proc_net .... kudzu.te, rpcd.te, mozilla_macros.te

Daniel J Walsh dwalsh at redhat.com
Mon Nov 29 16:52:06 UTC 2004


Tom London wrote:

>Running strict/enforcing, latest Rawhide.
>
>Looks like some changes to policy
>for proc_net_t is causing some denials.
>
>Nov 28 09:06:51 fedora kernel: audit(1101661600.402:0): avc:  denied 
>{ search } for  pid=1520 exe=/usr/sbin/kudzu name=net dev=proc
>ino=-268435434 scontext=system_u:system_r:kudzu_t
>tcontext=system_u:object_r:proc_net_t tclass=dir
>Nov 28 10:28:12 fedora kernel: audit(1101666486.919:0): avc:  denied 
>{ search } for  pid=1843 exe=/usr/sbin/rpc.idmapd name=net dev=proc
>ino=-268435434 scontext=system_u:system_r:rpcd_t
>tcontext=system_u:object_r:proc_net_t tclass=dir
>Nov 28 10:29:38 fedora kernel: audit(1101666578.571:0): avc:  denied 
>{ read } for  pid=3146 exe=/bin/netstat name=net dev=proc
>ino=-268435434 scontext=user_u:user_r:user_mozilla_t
>tcontext=system_u:object_r:proc_net_t tclass=dir
>Nov 28 10:29:39 fedora kernel: audit(1101666579.074:0): avc:  denied 
>{ search } for  pid=3146 exe=/bin/netstat name=net dev=proc
>ino=-268435434 scontext=user_u:user_r:user_mozilla_t
>tcontext=system_u:object_r:proc_net_t tclass=dir
>
>Made the following changes to
>kudzu.te, rpcd.te and mozilla_macros.te
>
>Please correct as needed.... 
>   tom
>
>--- SAVE/kudzu.te       2004-11-28 10:23:18.000000000 -0800
>+++ ./kudzu.te  2004-11-28 10:25:43.000000000 -0800
>@@ -18,7 +18,8 @@
> allow kudzu_t modules_object_t:dir r_dir_perms;
> allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
> allow kudzu_t mouse_device_t:chr_file { read write };
>-allow kudzu_t proc_t:file { getattr read };
>+allow kudzu_t proc_net_t:dir r_dir_perms;
>+allow kudzu_t { proc_t proc_net_t }:file { getattr read };
> allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file
>rw_file_perms;
> allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
> allow kudzu_t { bin_t sbin_t }:dir { getattr search };
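Review bot: the logged denial for kudzu_t is only `search` on proc_net_t:dir, yet the two added lines grant `r_dir_perms` on the directory and `{ getattr read }` on proc_net_t files, neither of which appears in the audit messages; if kudzu is known to read files under /proc/net, say so in the message, otherwise start with `allow kudzu_t proc_net_t:dir search;` and let the next denials drive the rest. Separately, the context line `allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file` has been wrapped by the mailer onto a second line (`rw_file_perms;`) that lacks the leading space, so this hunk will not apply with patch(1) as pasted.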
>--- SAVE/rpcd.te        2004-11-28 10:43:20.801436658 -0800
>+++ ./rpcd.te   2004-11-28 10:45:04.285886135 -0800
>@@ -126,3 +126,4 @@
> r_dir_file(rpcd_t, rpc_pipefs_t)
> allow rpcd_t rpc_pipefs_t:sock_file { read write };
> dontaudit rpcd_t selinux_config_t:dir { search };
>+allow rpcd_t proc_net_t:dir search;
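Review bot: the added rule matches the logged denial exactly (only `search`), which is the right starting point, but a daemon that searches /proc/net normally goes on to read a file under it, so expect a follow-on `read` denial on proc_net_t:file; the `r_dir_file()` macro used two lines above for rpc_pipefs_t would be the consistent form if that happens. For style, the neighbouring `dontaudit` line writes a single permission as `{ search }`; pick one form within the file.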
>--- SAVE/mozilla_macros.te      2004-11-28 10:47:54.527909494 -0800
>+++ ./mozilla_macros.te 2004-11-28 10:47:57.741626903 -0800
>@@ -48,6 +48,7 @@
> # for bash
> allow $1_mozilla_t device_t:dir r_dir_perms;
> allow $1_mozilla_t devpts_t:dir r_dir_perms;
>+allow $1_mozilla_t proc_net_t:dir r_dir_perms;
>+allow $1_mozilla_t proc_net_t:file r_file_perms;
> allow $1_mozilla_t proc_t:file { getattr read };
> dontaudit $1_mozilla_t tty_device_t:chr_file getattr;
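Review bot: the denied exe is /bin/netstat, not the browser, yet these two lines give the whole $1_mozilla_t domain read access to the proc_net_t directory and, via `r_file_perms`, to every proc_net_t file, although no file-class denial was logged; for a network-facing domain consider whether a `dontaudit` on the dir read/search is the better answer, or whether netstat should not be running in the browser's domain at all. The header `@@ -48,6 +48,7 @@` also does not add up for two `+` lines (a two-line addition should raise the new count by two over the old), so the hunk looks hand-edited or mangled in transit; regenerate it with diff -u before applying.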
>
Added to policy-1.19.6-1
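As an added illustration, not part of the thread, the following Python reduces the four AVC messages above to the minimal allow rules they justify and diffs them against what the posted patch grants, so over-broad rules stand out; the macro expansions and the `user` instantiation of `$1` are assumptions.

```python
import re
# Constructed sample input: the four AVC messages from the report, each rejoined onto one line.
AVC_LINES = [
    "audit(1101661600.402:0): avc:  denied { search } for pid=1520 exe=/usr/sbin/kudzu name=net dev=proc ino=-268435434 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:proc_net_t tclass=dir",
    "audit(1101666486.919:0): avc:  denied { search } for pid=1843 exe=/usr/sbin/rpc.idmapd name=net dev=proc ino=-268435434 scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:proc_net_t tclass=dir",
    "audit(1101666578.571:0): avc:  denied { read } for pid=3146 exe=/bin/netstat name=net dev=proc ino=-268435434 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:proc_net_t tclass=dir",
    "audit(1101666579.074:0): avc:  denied { search } for pid=3146 exe=/bin/netstat name=net dev=proc ino=-268435434 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:proc_net_t tclass=dir",
]
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
                    r"scontext=\S+:(?P<sdom>\w+)\s+tcontext=\S+:(?P<ttype>\w+)\s+tclass=(?P<tclass>\w+)")
# Assumed expansions of the two strict-policy macros the patch uses (global_macros.te of that era).
MACROS = {"r_dir_perms": {"read", "getattr", "lock", "search", "ioctl"},
          "r_file_perms": {"read", "getattr", "lock", "ioctl"}}

def minimal_rules(lines):
    """Aggregate denials into {(source domain, target type, class): set of permissions actually denied}."""
    rules = {}
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial: skip rather than guess
        key = (m["sdom"], m["ttype"], m["tclass"])
        rules.setdefault(key, set()).update(m["perms"].split())
    return rules

def format_rules(rules):
    """Render the rules as policy statements, sorted so the output is stable."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]

def expand(perms):
    """Replace macro names with the permissions they stand for; plain permissions pass through."""
    return set().union(*(MACROS.get(p, {p}) for p in perms))

def excess_grants(observed, proposed):
    """Permissions a patch grants that no denial asked for; an empty result means the rules fit exactly."""
    return {k: extra for k, p in proposed.items() if (extra := expand(p) - observed.get(k, set()))}

# The rules Tom's patch adds, with $1 instantiated as "user" for the mozilla macro.
PATCH = {
    ("kudzu_t", "proc_net_t", "dir"): {"r_dir_perms"},
    ("kudzu_t", "proc_net_t", "file"): {"getattr", "read"},
    ("rpcd_t", "proc_net_t", "dir"): {"search"},
    ("user_mozilla_t", "proc_net_t", "dir"): {"r_dir_perms"},
    ("user_mozilla_t", "proc_net_t", "file"): {"r_file_perms"},
}

if __name__ == "__main__":
    observed = minimal_rules(AVC_LINES)
    print("\n".join(format_rules(observed) + [f"# over-grant {k}: {sorted(v)}" for k, v in excess_grants(observed, PATCH).items()]))
```

Only the rpcd.te rule comes out as an exact fit; the other four rules grant permissions the audit log never showed being exercised.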
