Hi Robin,
Could you attach the output of:
$ rpm -q selinux-policy
$ rpm -q policycoreutils
Thank you!
On 07/29/2015 09:03 AM, Robin Lee Powell wrote:
On Tue, Jul 28, 2015 at 12:07:51AM -0700, Robin Lee Powell wrote:
> On Mon, Jul 27, 2015 at 08:29:29PM -0700, Robin Lee Powell wrote:
>> On Mon, Jul 27, 2015 at 07:45:11PM -0400, Simon Sekidde wrote:
>>>
>>> ----- Original Message -----
>>>> From: "Robin Lee Powell" <rlpowell(a)digitalkingdom.org>
>>>> To: selinux(a)lists.fedoraproject.org
>>>> Sent: Monday, July 27, 2015 6:05:51 PM
>>>> Subject: Conflict between local module and local fcontext
>>>>
>>>>
>>>> So I have a custom module that includes:
>>>>
>>>> type lojban_logger_t;
>>>> type lojban_logger_exec_t;
>>>>
>>>> application_domain( lojban_logger_t, lojban_logger_exec_t)
>>>> init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)
>>>>
>>>> (not sure if those are redundant?) and:
>>>>
>>>> /srv/lojban/irclogs(/.*)? system_u:object_r:lojban_logger_t:s0
>>>>
>>>> I've made a variety of changes with "semodule fcontext", including:
>>>>
>>>> /srv/lojban system_u:object_r:httpd_user_content_t:s0
>>>> /srv/lojban(/.*)? system_u:object_r:httpd_user_content_t:s0
>>>>
>>>> As a result, the changes in my module are ignored, and the files
>>>> end up with httpd_user_content_t
>>>>
>>>> So I tried:
>>>>
>>>> $ sudo semanage fcontext -a -t lojban_logger_t '/srv/lojban/irclogs(/.*)?'
>>>> ValueError: Type lojban_logger_t is invalid, must be a file or device type
>>>>
>>>> Uhh.
>>>>
>>>> I guess this means that the custom module's types can't be seen by semanage?
>>>>
>>>> So, what's the correct solution here?
>>>>
>>> 1) Define a new type that is usable for log files in the .te
>>>
>>> type logjban_logger_log_t;
>>> logging_log_type(logjban_logger_log_t)
>>>
>>> 2) Add this label to the path in the .fc
>>>
>>> /srv/lojban/irclogs(/.*)? system_u:object_r:logjban_logger_log_t:s0
>> Unless I'm missing something, this won't help at all; the semanage
>> fcontext rule will win, and they'll end up with httpd_user_content_t
>> per the rule for /srv/lojban(/.*)? , because semanage fcontext rules
>> *always* win over module rules.
> Ah, I see what you're saying; that way at least I'd *have* a file
> type, that I could then add with semanage. I'll try that, thanks.
So I did that, and now:
rlpowell@jukni> sudo semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs(/.*)?'
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
OSError: No such file or directory
rlpowell@jukni>
Here's the policy:
policy_module(MYLOCAL_lojbanlogger, 1.6.0)
########################################
#
# Declarations
#
type lojban_logger_t;
type lojban_logger_logs_t;
type lojban_logger_exec_t;
gen_require(`
type httpd_t;
type setfiles_t;
type unconfined_t;
type staff_t;
')
#============= lojban_logger_t ==============
manage_dirs_pattern( lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t)
manage_files_pattern( lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t)
# Be a file type and a domain
application_domain( lojban_logger_t, lojban_logger_exec_t )
# File type
logging_log_file(lojban_logger_logs_t)
# Be an init/systemd daemon
init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)
# connect to ircd
corenet_tcp_connect_ircd_port(lojban_logger_t)
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
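The full build-and-label procedure the thread is circling around, written out as an added example (these are not Robin's files or anything posted to the list). It assumes a Fedora host with selinux-policy-devel (for /usr/share/selinux/devel/Makefile), policycoreutils with the semanage command, and setools (seinfo) installed; the module name, type names and path are taken from the thread, while the helper function names and the `run` argument are illustrative. The .te gives the log type the file_type attribute through logging_log_file(), which is the precondition behind the "must be a file or device type" ValueError, and the local semanage entry is added for the specific path because, as observed in the thread, the local /srv/lojban(/.*)? customisations overrode the module's own .fc line. It does not address the later libsemanage OSError, which the thread leaves open.

```shell
#!/bin/sh
# Added example, not files from the thread. Generates the .te/.fc pair for
# the lojban_logger module discussed above, builds and loads it, then adds
# the local fcontext for the log directory and relabels it.
# Assumptions (not stated on the page): Fedora with selinux-policy-devel,
# policycoreutils (semanage) and setools (seinfo) installed. Module, type
# and path names come from the thread; the function names are illustrative.
MODULE=MYLOCAL_lojbanlogger
LOG_T=lojban_logger_logs_t
LOG_PATH='/srv/lojban/irclogs(/.*)?'

# Write the policy sources into DIR. logging_log_file() gives LOG_T the
# logfile and file_type attributes; a type without file_type is exactly what
# semanage rejects with "must be a file or device type".
write_policy_sources() {
    dir=$1
    cat > "$dir/$MODULE.te" <<EOF
policy_module($MODULE, 1.6.0)

type lojban_logger_t;
type lojban_logger_exec_t;
type $LOG_T;

# Domain for the daemon, started by init/systemd
application_domain(lojban_logger_t, lojban_logger_exec_t)
init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)

# Log file type (logfile + file_type attributes)
logging_log_file($LOG_T)

# The daemon creates and manages its own log directory and files
manage_dirs_pattern(lojban_logger_t, $LOG_T, $LOG_T)
manage_files_pattern(lojban_logger_t, $LOG_T, $LOG_T)

# Talks to the IRC server
corenet_tcp_connect_ircd_port(lojban_logger_t)
EOF
    cat > "$dir/$MODULE.fc" <<EOF
$LOG_PATH system_u:object_r:$LOG_T:s0
EOF
}

# Build with the refpolicy devel Makefile and load the .pp into the policy.
build_and_install() {
    dir=$1
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    sudo semodule -i "$dir/$MODULE.pp"
}

# Precondition for semanage: the type must exist in the loaded policy and
# carry the file_type attribute.
check_log_type() {
    seinfo -t "$LOG_T" | grep -qw "$LOG_T" || return 1
    seinfo -afile_type -x | grep -qw "$LOG_T"
}

# The semanage (file_contexts.local) entries for /srv/lojban(/.*)? override
# the module's .fc line, as seen in the thread, so the more specific path is
# added as a local customisation as well, then the directory is relabelled.
label_log_dir() {
    sudo semanage fcontext -a -t "$LOG_T" "$LOG_PATH"
    sudo restorecon -RFv /srv/lojban/irclogs
    # Show the local rule, the computed context and the on-disk label
    sudo semanage fcontext -l -C | grep -F '/srv/lojban/irclogs'
    matchpathcon /srv/lojban/irclogs
    ls -dZ /srv/lojban/irclogs
}

# Only touch the system when invoked as: sh build-lojban-logger.sh run
if [ "${1:-}" = run ]; then
    workdir=$(mktemp -d)
    write_policy_sources "$workdir"
    build_and_install "$workdir"
    check_log_type || { echo "$LOG_T is not a file type in the loaded policy" >&2; exit 1; }
    label_log_dir
fi
```

The order matters: the module must be loaded before the semanage call, because semanage validates the -t argument against the types and attributes of the running policy, not against source files on disk.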