Fedora 21, unable to add new file context

Miroslav Grepl mgrepl at redhat.com
Mon Mar 9 14:33:24 UTC 2015


On 03/07/2015 08:50 PM, Mark Montague wrote:
> Fedora 21 with selinux-policy-targeted-3.13.1-105.3
>
> I've installed a local policy for PHP-FPM based off of 
> https://github.com/prometheanfire/selinux-modules which defines 
> several new types (to avoid conflicting with httpd_t type aliases in 
> Fedora).  I can't include everything in the .fc file for the local 
> policy because I need to change the file contexts defined in other 
> modules, so I set local contexts using semanage.  This was working 
> fine in Fedora 20, but here is what happens in Fedora 21:
>
> [root at ice ~]# semanage fcontext -a -t phpfcgi_exec_t 
> /usr/sbin/php-fpm  # this works fine
> [root at ice ~]# semanage fcontext -a -t phpfcgi_var_run_t 
> "/var/run/php-fpm(/.*)?"  # fails
> libsemanage.dbase_llist_query: could not query record value (No such 
> file or directory).
> OSError: No such file or directory
> [root at ice ~]# semanage fcontext -a -t phpfcgi_var_run_t 
> "/var/run/php-fpm"  # but this works
> [root at ice ~]#
>
> Does anyone have any idea why the first and third commands above work, 
> but the second one no longer works under Fedora 21?  The error message 
> isn't very helpful.  I've searched the web and looked at the 
> libsemanage source code, but neither was helpful. I've also run strace 
> on the commands that succeed and compared the output to running strace 
> on the command that failed, but I don't see any system calls that shed 
> light on the problem (including nothing just prior to the write() 
> calls for the error message that returns ENOENT).
>
> Here is some additional information.  Note that I can add file context 
> patterns very similar to the one that is failing above without any 
> problems, such as "fcontext -a -f a -t selinux_config_t 
> '/var/lib/config(/.*)?'"
>
> [root at ice ~]# ls -ldZ /var/run/php-fpm
> drwxr-xr-x. root root system_u:object_r:httpd_var_run_t:s0 
> /var/run/php-fpm
> [root at ice ~]# semanage export
> boolean -D
> login -D
> interface -D
> user -D
> port -D
> node -D
> fcontext -D
> module -D
> boolean -m -0 abrt_upload_watch_anon_write
> boolean -m -0 auditadm_exec_content
> boolean -m -0 boinc_execmem
> boolean -m -0 cron_userdomain_transition
> boolean -m -1 daemons_dump_core
> boolean -m -0 dbadm_exec_content
> boolean -m -1 deny_execmem
> boolean -m -1 deny_ptrace
> boolean -m -0 entropyd_use_audio
> boolean -m -0 gluster_export_all_rw
> boolean -m -0 gssd_read_tmp
> boolean -m -0 guest_exec_content
> boolean -m -0 httpd_builtin_scripting
> boolean -m -1 httpd_can_network_connect
> boolean -m -0 kerberos_enabled
> boolean -m -0 logadm_exec_content
> boolean -m -0 logging_syslogd_use_tty
> boolean -m -0 nfs_export_all_ro
> boolean -m -0 nfs_export_all_rw
> boolean -m -0 openvpn_can_network_connect
> boolean -m -0 openvpn_enable_homedirs
> boolean -m -1 polyinstantiation_enabled
> boolean -m -0 postfix_local_write_mail_spool
> boolean -m -0 postgresql_selinux_unconfined_dbadm
> boolean -m -0 postgresql_selinux_users_ddl
> boolean -m -0 privoxy_connect_any
> boolean -m -0 secadm_exec_content
> boolean -m -0 selinuxuser_direct_dri_enabled
> boolean -m -0 selinuxuser_execmod
> boolean -m -0 selinuxuser_execstack
> boolean -m -0 spamd_enable_home_dirs
> boolean -m -0 squid_connect_any
> boolean -m -0 telepathy_tcp_connect_generic_network_ports
> boolean -m -0 unconfined_chrome_sandbox_transition
> boolean -m -0 unconfined_login
> boolean -m -0 unconfined_mozilla_plugin_transition
> boolean -m -0 virt_use_usb
> boolean -m -0 xend_run_blktap
> boolean -m -0 xend_run_qemu
> boolean -m -0 xguest_connect_network
> boolean -m -0 xguest_exec_content
> boolean -m -0 xguest_mount_media
> boolean -m -0 xguest_use_bluetooth
> login -a -s guest_u -r 's0' __default__
> login -a -s staff_u -r 's0' markmont
> login -a -s unconfined_u -r 's0-s0:c0.c1023' root
> login -a -s system_u -r 's0-s0:c0.c1023' system_u
> user -a -L s0 -r s0-s0:c0.c1023 -R 'staff_r unconfined_r system_r' 
> staff_u
> fcontext -a -f a -t iptables_exec_t '/etc/systemd/ipset'
> fcontext -a -f a -t initrc_exec_t '/etc/systemd/selinux-lockdown'
> fcontext -a -f a -t tmp_t '/tmp/tmp-inst'
> fcontext -a -f a -t selinux_config_t '/var/lib/config(/.*)?'
> fcontext -a -f a -t tmp_t '/var/tmp/tmp-inst'
> module -d permissivedomains
> module -d unconfined
> module -d unlabelednet
> [root at ice ~]#
>
Could you please open a new bug against libsemanage for now?

Thank you.
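To make concrete what the poster loses by falling back from `/var/run/php-fpm(/.*)?` to the plain path, here is an added example (not from the thread) that parses fcontext records in the `semanage export` form shown above and resolves a path against them. It models the lookup simply as "last matching anchored regex wins" (local rules are appended after the policy rules); the `httpd_var_run_t` policy rule is an assumption inferred from the `ls -ldZ` output.

```python
import re
from dataclasses import dataclass

@dataclass
class FcontextRule:
    ftype: str    # semanage -f letter: a=all, d=directory, f=regular file, s=socket
    setype: str
    regex: re.Pattern

# One fcontext record in `semanage export` form; -f is optional (default: all)
FCONTEXT_LINE = re.compile(
    r"^fcontext -a(?: -f (?P<ftype>[a-z]))? -t (?P<setype>\w+) '(?P<pattern>[^']+)'$")

def parse_fcontext_rules(export_text):
    """Keep only fcontext records; boolean/login/user/module lines are skipped."""
    rules = []
    for line in export_text.splitlines():
        m = FCONTEXT_LINE.match(line.strip())
        if m:
            rules.append(FcontextRule(m.group("ftype") or "a", m.group("setype"),
                                      re.compile(m.group("pattern"))))
    return rules

def resolve_type(path, rules, ftype="f"):
    """Type of the last rule whose anchored regex matches path, or None."""
    setype = None
    for rule in rules:                       # later rules override earlier ones
        if rule.ftype in ("a", ftype) and rule.regex.fullmatch(path):
            setype = rule.setype
    return setype

# Constructed input: an assumed policy rule matching the poster's `ls -ldZ`
# output, two local rules from the post, and the plain path semanage accepted.
POLICY_RULES = "fcontext -a -f a -t httpd_var_run_t '/var/run/php-fpm(/.*)?'\n"
LOCAL_RULES = """\
fcontext -a -f a -t selinux_config_t '/var/lib/config(/.*)?'
fcontext -a -f a -t phpfcgi_exec_t '/usr/sbin/php-fpm'
fcontext -a -f a -t phpfcgi_var_run_t '/var/run/php-fpm'
"""
# The regex form the poster wanted, which semanage rejected on Fedora 21.
WANTED_RULE = "fcontext -a -f a -t phpfcgi_var_run_t '/var/run/php-fpm(/.*)?'\n"

def php_fpm_labels(extra_rules=""):
    """Label the php-fpm directory and a socket inside it under the given rules."""
    rules = parse_fcontext_rules(POLICY_RULES + LOCAL_RULES + extra_rules)
    return {"/var/run/php-fpm": resolve_type("/var/run/php-fpm", rules, "d"),
            "/var/run/php-fpm/www.sock": resolve_type("/var/run/php-fpm/www.sock", rules, "s")}
```

With only the plain-path rule the directory itself gets `phpfcgi_var_run_t` but a socket created inside it still resolves to the policy's `httpd_var_run_t`; appending the regex rule relabels both.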

