I am attempting to get myapp to exec /sbin/swapon
audit2allow says I need:
allow myapp_t fixed_disk_device_t:blk_file { read write };
This compiles, but semodule won't install it:
[root@domingo ~]# semodule -i /nethome/user/bginn/src/pb6/pb/selinux/myapp.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp_t fixed_disk_device_t:blk_file { write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertions: 2 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[root@domingo ~]#
I don't see any constraint, or class permission that would affect this.
I do see that modules/kernel/storage.te contains:
neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
Could these be causing my problem?
Is there a domain transition or other policy that would allow myapp to exec /sbin/swapon ?
Thanks, Brian
On 06/01/2009 01:05 PM, Brian Ginn wrote:
> I am attempting to get myapp to exec /sbin/swapon
> audit2allow says I need:
> allow myapp_t fixed_disk_device_t:blk_file { read write };
> This compiles, but semodule won't install it:
> [root@domingo ~]# semodule -i /nethome/user/bginn/src/pb6/pb/selinux/myapp.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp_t fixed_disk_device_t:blk_file { write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp_t fixed_disk_device_t:blk_file { read };
> libsepol.check_assertions: 2 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> [root@domingo ~]#
> I don't see any constraint, or class permission that would affect this.
> I do see that modules/kernel/storage.te contains:
> neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
> neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
> Could these be causing my problem?
> Is there a domain transition or other policy that would allow myapp to exec /sbin/swapon ?
Probably best to do
fstools_domtrans(myapp_t)
If you want to allow myapp_t to edit fixed disks, you need to use this interface.
storage_manage_fixed_disk(myapp_t)
> Thanks, Brian
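The two interfaces from the reply, written out as a complete loadable module. This is an added example, not code from either message in the thread. It assumes myapp_t is already declared by Brian's existing policy (hence the gen_require), that the module is named myapp with a made-up version, and that the reference policy interfaces fstools_domtrans and storage_manage_fixed_disk are available, as the reply states. It also spells out why the audit2allow rule failed: the neverallow rules in storage.te exempt only types carrying the fixed_disk_raw_read / fixed_disk_raw_write attributes, the storage_* interfaces are what add a type to those attributes, and a bare allow rule does not, so the assertion checker rejects it at link time.

```selinux
# myapp.te -- added example module, not the original poster's policy.
# Version number is a placeholder.
policy_module(myapp, 1.0.1)

########################################
#
# Declarations
#

# Assumption: myapp_t is declared in the existing myapp policy, so this
# module only requires it instead of redeclaring it.
gen_require(`
	type myapp_t;
')

########################################
#
# Local policy
#

# Preferred fix (the reply's first suggestion): when myapp_t executes
# /sbin/swapon, the new process transitions into the fstools domain.
# swapon then runs with the fstools domain's own raw-disk permissions
# and myapp_t never needs blk_file access on fixed_disk_device_t.
fstools_domtrans(myapp_t)

# Only if myapp_t itself must read or write the raw disk device
# (the reply's second suggestion). Unlike the generated rule
#   allow myapp_t fixed_disk_device_t:blk_file { read write };
# this interface also adds myapp_t to the fixed_disk_raw_read and
# fixed_disk_raw_write attributes, which is what satisfies the two
# neverallow rules in modules/kernel/storage.te quoted above.
# Commented out: raw disk access bypasses filesystem labeling, so
# grant it only when the domain transition is not enough.
# storage_manage_fixed_disk(myapp_t)
```

Assuming the selinux-policy-devel tree is installed, the module builds with `make -f /usr/share/selinux/devel/Makefile myapp.pp` and loads with `semodule -i myapp.pp`; a module that relies on fstools_domtrans alone will pass the assertion check because it adds no blk_file rule on fixed_disk_device_t. If storage_manage_fixed_disk is enabled, `seinfo -a fixed_disk_raw_write -x` afterwards should list myapp_t among the attribute's members, which is the check that the neverallow exemption actually took effect.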
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list