"invalid security context" in custom policy

Tracy Reed treed at ultraviolet.org
Tue Apr 28 19:11:05 UTC 2015


I am trying to confine a custom web application using type enforcement plus MCS
to protect multiple instances of the web app from each other. I can compile the
policy ok but when I insert it I get this error:

# semodule -i myapp.pp
libsepol.context_from_record: invalid security context: "myapp_u:myapp_r:myapp_api_t:s0"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert myapp_u:myapp_r:myapp_api_t:s0 to sid
invalid context myapp_u:myapp_r:myapp_api_t:s0
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule:  Failed!

I'm sure I've seen this problem before but can't recall how it was fixed. I
know it's something fairly simple. 

Here's myapp.te:

module myapp 1.0;

# Import some things we will need from other modules/default policy
require {
        sensitivity s0;
        category c0, c1, c2, c3, c4, c5, c6, c7, c8, c9, c10;
        category c1023;
}

# Role and type for our app
role myapp_r;
type myapp_t;

# Glide file context
type myapp_bin_t;
type myapp_api_t;
type myapp_conf_t;
type myapp_release_t;
type myapp_incoming_t;
type myapp_lib_t;
type myapp_logs_t;
type myapp_scripts_t;
type myapp_tmp_t;
type myapp_tomcat_t;
type myapp_util_t;
type myapp_var_t;
type myapp_exec_t;
type myapp_webapps_t;

# Assign type attributes
corecmd_executable_file(myapp_bin_t)
corecmd_executable_file(myapp_exec_t)
#logging_log_file(myapp_logs_t)

# Generate one user per myapp instance, with the user name and category matching
# the port it will bind to. This is only a convention; they don't technically
# have to match.

gen_user(myapp_u,  myapp_t, myapp_r, s0, s0 - mls_systemhigh, c0.c1023)
gen_user(p16000_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c0)
gen_user(p16001_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c1)
gen_user(p16002_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c2)
gen_user(p16003_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c3)
gen_user(p16004_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c4)
gen_user(p16005_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c5)
gen_user(p16006_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c6)
gen_user(p16007_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c7)
gen_user(p16008_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c8)
gen_user(p16009_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c9)
gen_user(p16010_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c10)


And while I'm posting I may as well ask: When I uncomment the
logging_log_file(myapp_logs_t) type attribute above I get this error:

Compiling targeted myapp module
/usr/bin/checkmodule:  loading policy configuration from tmp/myapp.tmp
myapp.te":42:ERROR 'unknown class filesystem used in rule' at token ';' on line 1301:
    allow myapp_logs_t tmp_t:filesystem associate;
#line 42
    /usr/bin/checkmodule:  error(s) encountered while parsing configuration
    make: *** [tmp/myapp.mod] Error 1


All tips are greatly appreciated!

-- 
Tracy Reed
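The "invalid security context" message above is libsepol rejecting the file-context label: a context is valid only if the user is authorized for the role, the role is authorized for the type (object_r is exempt from both checks), and the MLS/MCS range lies inside the user's range; the .te declares myapp_r but contains no "role myapp_r types ..." rule. The Python below is an added example, not code from the post or from libsepol, that models that check (policydb_context_isvalid) over a constructed policy table mirroring myapp.te; the table, the sample contexts and the single-sensitivity SENS_ORDER are constructed for illustration.

```python
# Added illustration, not code from the post: a model of libsepol's
# policydb_context_isvalid() applied to the contexts in the thread.
# The tables mirror myapp.te: users from gen_user(), role myapp_r declared,
# but no "role myapp_r types ..." rule, so the role is authorized for no type.

def parse_level(s):
    """'s0:c0.c10,c1023' -> ('s0', frozenset({0, ..., 10, 1023}))."""
    sens, _, cats = s.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")          # 'c0.c10' is a range, 'c1023' a single cat
        out.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return sens, frozenset(out)

def parse_range(s):
    """'s0-s0:c0.c1023' -> (low, high); a bare level means low == high."""
    low, _, high = s.partition("-")
    return parse_level(low), parse_level(high or low)

SENS_ORDER = ["s0"]          # constructed: MCS policies use a single sensitivity

def dominates(a, b):
    """Level a dominates b: sensitivity at least as high, categories a superset."""
    return SENS_ORDER.index(a[0]) >= SENS_ORDER.index(b[0]) and a[1] >= b[1]

# Constructed policy database: user -> (roles, range), role -> authorized types.
POLICY = {
    "users": {"system_u": ({"system_r"}, parse_range("s0-s0:c0.c1023")),
              "myapp_u": ({"myapp_r"}, parse_range("s0-s0:c0.c1023")),
              "p16000_u": ({"myapp_r"}, parse_range("s0-s0:c0"))},
    "roles": {"system_r": set(), "myapp_r": set()},   # no 'role ... types' rule
    "types": {"myapp_t", "myapp_api_t", "myapp_logs_t"},
}

def context_isvalid(ctx, policy=POLICY):
    """Return (ok, reason) for a 'user:role:type:range' string."""
    user, role, typ, rng = ctx.split(":", 3)
    low, high = parse_range(rng)
    if user not in policy["users"]:
        return False, "unknown user"
    if typ not in policy["types"]:
        return False, "unknown type"
    if not dominates(high, low):
        return False, "high level does not dominate low"
    if role == "object_r":   # object_r is implicit: valid for every type, no user check
        return True, "ok"
    if role not in policy["roles"]:
        return False, "unknown role"
    if typ not in policy["roles"][role]:
        return False, f"role {role} is not authorized for type {typ}"
    roles, (ulow, uhigh) = policy["users"][user]
    if role not in roles:
        return False, f"user {user} is not authorized for role {role}"
    if not (dominates(low, ulow) and dominates(uhigh, high)):
        return False, f"range outside the range of user {user}"
    return True, "ok"
```

Labelling the files system_u:object_r:myapp_api_t:s0 passes the model, as does the posted context once myapp_r is given the type; the per-instance users then only accept ranges within their own category.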