Fedora 21, unable to add new file context

Fedora 21 with selinux-policy-targeted-3.13.1-105.3

I've installed a local policy for PHP-FPM based off of https://github.com/prometheanfire/selinux-modules which defines several new types (to avoid conflicting with httpd_t type aliases in Fedora). I can't include everything in the .fc file for the local policy because I need to change the file contexts defined in other modules, so I set local contexts using semanage. This was working fine in Fedora 20, but here is what happens in Fedora 21:

[root@ice ~]# semanage fcontext -a -t phpfcgi_exec_t /usr/sbin/php-fpm # this works fine
[root@ice ~]# semanage fcontext -a -t phpfcgi_var_run_t "/var/run/php-fpm(/.*)?" # fails
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
OSError: No such file or directory
[root@ice ~]# semanage fcontext -a -t phpfcgi_var_run_t "/var/run/php-fpm" # but this works
[root@ice ~]#

Does anyone have any idea why the first and third commands above work, but the second one no longer works under Fedora 21? The error message isn't very helpful. I've searched the web and looked at the libsemanage source code, but neither was helpful. I've also run strace on the commands that succeed and compared the output to running strace on the command that failed, but I don't see any system calls that shed light on the problem (including nothing just prior to the write() calls for the error message that returns ENOENT).

Here is some additional information. Note that I can add file context patterns very similar to the one that is failing above without any problems, such as "fcontext -a -f a -t selinux_config_t '/var/lib/config(/.*)?'"

[root@ice ~]# ls -ldZ /var/run/php-fpm
drwxr-xr-x. root root system_u:object_r:httpd_var_run_t:s0 /var/run/php-fpm
[root@ice ~]# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -0 abrt_upload_watch_anon_write
boolean -m -0 auditadm_exec_content
boolean -m -0 boinc_execmem
boolean -m -0 cron_userdomain_transition
boolean -m -1 daemons_dump_core
boolean -m -0 dbadm_exec_content
boolean -m -1 deny_execmem
boolean -m -1 deny_ptrace
boolean -m -0 entropyd_use_audio
boolean -m -0 gluster_export_all_rw
boolean -m -0 gssd_read_tmp
boolean -m -0 guest_exec_content
boolean -m -0 httpd_builtin_scripting
boolean -m -1 httpd_can_network_connect
boolean -m -0 kerberos_enabled
boolean -m -0 logadm_exec_content
boolean -m -0 logging_syslogd_use_tty
boolean -m -0 nfs_export_all_ro
boolean -m -0 nfs_export_all_rw
boolean -m -0 openvpn_can_network_connect
boolean -m -0 openvpn_enable_homedirs
boolean -m -1 polyinstantiation_enabled
boolean -m -0 postfix_local_write_mail_spool
boolean -m -0 postgresql_selinux_unconfined_dbadm
boolean -m -0 postgresql_selinux_users_ddl
boolean -m -0 privoxy_connect_any
boolean -m -0 secadm_exec_content
boolean -m -0 selinuxuser_direct_dri_enabled
boolean -m -0 selinuxuser_execmod
boolean -m -0 selinuxuser_execstack
boolean -m -0 spamd_enable_home_dirs
boolean -m -0 squid_connect_any
boolean -m -0 telepathy_tcp_connect_generic_network_ports
boolean -m -0 unconfined_chrome_sandbox_transition
boolean -m -0 unconfined_login
boolean -m -0 unconfined_mozilla_plugin_transition
boolean -m -0 virt_use_usb
boolean -m -0 xend_run_blktap
boolean -m -0 xend_run_qemu
boolean -m -0 xguest_connect_network
boolean -m -0 xguest_exec_content
boolean -m -0 xguest_mount_media
boolean -m -0 xguest_use_bluetooth
login -a -s guest_u -r 's0' __default__
login -a -s staff_u -r 's0' markmont
login -a -s unconfined_u -r 's0-s0:c0.c1023' root
login -a -s system_u -r 's0-s0:c0.c1023' system_u
user -a -L s0 -r s0-s0:c0.c1023 -R 'staff_r unconfined_r system_r' staff_u
fcontext -a -f a -t iptables_exec_t '/etc/systemd/ipset'
fcontext -a -f a -t initrc_exec_t '/etc/systemd/selinux-lockdown'
fcontext -a -f a -t tmp_t '/tmp/tmp-inst'
fcontext -a -f a -t selinux_config_t '/var/lib/config(/.*)?'
fcontext -a -f a -t tmp_t '/var/tmp/tmp-inst'
module -d permissivedomains
module -d unconfined
module -d unlabelednet
[root@ice ~]#

--
  Mark Montague
  mark@xxxxxxxxxxx
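An added example (not part of the post above) that parses `fcontext -a` lines in the `semanage export` format shown in the message and checks which paths the local rules actually cover. It illustrates why the plain-path workaround is not equivalent to the "(/.*)?" pattern: the plain entry labels only the directory itself, not the files created inside it. The sample export and the "php-fpm.pid" path are constructed; the "last matching rule wins" tie-break is a simplification of libselinux's ranking, not its exact algorithm.

```python
import re
import shlex

# Constructed sample in the format of `semanage export` (a subset of the
# poster's output plus the two commands that succeeded).
SAMPLE_EXPORT = """\
fcontext -D
fcontext -a -f a -t iptables_exec_t '/etc/systemd/ipset'
fcontext -a -f a -t selinux_config_t '/var/lib/config(/.*)?'
fcontext -a -f a -t phpfcgi_exec_t '/usr/sbin/php-fpm'
fcontext -a -f a -t phpfcgi_var_run_t '/var/run/php-fpm'
"""


def parse_fcontext_export(text):
    """Return (pattern, setype, ftype) tuples from the `fcontext -a` lines."""
    entries = []
    for line in text.splitlines():
        parts = shlex.split(line)
        if len(parts) < 3 or parts[0] != "fcontext" or parts[1] != "-a":
            continue  # skips 'fcontext -D', booleans, logins, modules, ...
        opts = {"-f": "a"}  # semanage treats a missing -f as 'a' (all files)
        i = 2
        while i < len(parts) - 1:
            if parts[i] in ("-f", "-t"):
                opts[parts[i]] = parts[i + 1]
                i += 2
            else:
                i += 1
        entries.append((parts[-1], opts.get("-t"), opts["-f"]))
    return entries


def lookup(entries, path):
    """Type the local rules assign to `path`; the whole path must match the
    regex, as in file_contexts. Simplification: the last matching rule wins."""
    result = None
    for pattern, setype, _ftype in entries:
        if re.fullmatch(pattern, path):
            result = setype
    return result


def uncovered(entries, paths):
    """Paths no local rule matches: candidates for a '(/.*)?' pattern."""
    return [p for p in paths if lookup(entries, p) is None]
```

Feed it the real `semanage export` output and the paths a service creates at runtime to see which of them would still fall back to the base policy's context (httpd_var_run_t here) after a restorecon.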

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux