Need some help with a new policy module

Fred Wittekind rom at twister.dyndns.org
Thu Sep 11 13:06:53 UTC 2008


Paul Howarth wrote:
> On Wed, 10 Sep 2008 19:47:22 -0400
> Fred Wittekind <rom at twister.dyndns.org> wrote:
>
>   
>> I'm trying to write a new policy for PvPGN.
>>
>> When I try to start the service via the init script I get:
>> Starting PvPGN game server: /usr/sbin/bnetd: error while loading
>> shared libraries: libm.so.6: cannot open shared object file:
>> Permission denied [FAILED]
>>
>> And:
>> host=twister.dragon type=AVC msg=audit(1221090145.148:30403): avc:  
>> denied  { search } for  pid=3526 comm="bnetd" name="usr" dev=dm-0 
>> ino=3284993 scontext=unconfined_u:system_r:pvpgn_t:s0 
>> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>>
>> host=twister.dragon type=SYSCALL msg=audit(1221090145.148:30403): 
>> arch=40000003 syscall=195 success=no exit=-13 a0=bfaad190 a1=bfaad1f0 
>> a2=ca3fc0 a3=8 items=0 ppid=3525 pid=3526 auid=500 uid=0 gid=0 euid=0 
>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=151 comm="bnetd" 
>> exe="/usr/sbin/bnetd" subj=unconfined_u:system_r:pvpgn_t:s0 key=(null)
>>     
>
> Add to your policy:
>
> libs_use_shared_libs(pvpgn_t)
>   
Thanks, that got me pointed in the right direction, I was sure there was 
a simple way to do it, I just wasn't seeing it.
>   
>> Policy RPM                    selinux-policy-3.3.1-84.fc9
>>
>>
>> If I run the service from the command line without the init script,
>> it works.  I'm sure I'm missing something stupid, just can't figure
>> out what it is.  Can't figure out why it works without the
>> initscript, and throws selinux errors when run from the init script.
>>     
>
> When you run the service directly from the command line, it doesn't
> transition to pvpgn_t, running unconfined instead, hence no SELinux
> issues.
>   
That explains it.  Just because I like to know how things work, what 
makes the initscript different?  Is it something in the policy, or 
something in the functions file?
> Paul.
>
>   
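The difference Paul describes lives in the policy, not in the init functions file: a daemon domain declares a type transition that fires only when initrc_t executes the daemon's entry-point file. The following is an added refpolicy-style module sketch for this thread, not code from the original mail or from the PvPGN project; the module name, the entry-point type pvpgn_exec_t, and the file context line are assumptions.

```te
policy_module(pvpgn, 0.1)

# Domain the daemon runs in, and the type of the file that enters it.
type pvpgn_t;
type pvpgn_exec_t;

# Declares pvpgn_t as a daemon domain and adds the automatic transition
# initrc_t -> pvpgn_t when initrc_t executes a file labelled pvpgn_exec_t.
# Nothing here mentions unconfined_t, so starting /usr/sbin/bnetd from an
# unconfined shell stays in unconfined_t and produces no AVC denials.
init_daemon_domain(pvpgn_t, pvpgn_exec_t)

# The { search } denial on "usr" above is the dynamic loader resolving
# libm.so.6; these interfaces grant the loader and shared-library access.
libs_use_ld_so(pvpgn_t)
libs_use_shared_libs(pvpgn_t)

# Assumed companion pvpgn.fc entry so the binary carries the entry-point type:
# /usr/sbin/bnetd    --    gen_context(system_u:object_r:pvpgn_exec_t,s0)
```

After building and loading the module, relabel the binary (restorecon /usr/sbin/bnetd) so the transition rule has a labelled entry point to match; the assumed .fc line is a separate file in a real module, shown here as a comment only.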