On Wed, Apr 07, 2010 at 10:23:24PM +0100, Arthur Dent wrote:
On Wed, 2010-04-07 at 23:01 +0200, Dominick Grift wrote:
> On Wed, Apr 07, 2010 at 09:51:24PM +0100, Arthur Dent wrote:
> > On Wed, 2010-04-07 at 22:26 +0200, Dominick Grift wrote:
> > > On Wed, Apr 07, 2010 at 08:02:21PM +0100, Arthur Dent wrote:
> > > > On Wed, 2010-04-07 at 18:45 +0200, Dominick Grift wrote:
> > > > > On Wed, Apr 07, 2010 at 03:23:55PM +0100, Arthur Dent wrote:
> > > > > > Hello all,
> > > > > >
> > > > > >
> > > > Have I missed something or misunderstood something?
> > >
> > > Yes it seems that the domain transition did not happen. Are the modules installed:
> > >
> > > semodule -l | grep myapache
> > > semodule -l | grep mlogc
> >
> > # semodule -l | grep myapache
> > myapache 1.0.0
> >
> > # semodule -l | grep mlogc
> > mlogc 1.0.0
> >
> >
> > > Is the context of mlogc executable file proper?
> > >
> > > ls -alZ /usr/bin/mlogc
> >
> > # ls -alZ /usr/bin/mlogc
> > -rwxr-xr-x. root root system_u:object_r:mlogc_exec_t:s0 /usr/bin/mlogc
> >
> > > Something seems to have gone not as planned
> >
> > Well all of that seems OK - I'm not sure why it's not working?
> >
> > Thanks for your help so far though - it's much appreciated...
>
> You could try to remove the optional_policy(` tag and its closing ') tag, that might expose any errors if you build without those.
>
> Can you paste your modules? So that I can review them?
# cat mlogc.te
policy_module(mlogc, 1.0.0)
type mlogc_t;
type mlogc_exec_t;
application_domain(mlogc_t, mlogc_exec_t)
role system_r types mlogc_t;
permissive mlogc_t;
####################################################################
# cat mlogc.fc
/usr/bin/mlogc -- gen_context(system_u:object_r:mlogc_exec_t, s0)
####################################################################
# cat mlogc.if
## <summary>The ModSecurity Log Collector</summary>
########################################
## <summary>
## Execute MLOGC in the MLOGC domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mlogc_domtrans',`
	gen_require(`
		type mlogc_t, mlogc_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, mlogc_exec_t, mlogc_t)
')
####################################################################
# cat myapche.te
policy_module(myapache, 1.0.0)
optional_policy(`
	gen_require(`
		type httpd_t;
	')

	mlogc_domtrans(httpd_t)
')
####################################################################
Is that right?
Thanks again. I do appreciate your help.
Mark

Yes, looks fine. Try the following myapache.te instead:

policy_module(myapache, 1.0.0)

gen_require(`
	type httpd_t;
')

mlogc_domtrans(httpd_t)

Build, install:

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i *.pp
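
Added example, not part of the original thread or of the reference policy: a Python check that reads policy rules as text and lists what is still missing for httpd_t to enter mlogc_t automatically when it executes a file labelled mlogc_exec_t. It assumes rules in the `allow ...;` / `type_transition ...;` form that sesearch prints, naming the types directly rather than through attributes; the function names and both sample rule sets are constructed for illustration.

```python
import re

# Matches "allow src tgt:class perm;" or "allow src tgt:class { p1 p2 };"
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+?):(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;")
TRANS_RE = re.compile(r"^\s*type_transition\s+(\S+)\s+(\S+?):process\s+(\S+?)\s*;")

def parse_rules(text):
    """Return (allow, trans): allow maps (src, tgt, class) -> set of perms;
    trans is a set of (src, exec_type, new_domain) tuples."""
    allow, trans = {}, set()
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            perms = (m.group(4) or m.group(5)).split()
            allow.setdefault(m.group(1, 2, 3), set()).update(perms)
            continue
        m = TRANS_RE.match(line)
        if m:
            trans.add(m.groups())
    return allow, trans

def missing_for_domtrans(text, src, exec_type, dst):
    """List what is still missing for src to enter dst automatically
    when it executes a file labelled exec_type."""
    allow, trans = parse_rules(text)
    needed = [
        ((src, exec_type, "file"), "execute"),     # caller may run the file
        ((dst, exec_type, "file"), "entrypoint"),  # file may start the new domain
        ((src, dst, "process"), "transition"),     # caller may change domain
    ]
    missing = [f"allow {k[0]} {k[1]}:{k[2]} {p};"
               for k, p in needed if p not in allow.get(k, set())]
    if (src, exec_type, dst) not in trans:         # makes the transition automatic
        missing.append(f"type_transition {src} {exec_type}:process {dst};")
    return missing

# Constructed samples (not output captured from the poster's system).
LOADED = """\
allow httpd_t mlogc_exec_t:file { read getattr execute open };
allow mlogc_t mlogc_exec_t:file { read getattr execute entrypoint open };
allow httpd_t mlogc_t:process transition;
type_transition httpd_t mlogc_exec_t:process mlogc_t;
"""
# What remains if the myapache rules never made it into the loaded policy.
DROPPED = "allow mlogc_t mlogc_exec_t:file { read getattr execute entrypoint open };\n"

if __name__ == "__main__":
    for name, sample in (("loaded", LOADED), ("dropped", DROPPED)):
        print(name, missing_for_domtrans(sample, "httpd_t", "mlogc_exec_t", "mlogc_t"))
```

An empty list means all four rules are present; if the process still runs as httpd_t after that, the cause lies outside these rules.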