So I have a custom module that includes:
    type lojban_logger_t;
    type lojban_logger_exec_t;

    application_domain( lojban_logger_t, lojban_logger_exec_t)
    init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)
(not sure if those are redundant?) and:
/srv/lojban/irclogs(/.*)? system_u:object_r:lojban_logger_t:s0
I've made a variety of changes with "semodule fcontext", including:
    /srv/lojban system_u:object_r:httpd_user_content_t:s0
    /srv/lojban(/.*)? system_u:object_r:httpd_user_content_t:s0
As a result, the changes in my module are ignored, and the files end up with httpd_user_content_t
So I tried:
    $ sudo semanage fcontext -a -t lojban_logger_t '/srv/lojban/irclogs(/.*)?'
    ValueError: Type lojban_logger_t is invalid, must be a file or device type
Uhh.
I guess this means that the custom module's types can't be seen by semanage?
So, what's the correct solution here?
----- Original Message -----
From: "Robin Lee Powell" rlpowell@digitalkingdom.org
To: selinux@lists.fedoraproject.org
Sent: Monday, July 27, 2015 6:05:51 PM
Subject: Conflict between local module and local fcontext
1) Define a new type that is usable for log files in the .te
    type logjban_logger_log_t;
    logging_log_type(logjban_logger_log_t)
2) Add this label to the path in the .fc
/srv/lojban/irclogs(/.*)? system_u:object_r:logjban_logger_log_t:s0
--
http://intelligence.org/ : Our last, best hope for a fantastic future.
.i ko na cpedu lo nu stidi vau loi jbopre .i dafsku lu na go'i li'u .e lu go'i li'u .i ji'a go'i lu na'e go'i li'u .e lu go'i na'i li'u .e lu no'e go'i li'u .e lu to'e go'i li'u .e lu lo mamta be do cu sofybakni li'u
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
On Mon, Jul 27, 2015 at 07:45:11PM -0400, Simon Sekidde wrote:
> 1) Define a new type that is usable for log files in the .te
>
>     type logjban_logger_log_t;
>     logging_log_type(logjban_logger_log_t)
>
> 2) Add this label to the path in the .fc
>
>     /srv/lojban/irclogs(/.*)? system_u:object_r:logjban_logger_log_t:s0
Unless I'm missing something, this won't help at all; the semanage fcontext rule will win, and they'll end up with httpd_user_content_t per the rule for /srv/lojban(/.*)?, because semanage fcontext rules *always* win over module rules.
On Mon, Jul 27, 2015 at 08:29:29PM -0700, Robin Lee Powell wrote:
> Unless I'm missing something, this won't help at all; the semanage fcontext rule will win, and they'll end up with httpd_user_content_t per the rule for /srv/lojban(/.*)?, because semanage fcontext rules *always* win over module rules.
Ah, I see what you're saying; that way at least I'd *have* a file type, that I could then add with semanage. I'll try that, thanks.
On Tue, Jul 28, 2015 at 12:07:51AM -0700, Robin Lee Powell wrote:
> Ah, I see what you're saying; that way at least I'd *have* a file type, that I could then add with semanage. I'll try that, thanks.
So I did that, and now:
    rlpowell@jukni> sudo semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs(/.*)?'
    libsemanage.dbase_llist_query: could not query record value (No such file or directory).
    OSError: No such file or directory
    rlpowell@jukni>
Here's the policy:
policy_module(MYLOCAL_lojbanlogger, 1.6.0)

########################################
#
# Declarations
#

type lojban_logger_t;
type lojban_logger_logs_t;
type lojban_logger_exec_t;

gen_require(`
        type httpd_t;
        type setfiles_t;
        type unconfined_t;
        type staff_t;
')

#============= lojban_logger_t ==============

manage_dirs_pattern( lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t)
manage_files_pattern( lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t)

# Be a file type and a domain
application_domain( lojban_logger_t, lojban_logger_exec_t )

# File type
logging_log_file(lojban_logger_logs_t)

# Be an init/systemd daemon
init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)

# connect to ircd
corenet_tcp_connect_ircd_port(lojban_logger_t)
Hi Robin,

Could you attach output of:

    $ rpm -q selinux-policy
    $ rpm -q policycoreutils

Thank you!
On 07/29/2015 09:03 AM, Robin Lee Powell wrote:
    rlpowell@jukni> rpm -q selinux-policy
    selinux-policy-3.13.1-128.1.fc22.noarch
    rlpowell@jukni> rpm -q policycoreutils
    policycoreutils-2.3-16.fc22.x86_64
    rlpowell@jukni>
On Wed, Jul 29, 2015 at 09:59:43AM +0200, Lukas Vrabec wrote:
> Hi Robin,
>
> Could you attach output of:
>
>     $ rpm -q selinux-policy
>     $ rpm -q policycoreutils
>
> Thank you!
>
> --
> Lukas Vrabec
> SELinux Solutions
> Red Hat, Inc.
Please could you update the selinux-policy package and try it again? I tried to reproduce it and I cannot see your issue.
On 07/29/2015 10:01 AM, Robin Lee Powell wrote:
>     rlpowell@jukni> rpm -q selinux-policy
>     selinux-policy-3.13.1-128.1.fc22.noarch
>     rlpowell@jukni> rpm -q policycoreutils
>     policycoreutils-2.3-16.fc22.x86_64
>     rlpowell@jukni>
    rlpowell@jukni> rpm -q policycoreutils
    policycoreutils-2.3-17.fc22.x86_64
    rlpowell@jukni> rpm -q selinux-policy
    selinux-policy-3.13.1-128.6.fc22.noarch
    rlpowell@jukni> sudo semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs(/.*)?'
    libsemanage.dbase_llist_query: could not query record value (No such file or directory).
    OSError: No such file or directory
    rlpowell@jukni>
I've got other local mods installed, but I don't know how any of them could be relevant.
What does that error even *mean*?
On Wed, Jul 29, 2015 at 10:32:25AM +0200, Lukas Vrabec wrote:
> Please could you update the selinux-policy package and try it again? I tried to reproduce it and I cannot see your issue.
I removed this line:
    /srv/lojban/irclogs(/.*)? system_u:object_r:lojban_logger_logs_t:s0

from the module's .fc file, since that was the only other use of lojban_logger_logs_t, and that line was non-functional as previously described, and now the fcontext command works.
Yay!, but I don't get it at all.
On Wed, Jul 29, 2015 at 03:24:50AM -0700, Robin Lee Powell wrote:
> I've got other local mods installed, but I don't know how any of them could be relevant.
>
> What does that error even *mean*?
----- Original Message -----
From: "Robin Lee Powell" rlpowell@digitalkingdom.org
To: "Lukas Vrabec" lvrabec@redhat.com, selinux@lists.fedoraproject.org
Sent: Wednesday, July 29, 2015 6:29:16 AM
Subject: Re: [selinux] Re: Conflict between local module and local fcontext
> I removed this line:
>
>     /srv/lojban/irclogs(/.*)? system_u:object_r:lojban_logger_logs_t:s0
>
> from the module's .fc file, since that was the only other use of lojban_logger_logs_t, and that line was non-functional as previously described, and now the fcontext command works.
>
> Yay!, but I don't get it at all.
The purpose of that line in the .fc is to have you avoid running `semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs(/.*)?'` since the label for all files in that path dir has been predefined.
On Wed, Jul 29, 2015 at 03:24:50AM -0700, Robin Lee Powell wrote:
rlpowell@jukni> rpm -q policycoreutils policycoreutils-2.3-17.fc22.x86_64 rlpowell@jukni> rpm -q selinux-policy selinux-policy-3.13.1-128.6.fc22.noarch rlpowell@jukni> sudo semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs(/.*)?' libsemanage.dbase_llist_query: could not query record value (No such file or directory). OSError: No such file or directory rlpowell@jukni>
I've got other local mods installed, but I don't know how any of them could be relevant.
What does that error even *mean*?
On Wed, Jul 29, 2015 at 10:32:25AM +0200, Lukas Vrabec wrote:
Please could you update selinux-policy package and try it again? I tried reproduce it and I cannot see your issue.
On 07/29/2015 10:01 AM, Robin Lee Powell wrote:
rlpowell@jukni> rpm -q selinux-policy selinux-policy-3.13.1-128.1.fc22.noarch rlpowell@jukni> rpm -q policycoreutils policycoreutils-2.3-16.fc22.x86_64 rlpowell@jukni>
On Wed, Jul 29, 2015 at 09:59:43AM +0200, Lukas Vrabec wrote:
Hi Robin, Could you attach output of: $ rpm -q selinux-policy $ rpm -q policycoreutils
Thank you!
On 07/29/2015 09:03 AM, Robin Lee Powell wrote:
On Tue, Jul 28, 2015 at 12:07:51AM -0700, Robin Lee Powell wrote: >On Mon, Jul 27, 2015 at 08:29:29PM -0700, Robin Lee Powell wrote: >>On Mon, Jul 27, 2015 at 07:45:11PM -0400, Simon Sekidde wrote: >>>----- Original Message ----- >>>>From: "Robin Lee Powell" rlpowell@digitalkingdom.org >>>>To: selinux@lists.fedoraproject.org >>>>Sent: Monday, July 27, 2015 6:05:51 PM >>>>Subject: Conflict between local module and local fcontext >>>> >>>> >>>>So I have a custom module that includes: >>>> >>>> type lojban_logger_t; >>>> type lojban_logger_exec_t; >>>> >>>> application_domain( lojban_logger_t, lojban_logger_exec_t) >>>> init_daemon_domain(lojban_logger_t, lojban_logger_exec_t) >>>> >>>>(not sure if those are redundant?) and: >>>> >>>> /srv/lojban/irclogs(/.*)? >>>> system_u:object_r:lojban_logger_t:s0 >>>> >>>>I've made a variety of changes with "semodule fcontext", >>>>including: >>>> >>>> /srv/lojban system_u:object_r:httpd_user_content_t:s0 >>>> /srv/lojban(/.*)? system_u:object_r:httpd_user_content_t:s0 >>>> >>>>As a result, the changes in my module are ignored, and the files >>>>end up with httpd_user_content_t >>>> >>>>So I tried: >>>> >>>> $ sudo semanage fcontext -a -t lojban_logger_t >>>> '/srv/lojban/irclogs(/.*)?' >>>> ValueError: Type lojban_logger_t is invalid, must be a file or >>>> device type >>>> >>>>Uhh. >>>> >>>>I guess this means that the custom module's types can't be seen by >>>>semanage? >>>> >>>>So, what's the correct solution here? >>>> >>>1) Define a new type that is usable for log files in the .te >>> >>>type logjban_logger_log_t; >>>logging_log_type(logjban_logger_log_t) >>> >>>2) Add this label to the path in the .fc >>> >>>/srv/lojban/irclogs(/.*)? >>>system_u:object_r:logjban_logger_log_t:s0 >>Unless I'm missing something, this won't help at all; the semanage >>fcontext rule will win, and they'll end up with httpd_user_content_t >>per the rule for /srv/lojban(/.*)? , because semanage fcontext rules >>*always* win over module rules. 
> Ah, I see what you're saying; that way at least I'd *have* a file
> type, that I could then add with semanage.  I'll try that, thanks.

So I did that, and now:

  rlpowell@jukni> sudo semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs(/.*)?'
  libsemanage.dbase_llist_query: could not query record value (No such file or directory).
  OSError: No such file or directory
  rlpowell@jukni>
Here's the policy:
  policy_module(MYLOCAL_lojbanlogger, 1.6.0)

  ########################################
  #
  # Declarations
  #

  type lojban_logger_t;
  type lojban_logger_logs_t;
  type lojban_logger_exec_t;

  gen_require(`
          type httpd_t;
          type setfiles_t;
          type unconfined_t;
          type staff_t;
  ')

  #============= lojban_logger_t ==============
  manage_dirs_pattern( lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t)
  manage_files_pattern( lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t)

  # Be a file type and a domain
  application_domain( lojban_logger_t, lojban_logger_exec_t )

  # File type
  logging_log_file(lojban_logger_logs_t)

  # Be an init/systemd daemon
  init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)

  # connect to ircd
  corenet_tcp_connect_ircd_port(lojban_logger_t)
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
--
http://intelligence.org/ :  Our last, best hope for a fantastic future.
.i ko na cpedu lo nu stidi vau loi jbopre .i dafsku lu na go'i li'u .e
lu go'i li'u .i ji'a go'i lu na'e go'i li'u .e lu go'i na'i li'u .e lu
no'e go'i li'u .e lu to'e go'i li'u .e lu lo mamta be do cu sofybakni li'u
On Wed, Jul 29, 2015 at 06:45:22AM -0400, Simon Sekidde wrote:
> ----- Original Message -----
>> From: "Robin Lee Powell" rlpowell@digitalkingdom.org
>> To: "Lukas Vrabec" lvrabec@redhat.com, selinux@lists.fedoraproject.org
>> Sent: Wednesday, July 29, 2015 6:29:16 AM
>> Subject: Re: [selinux] Re: Conflict between local module and local fcontext
>>
>> I removed this line:
>>
>>   /srv/lojban/irclogs(/.*)?  system_u:object_r:lojban_logger_logs_t:s0
>>
>> from the module's .fc file, since that was the only other use of
>> lojban_logger_logs_t, and that line was non-functional as previously
>> described, and now the fcontext command works.
>>
>> Yay!, but I don't get it at all.
>
> The purpose of that line in the .fc is to have you avoid running
> `semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs(/.*)?'`
> since the label for all files in that path dir has been predefined.
Yes, but:
1. it *doesn't work*, because I have an fcontext rule for
   /srv/lojban(/.*)? that wins over the module in all cases

2. why does the fcontext command abort with:

     libsemanage.dbase_llist_query: could not query record value (No such file or directory).
     OSError: No such file or directory

   when that .fc line exists?, especially when the .fc line doesn't even *do* anything?
It's #2 that I don't get. Seems like a bug to me? At the very least, the error message is not helpful.
On 07/29/2015 07:39 PM, Robin Lee Powell wrote:
The message is not helpful indeed. The problem seems to be that you try to add the same rule via semanage as you have already defined in .fc file.
You could try to use slightly different specified rules to overwrite your local modification:
  # matchpathcon /srv/lojban/irclogs/a
  /srv/lojban/irclogs/a    system_u:object_r:lojban_logger_logs_t:s0

  # semanage fcontext -a -t httpd_user_content_t '/srv/lojban(/.*)?'
  # matchpathcon /srv/lojban/irclogs{,/a}
  /srv/lojban/irclogs      system_u:object_r:httpd_user_content_t:s0
  /srv/lojban/irclogs/a    system_u:object_r:httpd_user_content_t:s0

  # semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs'
  # matchpathcon /srv/lojban/irclogs{,/a}
  /srv/lojban/irclogs      system_u:object_r:lojban_logger_logs_t:s0
  /srv/lojban/irclogs/a    system_u:object_r:httpd_user_content_t:s0

  # semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs/(.*)'
  # matchpathcon /srv/lojban/irclogs{,/a}
  /srv/lojban/irclogs      system_u:object_r:lojban_logger_logs_t:s0
  /srv/lojban/irclogs/a    system_u:object_r:lojban_logger_logs_t:s0
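The precedence behind that session, written out as an added example (not code from the thread or from libselinux): a small model in which local `semanage fcontext` rules always beat module `.fc` rules and, within one set, the rule with the longest literal path prefix wins. The model is an assumption that reproduces the matchpathcon output above, not libselinux's actual matching code; it replays the same four steps and returns the context each probed path would get.

```python
import re

# Constructed example: a toy model of how a path gets its file context when a
# policy module's .fc rules and local `semanage fcontext -a` rules
# (file_contexts.local) both match. It reproduces the precedence the
# matchpathcon output above shows; it is NOT libselinux's real matching code.
META = re.compile(r'[.^$?*+|()\[\]{}\\]')

def stem_len(regex):
    """Length of the literal prefix before the first regex metacharacter."""
    m = META.search(regex)
    return m.start() if m else len(regex)

class FcontextTable:
    def __init__(self):
        # 'module': rules from the .fc file; 'local': rules added with semanage
        self.rules = {'module': [], 'local': []}

    def add(self, where, regex, context):
        order = len(self.rules[where])  # later additions win ties
        # file_contexts regexes are implicitly anchored at both ends
        self.rules[where].append(
            (stem_len(regex), order, re.compile('^' + regex + '$'), context))

    def matchpathcon(self, path):
        # Modelled precedence: any matching local rule beats any module rule;
        # within one set the longest literal stem wins, then the newest rule.
        for where in ('local', 'module'):
            hits = [r for r in self.rules[where] if r[2].match(path)]
            if hits:
                return max(hits, key=lambda r: (r[0], r[1]))[3]
        return '<<none>>'

LOGS = 'system_u:object_r:lojban_logger_logs_t:s0'
HTTPD = 'system_u:object_r:httpd_user_content_t:s0'

def replay_thread_session():
    """Replay the semanage/matchpathcon sequence from the message above;
    returns the context of both probed paths after each step."""
    t = FcontextTable()
    paths = ('/srv/lojban/irclogs', '/srv/lojban/irclogs/a')
    t.add('module', r'/srv/lojban/irclogs(/.*)?', LOGS)  # the module's .fc rule
    steps = [tuple(t.matchpathcon(p) for p in paths)]
    # the broad local rule from the original report: it beats the module rule
    t.add('local', r'/srv/lojban(/.*)?', HTTPD)
    steps.append(tuple(t.matchpathcon(p) for p in paths))
    # more specific local rules take the directory back, then its contents
    t.add('local', r'/srv/lojban/irclogs', LOGS)
    steps.append(tuple(t.matchpathcon(p) for p in paths))
    t.add('local', r'/srv/lojban/irclogs/(.*)', LOGS)
    steps.append(tuple(t.matchpathcon(p) for p in paths))
    return steps
```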
On Thu, Jul 30, 2015 at 12:07:03PM +0200, Petr Lautrbach wrote:
OK, thanks.