I am trying to confine a custom web application using type enforcement plus MCS
to protect multiple instances of the web app from each other. I can compile the
policy ok but when I insert it I get this error:
# semodule -i myapp.pp
libsepol.context_from_record: invalid security context: "myapp_u:myapp_r:myapp_api_t:s0"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert myapp_u:myapp_r:myapp_api_t:s0 to sid
invalid context myapp_u:myapp_r:myapp_api_t:s0
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!
I'm sure I've seen this problem before but can't recall how it was fixed. I
know it's something fairly simple.
Here's myapp.te:
module myapp 1.0;
# Import some things we will need from other modules/default policy
require {
sensitivity s0;
category c0, c1, c2, c3, c4, c5, c6, c7, c8, c9, c10;
category c1023;
}
# Role and type for our app
role myapp_r;
type myapp_t;
# Glide file context
type myapp_bin_t;
type myapp_api_t;
type myapp_conf_t;
type myapp_release_t;
type myapp_incoming_t;
type myapp_lib_t;
type myapp_logs_t;
type myapp_scripts_t;
type myapp_tmp_t;
type myapp_tomcat_t;
type myapp_util_t;
type myapp_var_t;
type myapp_exec_t;
type myapp_webapps_t;
# Assign type attributes
corecmd_executable_file(myapp_bin_t)
corecmd_executable_file(myapp_exec_t)
#logging_log_file(myapp_logs_t)
# Generate one user per myapp instance with user and category matching the port
# it will bind to, only as convention, they don't technically have to match.
gen_user(myapp_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c0.c1023)
gen_user(p16000_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c0)
gen_user(p16001_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c1)
gen_user(p16002_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c2)
gen_user(p16003_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c3)
gen_user(p16004_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c4)
gen_user(p16005_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c5)
gen_user(p16006_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c6)
gen_user(p16007_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c7)
gen_user(p16008_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c8)
gen_user(p16009_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c9)
gen_user(p16010_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c10)
And while I'm posting I may as well ask: When I uncomment the
logging_log_file(mypp_logs_t) type attribute above I get this error:
Compiling targeted myapp module
/usr/bin/checkmodule: loading policy configuration from tmp/myapp.tmp
myapp.te":42:ERROR 'unknown class filesystem used in rule' at token ';' on line 1301:
allow myapp_logs_t tmp_t:filesystem associate;
#line 42
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/myapp.mod] Error 1
All tips are greatly appreciated!
--
Tracy Reed
Attachment:
pgp84xVppHKZm.pgp
Description: PGP signature
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
