On Wed, Apr 07, 2010 at 10:23:24PM +0100, Arthur Dent wrote:
> On Wed, 2010-04-07 at 23:01 +0200, Dominick Grift wrote:
> > On Wed, Apr 07, 2010 at 09:51:24PM +0100, Arthur Dent wrote:
> > > On Wed, 2010-04-07 at 22:26 +0200, Dominick Grift wrote:
> > > > On Wed, Apr 07, 2010 at 08:02:21PM +0100, Arthur Dent wrote:
> > > > > On Wed, 2010-04-07 at 18:45 +0200, Dominick Grift wrote:
> > > > > > On Wed, Apr 07, 2010 at 03:23:55PM +0100, Arthur Dent wrote:
> > > > > > > Hello all,
> > > > > > >
> > > > >
> > > > > Have I missed something or misunderstood something?
> > > >
> > > > Yes, it seems that the domain transition did not happen. Are the modules installed:
> > > >
> > > > semodule -l | grep myapache
> > > > semodule -l | grep mlogc
> > >
> > > # semodule -l | grep myapache
> > > myapache 1.0.0
> > >
> > > # semodule -l | grep mlogc
> > > mlogc 1.0.0
> > >
> > > >
> > > > Is the context of mlogc executable file proper?
> > > >
> > > > ls -alZ /usr/bin/mlogc
> > >
> > > # ls -alZ /usr/bin/mlogc
> > > -rwxr-xr-x. root root system_u:object_r:mlogc_exec_t:s0 /usr/bin/mlogc
> > >
> > > > Something seems to have gone not as planned
> > >
> > > Well all of that seems OK - I'm not sure why it's not working?
> > >
> > > Thanks for your help so far though - it's much appreciated...
> >
> > You could try to remove the optional_policy(` tag and its closing ') tag, that might expose any errors if you build without those.
> >
> > Can you paste your modules, so that I can review them?
>
> # cat mlogc.te
> policy_module(mlogc, 1.0.0)
>
> type mlogc_t;
> type mlogc_exec_t;
> application_domain(mlogc_t, mlogc_exec_t)
>
> role system_r types mlogc_t;
> permissive mlogc_t;
>
> ####################################################################
>
> # cat mlogc.fc
> /usr/bin/mlogc -- gen_context(system_u:object_r:mlogc_exec_t, s0)
>
>
> ####################################################################
>
> # cat mlogc.if
> ## <summary>The ModSecurity Log Collector</summary>
>
> ########################################
> ## <summary>
> ##     Execute MLOGC in the MLOGC domain.
> ## </summary>
> ## <param name="domain">
> ##     <summary>
> ##     Domain allowed access.
> ##     </summary>
> ## </param>
> #
> interface(`mlogc_domtrans',`
>     gen_require(`
>         type mlogc_t, mlogc_exec_t;
>     ')
>
>     corecmd_search_bin($1)
>     domtrans_pattern($1, mlogc_exec_t, mlogc_t)
> ')
>
> ####################################################################
>
> # cat myapche.te
> policy_module(myapache, 1.0.0)
> optional_policy(`
>     gen_require(`
>         type httpd_t;
>     ')
>
>     mlogc_domtrans(httpd_t)
> ')
>
> ####################################################################
>
>
> Is that right?
>
> Thanks again. I do appreciate your help.
>
>
> Mark
>

Yes, looks fine. Try the following myapache.te instead:

policy_module(myapache, 1.0.0)

gen_require(`
    type httpd_t;
')

mlogc_domtrans(httpd_t)

build, install

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i *.pp

> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
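Added example, not part of the thread or of anyone's posted policy: the checks in the message above (semodule -l, ls -alZ) confirm that the modules are listed and the file is labelled, but not that the rules an automatic httpd_t to mlogc_t transition depends on are present in the loaded policy. The sketch below asks sesearch for each of them; it assumes setools is installed, and the function names has_allow, has_default and check_domtrans are hypothetical.

```sh
#!/bin/sh
# Added example: verify that the loaded policy holds the rules a domain
# transition needs. Assumes sesearch (setools) and read access to the policy.

# has_allow SRC TGT CLASS PERM: true if sesearch prints a matching allow rule.
has_allow() {
    sesearch -A -s "$1" -t "$2" -c "$3" -p "$4" 2>/dev/null |
        grep -Eq '^[[:space:]]*allow[[:space:]]'
}

# has_default SRC EXEC_TYPE DST: true if a type_transition rule makes DST the
# default process type when SRC executes a file labelled EXEC_TYPE.
has_default() {
    sesearch -T -s "$1" -t "$2" -c process 2>/dev/null |
        grep -Eq "^[[:space:]]*type_transition[[:space:]].*[[:space:]]$3;"
}

# check_domtrans SRC EXEC_TYPE DST: print one line per missing rule and
# return 1 if any is missing, 0 if the transition is fully described.
check_domtrans() {
    src=$1; exec_type=$2; dst=$3; missing=0
    # The calling domain must be allowed to execute the labelled file.
    has_allow "$src" "$exec_type" file execute ||
        { echo "MISSING: allow $src $exec_type:file execute"; missing=1; }
    # The calling domain must be allowed to transition to the new domain.
    has_allow "$src" "$dst" process transition ||
        { echo "MISSING: allow $src $dst:process transition"; missing=1; }
    # The labelled file must be an entrypoint for the new domain.
    has_allow "$dst" "$exec_type" file entrypoint ||
        { echo "MISSING: allow $dst $exec_type:file entrypoint"; missing=1; }
    # Without a default, the process stays in the caller's domain.
    has_default "$src" "$exec_type" "$dst" ||
        { echo "MISSING: type_transition $src $exec_type:process $dst"; missing=1; }
    [ "$missing" -eq 0 ] && echo "OK: $src -> $dst via $exec_type"
    return "$missing"
}

# Usage: sh check_domtrans.sh httpd_t mlogc_exec_t mlogc_t
if [ "$#" -eq 3 ]; then
    check_domtrans "$@"
fi
```

If the module is listed by semodule -l but every line comes back MISSING, the policy block containing the interface call did not make it into the compiled module.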