hi all,
In FC7 rawhide, targeted policy 2.5.9-2 prevents mono from doing something:
avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03 egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500 gid=500 inode=55866 item=0 items=1 mode=0100644 name="make-it-fail" obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500 path="/proc/3185/make-it-fail" pid=3091 rdev=00:00 scontext=user_u:system_r:mono_t:s0 sgid=500 subj=user_u:system_r:mono_t:s0 suid=500 tclass=file tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03 egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500 gid=500 inode=55852 item=0 items=1 mode=0100600 name="mem" obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500 path="/proc/3185/mem" pid=3091 rdev=00:00 scontext=user_u:system_r:mono_t:s0 sgid=500 subj=user_u:system_r:mono_t:s0 suid=500 tclass=file tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03 egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500 gid=500 inode=55864 item=0 items=1 mode=0100644 name="oom_adj" obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500 path="/proc/3185/oom_adj" pid=3091 rdev=00:00 scontext=user_u:system_r:mono_t:s0 sgid=500 subj=user_u:system_r:mono_t:s0 suid=500 tclass=file tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03 egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500 gid=500 inode=55865 item=0 items=1 mode=0100644 name="loginuid" obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500 path="/proc/3185/loginuid" pid=3091 rdev=00:00 scontext=user_u:system_r:mono_t:s0 sgid=500 subj=user_u:system_r:mono_t:s0 suid=500 tclass=file tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
avc: denied { setattr } for comm="beagled" cwd="/home/yangshao" dev=00:03 egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500 gid=500 inode=160224 item=0 items=1 mode=0100644 name="oom_adj" obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500 path="/proc/3117/oom_adj" pid=3091 rdev=00:00 scontext=user_u:system_r:mono_t:s0 sgid=500 subj=user_u:system_r:mono_t:s0 suid=500 tclass=file tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500
......
As far as I know, this problem has happened since targeted policy 2.5.8-8.
I wrote a loadable module; after installing it, such problems have not happened again so far.
There is only a ".te" file in this module:
"
module mymono 1.0;

require {
	type unconfined_t;
	type mono_t;
	class file { write setattr };
}

#============= mono_t ==============
allow mono_t unconfined_t:file { write setattr };
"
Can anyone guide me on whether the '.te' file has something wrong?
I know that in the reference policy we should use interfaces, but I am a newbie to SELinux policy and I don't know how to begin writing policy using interfaces.
selinux@lists.fedoraproject.org
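The step the poster did by hand, as an added example (not the poster's code, and not audit2allow): a small parser over the AVC record format quoted above that merges the denials into the same `allow mono_t unconfined_t:file { setattr write };` rule and renders the loadable-module .te. The sample records are constructed from the shape of the quoted ones, and the generated file lists the paths that triggered each rule, because an allow on `unconfined_t:file` covers every file with that label, not only the /proc/<pid> entries in the denials.

```python
import re
from collections import defaultdict

# Constructed sample: three denials run together on one line, as in the post.
SAMPLE_AVC = (
    'avc: denied { write } for comm="beagled" path="/proc/3185/oom_adj" pid=3091 '
    'scontext=user_u:system_r:mono_t:s0 tclass=file tcontext=user_u:system_r:unconfined_t:s0 '
    'avc: denied { write } for comm="beagled" path="/proc/3185/mem" pid=3091 '
    'scontext=user_u:system_r:mono_t:s0 tclass=file tcontext=user_u:system_r:unconfined_t:s0 '
    'avc: denied { setattr } for comm="beagled" path="/proc/3117/oom_adj" pid=3091 '
    'scontext=user_u:system_r:mono_t:s0 tclass=file tcontext=user_u:system_r:unconfined_t:s0'
)

# Permission set, path, source/target type (third field of user:role:type:level) and class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?path="(?P<path>[^"]*)"'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+).*?tclass=(?P<tclass>\w+)'
    r'.*?tcontext=\w+:\w+:(?P<ttype>\w+)')

def parse_avc(text):
    """One dict per denial found anywhere in `text`, even when records share a line."""
    for m in AVC_RE.finditer(text):
        rec = m.groupdict()
        rec["perms"] = frozenset(rec["perms"].split())
        yield rec

def collect_rules(records):
    """Merge denials into (source, target, class) -> perms, keeping the paths seen."""
    perms, paths = defaultdict(set), defaultdict(set)
    for r in records:
        key = (r["stype"], r["ttype"], r["tclass"])
        perms[key] |= r["perms"]
        paths[key].add(r["path"])
    return dict(perms), dict(paths)

def to_te(perms, paths, name="mymono", version="1.0"):
    """Render a loadable-module .te; each allow rule carries the paths that
    triggered it so the reviewer can judge how much broader the rule is."""
    types = sorted({t for key in perms for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), p in perms.items():
        classes[cls] |= p
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for key in sorted(perms):
        out.append(f"# triggered by: {', '.join(sorted(paths[key]))}")
        out.append(f"allow {key[0]} {key[1]}:{key[2]} {{ {' '.join(sorted(perms[key]))} }};")
    return "\n".join(out) + "\n"
```

Running `to_te(*collect_rules(parse_avc(SAMPLE_AVC)))` yields a module equivalent to the one in the post, with the `require` block and the single `allow` line derived from the records rather than typed by hand.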