Perforce server under selinux
Hi!

I am trying to get p4d running in enforcing mode. The problem seems to be
that p4d can't read and write from sockets:

audit(1094655218.690:0): avc: denied { write } for pid=19802
exe=/usr/sbin/p4d path=socket:[52370] dev=sockfs ino=52370
scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
tclass=tcp_socket
audit(1094655218.691:0): avc: denied { read } for pid=19870
exe=/usr/sbin/p4d path=socket:[52370] dev=sockfs ino=52370
scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
tclass=tcp_socket
audit(1094655218.691:0): avc: denied { read } for pid=19870
exe=/usr/sbin/p4d path=socket:[52370] dev=sockfs ino=52370
scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
tclass=tcp_socket

Is there any way I can modify the policies to allow this?

Best regards
Fredrik Jansson

--
gentoo-hardened@gentoo.org mailing list
Re: Perforce server under selinux
Anytime you launch a daemon from initscripts it will need a policy. This
is because it needs to run in its own domain with only the privileges
it needs. Launching it from the initscripts without a policy will cause
it to run in the init domain, which has no privileges beyond launching
apps into their own domain.

So the answer is, you will have to write or find a policy for this
daemon, so that it runs in its own domain, before it will function with
selinux.

Joshua Brindle

Jansson Fredrik wrote:

> Hi!
>
> I am trying to get p4d running in enforcing mode. The problem seems to be
> that p4d can't read and write from sockets:
>
> audit(1094655218.690:0): avc: denied { write } for pid=19802
> exe=/usr/sbin/p4d path=socket:[52370] dev=sockfs ino=52370
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> tclass=tcp_socket
> audit(1094655218.691:0): avc: denied { read } for pid=19870
> exe=/usr/sbin/p4d path=socket:[52370] dev=sockfs ino=52370
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> tclass=tcp_socket
> audit(1094655218.691:0): avc: denied { read } for pid=19870
> exe=/usr/sbin/p4d path=socket:[52370] dev=sockfs ino=52370
> scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t
> tclass=tcp_socket
>
> Is there any way I can modify the policies to allow this?
>
> Best regards
> Fredrik Jansson
>

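The AVC lines in the question show p4d still running as initrc_t (scontext=system_u:system_r:initrc_t), which is exactly the situation the reply describes. Below is an added example, not from this thread or from Perforce, of a minimal reference-policy style module that gives p4d its own domain and only the socket and file access it needs; the type names, the depot path /var/lib/p4d and the dedicated port type are assumptions, and the module uses refpolicy macros rather than the older Gentoo policy syntax of the time.

```selinux
# p4d.fc  -- file contexts (assumed paths; /usr/sbin/p4d matches exe= in the AVC)
/usr/sbin/p4d        --  gen_context(system_u:object_r:p4d_exec_t,s0)
/var/lib/p4d(/.*)?       gen_context(system_u:object_r:p4d_var_lib_t,s0)

# p4d.te  -- type enforcement rules
policy_module(p4d, 1.0.0)

########################################
# Declarations (all type names are assumed for this example)
type p4d_t;
type p4d_exec_t;
# Entry point: when init/initrc_t executes a file labelled p4d_exec_t the
# process transitions into p4d_t instead of staying in initrc_t.
init_daemon_domain(p4d_t, p4d_exec_t)

# Depot and db.* files
type p4d_var_lib_t;
files_type(p4d_var_lib_t)

# Dedicated port type, so the daemon may bind its own port and nothing else
type p4d_port_t;
corenet_port(p4d_port_t)

########################################
# Local policy
allow p4d_t self:process { signal sigkill };
allow p4d_t self:fifo_file rw_fifo_file_perms;
# The read/write on tcp_socket that was denied for initrc_t above, now
# granted to p4d_t on its own sockets only.
allow p4d_t self:tcp_socket create_stream_socket_perms;

manage_dirs_pattern(p4d_t, p4d_var_lib_t, p4d_var_lib_t)
manage_files_pattern(p4d_t, p4d_var_lib_t, p4d_var_lib_t)

# Network: send/receive over generic interfaces and nodes, bind only to
# the p4d port type (no wildcard port access).
corenet_tcp_sendrecv_generic_if(p4d_t)
corenet_tcp_sendrecv_generic_node(p4d_t)
corenet_tcp_bind_generic_node(p4d_t)
allow p4d_t p4d_port_t:tcp_socket name_bind;

files_read_etc_files(p4d_t)
miscfiles_read_localization(p4d_t)
logging_send_syslog_msg(p4d_t)
sysnet_dns_name_resolve(p4d_t)
```

Build and load with `make -f /usr/share/selinux/devel/Makefile p4d.pp && semodule -i p4d.pp`, then `restorecon -Rv /usr/sbin/p4d /var/lib/p4d` and `semanage port -a -t p4d_port_t -p tcp <p4d port>`. After a restart any remaining denials show scontext=...:p4d_t, so they can be reviewed and added to this module one by one instead of loosening initrc_t.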