Wittekind
Need some help with a new policy module

Daniel J Walsh wrote:
> Fred Wittekind wrote:
>> Daniel J Walsh wrote:
>>> [...]
>>> Fred if you use policy_module(pvpgn, 1.0.0)
>>> You will get all of the gen_require stuff for free.
>>
>> Quite helpful, thanks.
>>
>>> corenet_udp_bind_generic_port(pvpgn_t)
>>> corenet_tcp_bind_generic_port(pvpgn_t)
>
> type pvpgn_port_t;
> ports_type(pvpgn_port_t)
>
> allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
> allow pvpgn_t pvpgn_port_t:udp_socket name_bind;
>
> Then you need to add the ports definition using
> semanage port -a -t pvpgn_port_t -Ptcp PORTNUM

Assuming this policy file is going to be included into an rpm I'm making
for pvpgn, what's best practice for handling adding the port numbers?
Add semanage statements for the port numbers to the %post section? Or
is there a way to encode the port numbers into the policy file?

>>> You really should define a port and then allow pvpgn bind to the
>>> specific port. (Unless pvpgn binds to random ports?)
>>
>> Wanted to, but couldn't quite figure out how to define a specific port.
>> Using source rpm for policy as a reference, but, it appears to use
>> macros for all the ports it needs.
>>
>>> If this is on Fedora 10 you might want to add
>>>
>>> permissive pvpgn_t;
>>>
>>> Which will allow the daemon to run in permissive mode while you are
>>> testing.
>>
>> It's Fedora 9, thanks though.
>
> Well that should show up in Fedora 9 whenever they move to the
> kernel-2.6.27 kernel
 
09-11-2008, 02:50 PM
Daniel J Walsh
Need some help with a new policy module


Fred Wittekind wrote:
> Daniel J Walsh wrote:
>> [...]
>> type pvpgn_port_t;
>> ports_type(pvpgn_port_t)
>>
>> allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
>> allow pvpgn_t pvpgn_port_t:udp_socket name_bind;
>>
>> Then you need to add the ports definition using
>> semanage port -a -t pvpgn_port_t -Ptcp PORTNUM
>
> Assuming this policy file is going to be included into an rpm I'm making
> for pvpgn, what's best practice for handling adding the port numbers?
> Add semanage statements for the port numbers to the %post section? Or
> is there a way to encode the port numbers into the policy file?

Yes, I would execute something like the following in your %post:

# semodule -i pvpgn.pp
# restorecon -R -v PGPGNPATHS ...
# semanage port -a -t pvpgn_port_t -Ptcp PORTNUM

You can not define a port in a module currently.


Your question this morning has triggered me to write a blog entry.

http://danwalsh.livejournal.com/23944.html
 
09-12-2008, 12:08 PM
Ingemar Nilsson
Need some help with a new policy module

Daniel J Walsh wrote:
> Then you need to add the ports definition using
> semanage port -a -t pvpgn_port_t -Ptcp PORTNUM


It would be nice if someone could explain what this actually does, so
that I (and others) can figure out what implications it has. E.g. is it
persistent? Where is the information stored? Etc, etc.


I'm not very fond of magic.

Regards
Ingemar

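The %post procedure Dan lays out (semodule -i, restorecon, semanage port), together with Ingemar's question about what semanage port -a actually does, as one added example. This is my script, not code from the thread or from PvPGN. It assumes pvpgn.te and pvpgn.fc in the current directory, selinux-policy-devel installed, that bnetd listens on 6112/tcp (PvPGN's usual Battle.net port, which the thread never states; take the real list from bnetd.conf), and the current spelling -p tcp for the protocol option. The port-list parser and the semanage port -l excerpt are constructed; only port_action runs on a machine without the SELinux tools, which is what the dry run at the bottom exercises.

```shell
#!/bin/sh
# Added example, not the thread's or PvPGN's code: the %post procedure
# from the thread (semodule -i, restorecon, semanage port) written so it
# can be re-run safely. Assumptions: pvpgn.te/pvpgn.fc in the current
# directory, selinux-policy-devel installed, bnetd on 6112/tcp (assumed,
# not stated in the thread).

PVPGN_MODULE=pvpgn
PVPGN_PORT_TYPE=pvpgn_port_t
PVPGN_PORTS="6112/tcp"
PVPGN_PATHS="/etc/pvpgn /usr/sbin/bnetd /usr/sbin/bntrackd /usr/sbin/d2cs /usr/sbin/d2dbs
/var/lib/pvpgn /var/log/pvpgn /var/run/pvpgn"

# port_action PORT PROTO TYPE: read `semanage port -l` output on stdin and
# print "add", "modify" or "ok". `semanage port -a` aborts with
# "already defined" when the number is already labelled (by the base policy
# or by an earlier install), so an unconditional -a in %post breaks on
# reinstall; -m is the call that changes an existing label.
port_action() {
    awk -v port="$1" -v proto="$2" -v want="$3" '
    $2 == proto {
        # semanage port -l line: TYPE PROTO PORT[, PORT|LO-HI ...]
        for (i = 3; i <= NF; i++) {
            p = $i; sub(/,$/, "", p)
            lo = p; hi = p
            if (p ~ /-/) { split(p, r, "-"); lo = r[1]; hi = r[2] }
            if (port + 0 >= lo + 0 && port + 0 <= hi + 0) {
                found = ($1 == want) ? "ok" : "modify"
                exit
            }
        }
    }
    END { if (found == "") found = "add"; print found }'
}

# label_port PORT PROTO: apply the decision above with semanage
label_port() {
    case $(semanage port -l | port_action "$1" "$2" "$PVPGN_PORT_TYPE") in
        add)    semanage port -a -t "$PVPGN_PORT_TYPE" -p "$2" "$1" ;;
        modify) semanage port -m -t "$PVPGN_PORT_TYPE" -p "$2" "$1" ;;
        ok)     ;;
    esac
}

pvpgn_selinux_install() {
    make -f /usr/share/selinux/devel/Makefile "$PVPGN_MODULE.pp" || return 1
    semodule -i "$PVPGN_MODULE.pp" || return 1   # also upgrades a loaded module
    restorecon -R -v $PVPGN_PATHS                # apply the contexts from pvpgn.fc
    for spec in $PVPGN_PORTS; do
        label_port "${spec%/*}" "${spec#*/}"
    done
    # confirm the init-script transition the thread describes:
    # initrc_t -> pvpgn_exec_t -> pvpgn_t
    sesearch -T -s initrc_t -t "${PVPGN_MODULE}_exec_t" -c process
    semanage port -lC | grep "$PVPGN_PORT_TYPE"   # local (non-base-policy) labels
}

# Constructed excerpt of `semanage port -l` output for the dry run below.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
amqp_port_t                    tcp      5671, 5672
dcc_port_t                     udp      6276, 6277
xserver_port_t                 tcp      6000-6020'

if [ "${1-}" = install ]; then
    pvpgn_selinux_install
else
    # dry run: what the %post would do for each port against the sample
    for spec in $PVPGN_PORTS; do
        printf '%s: %s\n' "$spec" \
            "$(printf '%s\n' "$SAMPLE_PORT_LIST" | port_action "${spec%/*}" "${spec#*/}" "$PVPGN_PORT_TYPE")"
    done
fi
```

On what semanage port -a does: it is persistent. It appends a record to ports.local in the SELinux policy store (under /etc/selinux/targeted/modules/active/ on Fedora of this era, /var/lib/selinux/targeted/active/ on current releases), rebuilds the kernel policy from the store and loads it, so the label survives reboots and selinux-policy upgrades until semanage port -d removes it; semanage port -l -C lists only such local records. The add/modify distinction is the part worth thinking about rather than automating blindly: against the sample the dry run prints "add" for 6112, but a port that falls inside another type's range (6010 in xserver_port_t's 6000-6020) comes back "modify", and relabelling it to pvpgn_port_t will stop whatever confined service used to bind there.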