On Wed, 2010-04-07 at 23:01 +0200, Dominick Grift wrote:
> On Wed, Apr 07, 2010 at 09:51:24PM +0100, Arthur Dent wrote:
> > On Wed, 2010-04-07 at 22:26 +0200, Dominick Grift wrote:
> > > On Wed, Apr 07, 2010 at 08:02:21PM +0100, Arthur Dent wrote:
> > > > On Wed, 2010-04-07 at 18:45 +0200, Dominick Grift wrote:
> > > > > On Wed, Apr 07, 2010 at 03:23:55PM +0100, Arthur Dent wrote:
> > > > > > Hello all,
> > > > > >
> > > > > >
> > > > Have I missed something or misunderstood something?
> > >
> > > Yes it seems that the domain transition did not happen. Are the modules installed:
> > >
> > > semodule -l | grep myapache
> > > semodule -l | grep mlogc
> >
> > # semodule -l | grep myapache
> > myapache 1.0.0
> >
> > # semodule -l | grep mlogc
> > mlogc 1.0.0
> >
> >
> > > Is the context of mlogc executable file proper?
> > >
> > > ls -alZ /usr/bin/mlogc
> >
> > # ls -alZ /usr/bin/mlogc
> > -rwxr-xr-x. root root system_u:object_r:mlogc_exec_t:s0 /usr/bin/mlogc
> >
> > > Something seems to have gone not as planned
> >
> > Well all of that seems OK - I'm not sure why it's not working?
> >
> > Thanks for your help so far though - it's much appreciated...
>
> You could try to remove the optional_policy(` tag and its closing ') tag, that might
> expose any errors if you build without those.
>
> Can you paste your modules, so that I can review them?

# cat mlogc.te
policy_module(mlogc, 1.0.0)

type mlogc_t;
type mlogc_exec_t;
application_domain(mlogc_t, mlogc_exec_t)
role system_r types mlogc_t;

permissive mlogc_t;

####################################################################

# cat mlogc.fc
/usr/bin/mlogc -- gen_context(system_u:object_r:mlogc_exec_t, s0)

####################################################################

# cat mlogc.if
## <summary>The ModSecurity Log Collector</summary>

########################################
## <summary>
## Execute MLOGC in the MLOGC domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mlogc_domtrans',`
    gen_require(`
        type mlogc_t, mlogc_exec_t;
    ')

    corecmd_search_bin($1)
    domtrans_pattern($1, mlogc_exec_t, mlogc_t)
')

####################################################################

# cat myapche.te
policy_module(myapache, 1.0.0)

optional_policy(`
    gen_require(`
        type httpd_t;
    ')

    mlogc_domtrans(httpd_t)
')

####################################################################

Is that right?

Thanks again. I do appreciate your help.

Mark
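
Added example, not part of the original messages: an automatic transition from httpd_t to mlogc_t needs three allow rules (execute, transition, entrypoint) plus a type_transition rule, so a checker can report which of them a loaded policy lacks. The rule-text format, function names and both sample rule sets are constructed for illustration.

```python
import re

# Rule text in the form policy query tools such as sesearch print (assumed format).
# Only literal type names are matched; attributes are not expanded.
ALLOW = re.compile(
    r"^\s*allow\s+(\S+)\s+([^\s:]+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;", re.M)
TRANS = re.compile(
    r"^\s*type_transition\s+(\S+)\s+([^\s:]+)\s*:\s*(\S+)\s+(\S+?)\s*;", re.M)

def parse(text):
    """Return ({(source, target, class): perms}, {(source, exec_type, class, new_type)})."""
    allows = {}
    for src, tgt, cls, braced, single in ALLOW.findall(text):
        allows.setdefault((src, tgt, cls), set()).update((braced or single).split())
    return allows, set(TRANS.findall(text))

def missing_for_domtrans(text, source, exec_type, target):
    """List the rules an automatic source -> target transition still lacks."""
    allows, trans = parse(text)
    needed = [
        ("execute", (source, exec_type, "file")),     # caller may run the file
        ("transition", (source, target, "process")),  # caller may enter the domain
        ("entrypoint", (target, exec_type, "file")),  # file may start the domain
    ]
    missing = [f"allow {k[0]} {k[1]}:{k[2]} {perm};"
               for perm, k in needed if perm not in allows.get(k, set())]
    if (source, exec_type, "process", target) not in trans:
        missing.append(f"type_transition {source} {exec_type}:process {target};")
    return missing

# Constructed sample: every rule the transition needs is loaded.
FULL = """
allow httpd_t mlogc_exec_t:file { getattr open read execute };
allow httpd_t mlogc_t:process transition;
allow mlogc_t mlogc_exec_t:file entrypoint;
type_transition httpd_t mlogc_exec_t:process mlogc_t;
"""
# Constructed sample: only mlogc's own rules are loaded, none for httpd_t.
MLOGC_ONLY = """
allow mlogc_t mlogc_exec_t:file { entrypoint execute read };
"""

if __name__ == "__main__":
    for name, rules in (("FULL", FULL), ("MLOGC_ONLY", MLOGC_ONLY)):
        gaps = missing_for_domtrans(rules, "httpd_t", "mlogc_exec_t", "mlogc_t")
        print(name, "ok" if not gaps else "missing:\n  " + "\n  ".join(gaps))
```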