fedora-selinux June 2009 archive

Re: getting myapp to exec /sbin/swapon

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Mon Jun 01 2009 - 17:11:35 GMT
To: Brian Ginn <BGinn@symark.com>


On 06/01/2009 01:05 PM, Brian Ginn wrote:
> I am attempting to get myapp to exec /sbin/swapon
>
> audit2allow says I need:
> allow myapp_t fixed_disk_device_t:blk_file { read write };
>
> This compiles, but semodule won't install it:
> [root@domingo ~]# semodule -i /nethome/user/bginn/src/pb6/pb/selinux/myapp.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp_t fixed_disk_device_t:blk_file { write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp_t fixed_disk_device_t:blk_file { read };
> libsepol.check_assertions: 2 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> [root@domingo ~]#
>
> I don't see any constraint, or class permission that would affect this.
>
> I do see that modules/kernel/storage.te contains:
> neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
> neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
> Could these be causing my problem?
>
> Is there a domain transition or other policy that would allow myapp to exec /sbin/swapon ?
>

Probably best to do

fstools_domtrans(myapp_t)

If you want to allow myapp_t to edit fixed disks, you need to use this interface.

storage_manage_fixed_disk(myapp_t)

>
>
> Thanks,
> Brian
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
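A complete policy module that applies the advice in the reply above, written here as an added example; it is not code from the thread or from the reference policy itself. The domain name myapp_t comes from the question; the executable type myapp_exec_t, the use of application_domain() to declare it, and the binary path are assumptions. The point it demonstrates is the one the reply makes: rather than granting myapp_t read/write on fixed_disk_device_t (which the two neverallow rules in storage.te reject at link time, hence the assertion errors from semodule), myapp_t transitions into the fstools domain when it executes /sbin/swapon, so the raw disk access stays confined to that domain.

```selinux
policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#

# myapp_t is the domain from the question; myapp_exec_t is an assumed
# entrypoint type for the myapp binary (labelled via myapp.fc, see note).
type myapp_t;
type myapp_exec_t;
application_domain(myapp_t, myapp_exec_t)

########################################
#
# myapp local policy
#

# Do NOT add what audit2allow suggested:
#   allow myapp_t fixed_disk_device_t:blk_file { read write };
# storage.te carries neverallow rules that forbid this for any domain
# lacking the fixed_disk_raw_read / fixed_disk_raw_write attributes, so
# the module links but semodule refuses to install it.

# Instead, transition into the fstools domain when myapp_t executes a
# filesystem tool such as /sbin/swapon. The interface grants the execute
# permission on fsadm_exec_t and the domain transition; swapon then runs
# in fsadm_t, which already holds the raw disk permissions it needs.
fstools_domtrans(myapp_t)

# Only if myapp_t itself genuinely has to open fixed disks (swapon does
# not require this): this interface adds the attributes that the
# neverallow rules exempt. Left commented out as the wider grant.
# storage_manage_fixed_disk(myapp_t)
```

A matching myapp.fc would label the binary, e.g. `/usr/bin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)` (path assumed), and `make -f /usr/share/selinux/devel/Makefile myapp.pp && semodule -i myapp.pp` builds and installs the module. To confirm the transition is in the loaded policy, `sesearch -T -s myapp_t -c process` should list a type_transition to fsadm_t, and `sesearch -A -s myapp_t -t fixed_disk_device_t` should return nothing, which is exactly the property the neverallow rules exist to enforce.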