Need some help with a new policy module

Daniel J Walsh dwalsh at redhat.com
Thu Sep 11 14:50:28 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fred Wittekind wrote:
> Daniel J Walsh wrote:
> Fred Wittekind wrote:
>  
>>>> Daniel J Walsh wrote:
>>>> Fred Wittekind wrote:
>>>>  
>>>>    
>>>>>>> I'm trying to write a new policy for PvPGN.
>>>>>>>
>>>>>>> When I try to start the service via the init script I get:
>>>>>>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading
>>>>>>> shared
>>>>>>> libraries: libm.so.6: cannot open shared object file: Permission
>>>>>>> denied
>>>>>>>                                                           [FAILED]
>>>>>>>
>>>>>>> And:
>>>>>>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:
>>>>>>> denied  { search } for  pid=3526 comm="bnetd" name="usr" dev=dm-0
>>>>>>> ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0
>>>>>>> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>>>>>>>
>>>>>>> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403):
>>>>>>> arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0
>>>>>>> a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0
>>>>>>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd"
>>>>>>> exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0
>>>>>>> key=(null)
>>>>>>>
>>>>>>> Policy RPM                    selinux-policy-3.3.1-84.fc9
>>>>>>>
>>>>>>>
>>>>>>> If I run the service from the command line without the init
>>>>>>> script, it
>>>>>>> works.  I'm sure I'm missing something stupid, just can't figure out
>>>>>>> what it is.  Can't figure out why it works without the initscript,
>>>>>>> and
>>>>>>> throws selinux errors when run from the init script.
>>>>>>>
>>>>>>> Thanks in advance for any help.
>>>>>>>
>>>>>>> Fred Wittekind IV
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------------
>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>> fedora-selinux-list mailing list
>>>>>>> fedora-selinux-list at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>>>               
>>>> Fred, if you use policy_module(pvpgn, 1.0.0)
>>>> you will get all of the gen_require stuff for free.
>>>>      
>>>>> Quite helpful, thanks.
>>>>>       
>>>> corenet_udp_bind_generic_port(pvpgn_t)
>>>> corenet_tcp_bind_generic_port(pvpgn_t)
>>>>
>>>>     
> type pvpgn_port_t;
> ports_type(pvpgn_port_t)
> 
> allow pvpgn_t pvpgn_port_t:tcp_socket name_bind;
> allow pvpgn_t pvpgn_port_t:udp_socket name_bind;
> 
> Then you need to add the port definition using
> semanage port -a -t pvpgn_port_t -Ptcp PORTNUM
>   
>> Assuming this policy files is going to be included into a rpm I'm making
>> for pvpgn, what's best practice for handling adding the port numbers. 
>> Add semanage statements for the port numbers to the %post section?  Or
>> is there a way to encode the port numbers into the policy file?
>  
Yes, I would execute something like the following in your %post:

# semodule -i pvpgn.pp
# restorecon -R -v PVPGNPATHS ...
# semanage port -a -t pvpgn_port_t -Ptcp PORTNUM

You cannot define a port in a module currently.

>>>> You really should define a port and then allow pvpgn bind to the
>>>> specific port.  (Unless pvpgn binds to random ports?)
>>>>      
>>>>> Wanted to, but couldn't quite figure out how to define a specific
>>>>> port. Using the source rpm for policy as a reference, but it appears to
>>>>> use macros for all the ports it needs.
>>>>>       
>>>> If this is on Fedora 10 you might want to add
>>>>
>>>> permissive pvpgn_t;
>>>>
>>>> Which will allow the daemon to run in permissive mode while you are
>>>> testing.
>>>>      
>>>>> It's Fedora 9, thanks though.
>>>>>
>>>>>       
> Well, that should show up in Fedora 9 whenever they move to the
> 2.6.27 kernel.
>>

Your question this morning has triggered me to write a blog entry.

http://danwalsh.livejournal.com/23944.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjJMDQACgkQrlYvE4MpobNHuwCgquwqLy3OaLPm8OR1Wduuq294
u14AoJIW2CDtNQXo6CUCq+ICDkIPMNCT
=q33W
-----END PGP SIGNATURE-----
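The denial quoted at the top of the thread only appears under the init script because that is the only path that actually enters the new pvpgn_t domain (initrc_t transitions into it via the module's domain transition); started from an interactive shell, bnetd simply stays in the caller's unconfined domain, so no new rule is ever exercised. The script below is an added example, not code from this thread, from Dan Walsh, or from the PvPGN project. It does what `audit2allow` does without `-R`: it collapses AVC records into raw `allow` statements so the mapping from a denial to a policy line is visible, and it flags `name_bind` denials against a generic port type, where the thread's advice is to declare a dedicated `pvpgn_port_t` and register the port number with `semanage port` at install time rather than allowing the generic type. The sample audit text is constructed for the example: the quoted AVC and SYSCALL records reflowed onto single lines, plus a made-up `name_bind` denial (the port number 6112 is arbitrary, not taken from the thread). The `pvpgn_port_t` name passed to `port_advice` is the caller's choice.

```python
"""Mini audit2allow: turn AVC denial records into SELinux allow rules.

Added example (not from the thread or from PvPGN). Mirrors audit2allow's raw
output (no interface lookup) and adds a check for binds against generic port
types, which should get a dedicated *_port_t instead.
"""
import re
from collections import defaultdict

# Constructed sample input. Lines 1-2 are the records quoted in the thread,
# reflowed; line 3 is a constructed name_bind denial against the generic
# port_t type. 6112 is an arbitrary port number for this example.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1221090145.148:30403): avc:  denied  { search } for  pid=3526 comm="bnetd" name="usr" dev=dm-0 ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1221090145.148:30403): arch=40000003 syscall=195 success=no exit=-13 comm="bnetd" exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
type=AVC msg=audit(1221090150.001:30404): avc:  denied  { name_bind } for  pid=3526 comm="bnetd" src=6112 scontext=unconfined_u:system_r:pvpgn_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

# Matches only AVC records: SYSCALL/PATH records have no scontext/tcontext pair.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Generic port types a confined daemon should not be allowed to bind wholesale.
GENERIC_PORT_TYPES = {"port_t", "unreserved_port_t", "reserved_port_t"}


def type_of(context):
    """Extract the type field from a user:role:type[:range] context string."""
    return context.split(":")[2]


def parse_denials(audit_text):
    """Collapse AVC records into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the SYSCALL companion line)
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def render_allow_rules(rules):
    """Render parsed denials as sorted `allow` statements, audit2allow style."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        lines.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return lines


def port_advice(rules, port_type):
    """One note per name_bind denial against a generic port type.

    port_type is the dedicated type the module should declare instead
    (hypothetical name chosen by the caller, e.g. pvpgn_port_t).
    """
    notes = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if "name_bind" in perms and ttype in GENERIC_PORT_TYPES:
            proto = tclass.split("_")[0]  # tcp_socket -> tcp, udp_socket -> udp
            notes.append(
                f"{stype} tried to bind a {tclass} labeled {ttype}; instead of "
                f"allowing {ttype}, declare {port_type}, allow {stype} "
                f"{port_type}:{tclass} name_bind, and register the port at "
                f"install time with: semanage port -a -t {port_type} -p {proto} PORTNUM"
            )
    return notes


if __name__ == "__main__":
    parsed = parse_denials(SAMPLE_AUDIT)
    print("\n".join(render_allow_rules(parsed)))
    for note in port_advice(parsed, "pvpgn_port_t"):
        print("#", note)
```

One practical caveat for the `%post` sequence in the thread: `semanage port -a` errors out if the port number is already assigned a type (for example on a package upgrade where the earlier `%post` already ran), so an idempotent scriptlet typically tries `semanage port -a ...` and falls back to `semanage port -m ...` (modify) on failure, and `semodule -i` must run before the `semanage port` call so that the `pvpgn_port_t` type already exists.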