Bug 249764
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux interfered with wireless nic acquiring address from dhcp server | | |
| Product | [Fedora] Fedora | Reporter | David Thurston <dangerousdrdave> |
| Component | selinux-policy-targeted | Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED WONTFIX | QA Contact | Ben Levenson <benl> |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | 7 | | |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | i686 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2007-08-14 12:32:02 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description
David Thurston
2007-07-26 21:12:01 UTC
Created attachment 160075 [details]
SELinux Alert file
I think the best thing to do here would be for you to add these rules directly.

```
grep dhcp /var/log/audit/audit.log | audit2allow -M mydhcp
semodule -i mydhcp.pp
```

Yes, once I figured out how to use audit2allow I added a module for the RutilT utility. I also built a module for SWAT (Samba Web Administrative Tool) if anyone needs it.

I must say that SELinux is a royal pain. It took me hours to build the module for SWAT using audit2allow, because the AVC denials came layer after layer: I'd get one set of denials allowed only to be confronted with another set of newly exposed requests. I can't believe that nobody has done a module for SWAT. Is it now the responsibility of the programmer to provide an SELinux module for their software? Would you trust such a module? Sounds like we're asking for someone to build a backdoor to SELinux and "package" it with some useful utility or such. Open source or no, who has time (or the knowledge) to check every SELinux module provided? Is there an easier way?

There is a policy for swat. What was the path to the swat executable? The swat policy comes with the samba policy.

```
# ls -lZ /usr/sbin/swat
-rwxr-xr-x root root system_u:object_r:swat_exec_t /usr/sbin/swat
[root@Service ~]# whereis swat
swat: /usr/sbin/swat /usr/share/swat /usr/share/man/man8/swat.8.gz
[root@Service ~]# ls -lZ /usr/sbin/swat
-rwxr-xr-x root root system_u:object_r:swat_exec_t /usr/sbin/swat
[root@Service ~]#
```

Here is the swat.te I had to build in order for SELinux to stop complaining:

```
module swat 1.0;

require {
    class capability { sys_resource net_bind_service };
    class dir { write add_name create setattr remove_name };
    class file { lock read getattr create write execute_no_trans unlink setattr rename };
    class process { signal signull setrlimit };
    class sock_file { create unlink };
    class tcp_socket name_bind;
    class udp_socket name_bind;
    class unix_stream_socket connectto;
    type initrc_var_run_t;
    type nmbd_exec_t;
    type nmbd_port_t;
    type nmbd_t;
    type nmbd_var_run_t;
    type samba_log_t;
    type samba_secrets_t;
    type samba_var_t;
    type smbd_exec_t;
    type smbd_port_t;
    type smbd_t;
    type smbd_var_run_t;
    type swat_t;
    type winbind_exec_t;
    type winbind_var_run_t;
    role system_r;
};

allow swat_t initrc_var_run_t:file { read write };
allow swat_t nmbd_exec_t:file execute_no_trans;
allow swat_t nmbd_port_t:udp_socket name_bind;
allow swat_t nmbd_t:process { signal signull };
allow swat_t nmbd_var_run_t:file { lock read unlink };
allow swat_t samba_log_t:dir { write add_name create setattr };
allow swat_t samba_log_t:file { create getattr };
allow swat_t samba_secrets_t:file { read write lock getattr setattr };
allow swat_t samba_var_t:dir { write add_name remove_name };
allow swat_t samba_var_t:file { read getattr create lock write setattr rename unlink };
allow swat_t self:capability { sys_resource net_bind_service };
allow swat_t self:process setrlimit;
allow swat_t self:unix_stream_socket connectto;
allow swat_t smbd_exec_t:file { execute_no_trans read };
allow swat_t smbd_port_t:tcp_socket name_bind;
allow swat_t smbd_t:process signal;
allow swat_t smbd_var_run_t:file { lock unlink };
allow swat_t winbind_exec_t:file { execute_no_trans read };
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
```

Most of this had to do with starting and stopping smbd, nmbd, and winbind using SWAT.

I am not sure this is correct. If swat is simply restarting the daemons then you probably need something like

```
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
domtrans_pattern(swat_t, nmbd_exec_t, nmbd_t)
domtrans_pattern(swat_t, smbd_exec_t, smbd_t)
```
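The last comment in the thread makes the point that audit2allow output should be reviewed before loading: an `execute_no_trans` grant on a daemon's `*_exec_t` type keeps the daemon running in the caller's domain (here swat_t) rather than transitioning to the daemon's own domain. As an added illustration, not code from this bug or from Fedora, the Python script below scans the allow rules of a generated .te and flags those grants, printing the `domtrans_pattern` line to consider instead. The sample rules are a few lines from the swat.te above; deriving the daemon domain by replacing `_exec_t` with `_t` is an assumption about naming that happens to hold for the types listed in the module.

```python
import re

# Constructed sample: a subset of the allow rules audit2allow produced in the report above.
SAMPLE_TE = """
allow swat_t nmbd_exec_t:file execute_no_trans;
allow swat_t smbd_exec_t:file { execute_no_trans read };
allow swat_t winbind_exec_t:file { execute_no_trans read };
allow swat_t samba_secrets_t:file { read write lock getattr setattr };
allow swat_t self:capability { sys_resource net_bind_service };
"""

# allow <source> <target>:<class> <perm | { perms }>;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.MULTILINE)


def parse_allow_rules(te_text):
    """Return a list of (source, target, class, set_of_perms) for each allow rule."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        perm_set = set(perms.strip("{} ").split())
        rules.append((src, tgt, cls, perm_set))
    return rules


def find_missing_transitions(te_text):
    """Flag execute_no_trans grants on *_exec_t targets.

    Such a rule lets the source domain run the daemon binary without a
    domain transition, so the daemon inherits the caller's (wider or
    unrelated) permissions. Returns (source, target, suggested_rule).
    """
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        if cls == "file" and "execute_no_trans" in perms and tgt.endswith("_exec_t"):
            # Assumption: daemon domain is named <name>_t for <name>_exec_t.
            daemon_domain = tgt[: -len("_exec_t")] + "_t"
            suggestion = f"domtrans_pattern({src}, {tgt}, {daemon_domain})"
            findings.append((src, tgt, suggestion))
    return findings


if __name__ == "__main__":
    for src, tgt, suggestion in find_missing_transitions(SAMPLE_TE):
        print(f"{src} executes {tgt} without transition; consider: {suggestion}")
```

To check a real module, read the .te file produced by `audit2allow -M` and pass its contents to `find_missing_transitions` before running `semodule -i`.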