[selinux] Re: Conflict between local module and local fcontext

Lukas Vrabec lvrabec at redhat.com
Wed Jul 29 07:59:43 UTC 2015


Hi Robin,
Could you attach output of:
$ rpm -q selinux-policy
$ rpm -q policycoreutils

Thank you!

On 07/29/2015 09:03 AM, Robin Lee Powell wrote:
> On Tue, Jul 28, 2015 at 12:07:51AM -0700, Robin Lee Powell wrote:
>> On Mon, Jul 27, 2015 at 08:29:29PM -0700, Robin Lee Powell wrote:
>>> On Mon, Jul 27, 2015 at 07:45:11PM -0400, Simon Sekidde wrote:
>>>>
>>>> ----- Original Message -----
>>>>> From: "Robin Lee Powell" <rlpowell at digitalkingdom.org>
>>>>> To: selinux at lists.fedoraproject.org
>>>>> Sent: Monday, July 27, 2015 6:05:51 PM
>>>>> Subject: Conflict between local module and local fcontext
>>>>>
>>>>>
>>>>> So I have a custom module that includes:
>>>>>
>>>>>    type lojban_logger_t;
>>>>>    type lojban_logger_exec_t;
>>>>>
>>>>>    application_domain( lojban_logger_t, lojban_logger_exec_t)
>>>>>    init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)
>>>>>
>>>>> (not sure if those are redundant?) and:
>>>>>
>>>>>    /srv/lojban/irclogs(/.*)?      system_u:object_r:lojban_logger_t:s0
>>>>>
>>>>> I've made a variety of changes with "semodule fcontext", including:
>>>>>
>>>>>    /srv/lojban    system_u:object_r:httpd_user_content_t:s0
>>>>>    /srv/lojban(/.*)?    system_u:object_r:httpd_user_content_t:s0
>>>>>
>>>>> As a result, the changes in my module are ignored, and the files
>>>>> end up with httpd_user_content_t
>>>>>
>>>>> So I tried:
>>>>>
>>>>>    $ sudo semanage fcontext -a -t lojban_logger_t '/srv/lojban/irclogs(/.*)?'
>>>>>    ValueError: Type lojban_logger_t is invalid, must be a file or device type
>>>>>
>>>>> Uhh.
>>>>>
>>>>> I guess this means that the custom module's types can't be seen by
>>>>> semanage?
>>>>>
>>>>> So, what's the correct solution here?
>>>>>
>>>> 1) Define a new type that is usable for log files in the .te
>>>>
>>>> type logjban_logger_log_t;
>>>> logging_log_type(logjban_logger_log_t)
>>>>
>>>> 2) Add this label to the path in the .fc
>>>>
>>>> /srv/lojban/irclogs(/.*)?      system_u:object_r:logjban_logger_log_t:s0
>>> Unless I'm missing something, this won't help at all; the semanage
>>> fcontext rule will win, and they'll end up with httpd_user_content_t
>>> per the rule for /srv/lojban(/.*)? , because semanage fcontext rules
>>> *always* win over module rules.
>> Ah, I see what you're saying; that way at least I'd *have* a file
>> type, that I could then add with semanage.  I'll try that, thanks.
> So I did that, and now:
>
> rlpowell at jukni> sudo semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs(/.*)?'
> libsemanage.dbase_llist_query: could not query record value (No such file or directory).
> OSError: No such file or directory
> rlpowell at jukni>
>
> Here's the policy:
>
>      policy_module(MYLOCAL_lojbanlogger, 1.6.0)
>      
>      ########################################
>      #
>      # Declarations
>      #
>      
>      type lojban_logger_t;
>      type lojban_logger_logs_t;
>      type lojban_logger_exec_t;
>      
>      gen_require(`
>        type httpd_t;
>        type setfiles_t;
>        type unconfined_t;
>        type staff_t;
>      ')
>      
>      #============= lojban_logger_t ==============
>      
>      manage_dirs_pattern(   lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t)
>      manage_files_pattern(  lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t)
>      
>      # Be a file type and a domain
>      application_domain( lojban_logger_t, lojban_logger_exec_t )
>      
>      # File type
>      logging_log_file(lojban_logger_logs_t)
>      
>      # Be an init/systemd daemon
>      init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)
>      
>      # connect to ircd
>      corenet_tcp_connect_ircd_port(lojban_logger_t)
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-- 
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
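An added example, not from the thread and not Robin's module, of the pattern the replies converge on: declare the log location as a real file type with logging_log_file() so that "semanage fcontext -t" accepts it, build and load the module, add the local fcontext rule, and then check the result with seinfo, matchpathcon and "semanage fcontext -l -C" before relabelling. The module name lojban_logger, the daemon path /usr/local/bin/lojban-logger and the use of the selinux-policy-devel Makefile are assumptions; the "must be a file or device type" check that semanage makes corresponds to the file_type attribute, which is what the seinfo grep looks for.

```shell
#!/bin/sh
# Added example (not code from the thread): give the irclogs directory a
# type that semanage fcontext accepts, then inspect what the file-context
# database assigns to it.  Module name, daemon path and Makefile are assumptions.
set -eu

MODULE=lojban_logger
LOGDIR='/srv/lojban/irclogs'

# Write the .te and .fc sources for the module into the directory given as $1.
write_policy_sources() {
    dir=$1
    cat > "$dir/$MODULE.te" <<'EOF'
policy_module(lojban_logger, 1.0.0)

########################################
#
# Declarations
#

# init_daemon_domain() declares the domain and its entrypoint executable.
type lojban_logger_t;
type lojban_logger_exec_t;
init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)

# A real file type: logging_log_file() attaches the file_type and logfile
# attributes, which is what "semanage fcontext -t" checks for.
type lojban_logger_log_t;
logging_log_file(lojban_logger_log_t)

########################################
#
# Local policy
#

manage_dirs_pattern(lojban_logger_t, lojban_logger_log_t, lojban_logger_log_t)
manage_files_pattern(lojban_logger_t, lojban_logger_log_t, lojban_logger_log_t)

# connect to ircd
corenet_tcp_connect_ircd_port(lojban_logger_t)
EOF
    cat > "$dir/$MODULE.fc" <<'EOF'
# Assumed daemon path; adjust to the real binary.
/usr/local/bin/lojban-logger    --    gen_context(system_u:object_r:lojban_logger_exec_t,s0)
/srv/lojban/irclogs(/.*)?             gen_context(system_u:object_r:lojban_logger_log_t,s0)
EOF
}

# Build the module with the selinux-policy-devel Makefile and load it.
build_and_install() {
    dir=$1
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp")
    semodule -i "$dir/$MODULE.pp"
}

# Returns 0 when the loaded policy has type $1 carrying the file_type attribute,
# i.e. when semanage fcontext will accept it as a target type.
type_is_file_type() {
    seinfo -t "$1" -x 2>/dev/null | grep -qw file_type
}

# Show the label the file-context database assigns to a file under $LOGDIR
# before and after the local rule, without relabelling anything yet.
show_labels() {
    printf 'module .fc only:  '; matchpathcon "$LOGDIR/example.log"
    # -a fails with "already defined" if a local rule for this path exists; fall back to -m.
    semanage fcontext -a -t lojban_logger_log_t "$LOGDIR(/.*)?" \
        || semanage fcontext -m -t lojban_logger_log_t "$LOGDIR(/.*)?"
    printf 'with local rule:  '; matchpathcon "$LOGDIR/example.log"
    # local customisations only, the rules that live outside any module's .fc
    semanage fcontext -l -C
}

main() {
    tmp=$(mktemp -d)
    write_policy_sources "$tmp"
    build_and_install "$tmp"
    type_is_file_type lojban_logger_log_t || { echo "lojban_logger_log_t is not a file type" >&2; exit 1; }
    show_labels
    restorecon -Rv "$LOGDIR"
}

# The privileged part only runs when invoked as "sh lojban_logger.sh run";
# otherwise the script just defines the functions above.
if [ "${1:-}" = run ]; then main; fi
```

Run it as root on the target host with the "run" argument once selinux-policy-devel, policycoreutils and setools are installed. The matchpathcon lines are the quickest way to see which rule is applied to the path at the moment, and "semanage fcontext -l -C" lists exactly the local rules that Robin's earlier /srv/lojban(/.*)? entry belongs to, so a conflicting broader rule shows up there rather than in the module's .fc.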
