[selinux] Re: Conflict between local module and local fcontext

Robin Lee Powell rlpowell at digitalkingdom.org
Wed Jul 29 07:03:42 UTC 2015


On Tue, Jul 28, 2015 at 12:07:51AM -0700, Robin Lee Powell wrote:
> On Mon, Jul 27, 2015 at 08:29:29PM -0700, Robin Lee Powell wrote:
> > On Mon, Jul 27, 2015 at 07:45:11PM -0400, Simon Sekidde wrote:
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Robin Lee Powell" <rlpowell at digitalkingdom.org>
> > > > To: selinux at lists.fedoraproject.org
> > > > Sent: Monday, July 27, 2015 6:05:51 PM
> > > > Subject: Conflict between local module and local fcontext
> > > >
> > > >
> > > > So I have a custom module that includes:
> > > >
> > > >   type lojban_logger_t;
> > > >   type lojban_logger_exec_t;
> > > >
> > > >   application_domain( lojban_logger_t, lojban_logger_exec_t)
> > > >   init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)
> > > >
> > > > (not sure if those are redundant?) and:
> > > >
> > > >   /srv/lojban/irclogs(/.*)?      system_u:object_r:lojban_logger_t:s0
> > > >
> > > > I've made a variety of changes with "semodule fcontext", including:
> > > >
> > > >   /srv/lojban    system_u:object_r:httpd_user_content_t:s0
> > > >   /srv/lojban(/.*)?    system_u:object_r:httpd_user_content_t:s0
> > > >
> > > > As a result, the changes in my module are ignored, and the files
> > > > end up with httpd_user_content_t
> > > >
> > > > So I tried:
> > > >
> > > >   $ sudo semanage fcontext -a -t lojban_logger_t '/srv/lojban/irclogs(/.*)?'
> > > >   ValueError: Type lojban_logger_t is invalid, must be a file or device type
> > > >
> > > > Uhh.
> > > >
> > > > I guess this means that the custom module's types can't be seen by
> > > > semanage?
> > > >
> > > > So, what's the correct solution here?
> > > >
> > >
> > > 1) Define a new type that is usable for log files in the .te
> > >
> > > type lojban_logger_log_t;
> > > logging_log_file(lojban_logger_log_t)
> > >
> > > 2) Add this label to the path in the .fc
> > >
> > > /srv/lojban/irclogs(/.*)?      system_u:object_r:lojban_logger_log_t:s0
> >
> > Unless I'm missing something, this won't help at all; the semanage
> > fcontext rule will win, and they'll end up with httpd_user_content_t
> > per the rule for /srv/lojban(/.*)? , because semanage fcontext rules
> > *always* win over module rules.
>
> Ah, I see what you're saying; that way at least I'd *have* a file
> type, that I could then add with semanage.  I'll try that, thanks.

So I did that, and now:

rlpowell at jukni> sudo semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs(/.*)?'
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
OSError: No such file or directory
rlpowell at jukni>

Here's the policy:

    policy_module(MYLOCAL_lojbanlogger, 1.6.0)
    
    ########################################
    #
    # Declarations
    #
    
    type lojban_logger_t;
    type lojban_logger_logs_t;
    type lojban_logger_exec_t;
    
    gen_require(`
      type httpd_t;
      type setfiles_t;
      type unconfined_t;
      type staff_t;
    ')
    
    #============= lojban_logger_t ==============
    
    manage_dirs_pattern(   lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t)
    manage_files_pattern(  lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t)
    
    # lojban_logger_t is a process domain; lojban_logger_exec_t is the
    # executable file type that is its entrypoint
    application_domain( lojban_logger_t, lojban_logger_exec_t )
    
    # Log file type: gets the file_type and logfile attributes, so it is
    # usable as an fcontext target
    logging_log_file(lojban_logger_logs_t)
    
    # Be an init/systemd daemon
    init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)
    
    # connect to ircd
    corenet_tcp_connect_ircd_port(lojban_logger_t)
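The precedence problem in this thread, as an added example (not code from the mail, from libselinux or from semanage): a small Python model of how a path gets its file context and why the local semanage rule for /srv/lojban(/.*)? beats the module's irclogs rule. It assumes the libselinux rule of the time, where file_contexts (built from the loaded modules' .fc files) is read first, file_contexts.local (what `semanage fcontext -a` writes) is appended after it, and the last matching spec wins; newer libselinux sorts specs by specificity instead. The spec files, the set of types carrying the file_type attribute, and the helper names resolve(), is_file_type() and fcontext_add() are all constructed for the example.

```python
"""Model of how a path gets its SELinux file context.

Added example for this thread; not code from the mail, from libselinux or
from semanage.  Assumption: file_contexts (module .fc rules) is read first,
file_contexts.local (semanage fcontext -a rules) is appended after it, and
the *last* matching spec wins.  Spec files and the file_type set below are
constructed for the example.
"""
import re

# Constructed file_contexts: the irclogs line is the one the custom
# module's .fc contributes.
FILE_CONTEXTS = """\
/.*                          system_u:object_r:default_t:s0
/srv(/.*)?                   system_u:object_r:var_t:s0
/srv/lojban/irclogs(/.*)?    system_u:object_r:lojban_logger_logs_t:s0
"""

# Constructed file_contexts.local after the two semanage rules from the thread.
FILE_CONTEXTS_LOCAL = """\
/srv/lojban                  system_u:object_r:httpd_user_content_t:s0
/srv/lojban(/.*)?            system_u:object_r:httpd_user_content_t:s0
"""

# Constructed: types that carry the file_type attribute in the loaded policy.
# application_domain() gives it to the _exec_t type and logging_log_file()
# to the log type; a process domain such as lojban_logger_t never has it.
FILE_TYPES = {"default_t", "var_t", "httpd_user_content_t",
              "lojban_logger_exec_t", "lojban_logger_logs_t"}


def parse_specs(text):
    """Parse 'regex [-type] context' lines into (compiled regex, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) not in (2, 3):
            raise ValueError("bad spec line: %r" % line)
        regex, context = parts[0], parts[-1]
        # libselinux anchors every spec at both ends of the path
        specs.append((re.compile("^" + regex + "$"), context))
    return specs


def match_context(path, *spec_texts):
    """Concatenate the spec files in the order given and return the context
    of the last spec that matches path (None if nothing matches)."""
    specs = []
    for text in spec_texts:
        specs.extend(parse_specs(text))
    for regex, context in reversed(specs):
        if regex.match(path):
            return context
    return None


def resolve(path, local_extra=""):
    """Type field of the context path gets, with the local file (plus any
    extra local rules) read after, and therefore overriding, the module rules."""
    context = match_context(path, FILE_CONTEXTS, FILE_CONTEXTS_LOCAL + local_extra)
    return context.split(":")[2] if context else None


def is_file_type(selinux_type):
    """semanage's check: an fcontext target must be a file (or device) type."""
    return selinux_type in FILE_TYPES


def fcontext_add(local_text, path_regex, selinux_type):
    """Model of `semanage fcontext -a -t TYPE REGEX`: reject non-file types
    with semanage's message, otherwise append the rule to the local file."""
    if not is_file_type(selinux_type):
        raise ValueError("Type %s is invalid, must be a file or device type" % selinux_type)
    return local_text + "%s    system_u:object_r:%s:s0\n" % (path_regex, selinux_type)


if __name__ == "__main__":
    log = "/srv/lojban/irclogs/2015-07-28.log"
    print("module rule only:", resolve(log))          # httpd_user_content_t
    fixed = fcontext_add("", "/srv/lojban/irclogs(/.*)?", "lojban_logger_logs_t")
    print("after local rule:", resolve(log, fixed))   # lojban_logger_logs_t
```

Run as a script it prints the two resolutions: with only the module's .fc rule the log file lands on httpd_user_content_t because the later local /srv/lojban(/.*)? spec wins, and once an equally local irclogs rule is appended it lands on lojban_logger_logs_t. fcontext_add() also shows why the very first attempt failed: lojban_logger_t is a domain, not a file type, so it is rejected before anything is written.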

