rlpowell@jukni> rpm -q selinux-policy selinux-policy-3.13.1-128.1.fc22.noarch rlpowell@jukni> rpm -q policycoreutils policycoreutils-2.3-16.fc22.x86_64 rlpowell@jukni> On Wed, Jul 29, 2015 at 09:59:43AM +0200, Lukas Vrabec wrote: > Hi Robin, > Could you attach output of: > $ rpm -q selinux-policy > $ rpm -q policycoreutils > > Thank you! > > On 07/29/2015 09:03 AM, Robin Lee Powell wrote: > >On Tue, Jul 28, 2015 at 12:07:51AM -0700, Robin Lee Powell wrote: > >>On Mon, Jul 27, 2015 at 08:29:29PM -0700, Robin Lee Powell wrote: > >>>On Mon, Jul 27, 2015 at 07:45:11PM -0400, Simon Sekidde wrote: > >>>> > >>>>----- Original Message ----- > >>>>>From: "Robin Lee Powell" <rlpowell@xxxxxxxxxxxxxxxxxx> > >>>>>To: selinux@xxxxxxxxxxxxxxxxxxxxxxx > >>>>>Sent: Monday, July 27, 2015 6:05:51 PM > >>>>>Subject: Conflict between local module and local fcontext > >>>>> > >>>>> > >>>>>So I have a custom module that includes: > >>>>> > >>>>> type lojban_logger_t; > >>>>> type lojban_logger_exec_t; > >>>>> > >>>>> application_domain( lojban_logger_t, lojban_logger_exec_t) > >>>>> init_daemon_domain(lojban_logger_t, lojban_logger_exec_t) > >>>>> > >>>>>(not sure if those are redundant?) and: > >>>>> > >>>>> /srv/lojban/irclogs(/.*)? system_u:object_r:lojban_logger_t:s0 > >>>>> > >>>>>I've made a variety of changes with "semodule fcontext", including: > >>>>> > >>>>> /srv/lojban system_u:object_r:httpd_user_content_t:s0 > >>>>> /srv/lojban(/.*)? system_u:object_r:httpd_user_content_t:s0 > >>>>> > >>>>>As a result, the changes in my module are ignored, and the files > >>>>>end up with httpd_user_content_t > >>>>> > >>>>>So I tried: > >>>>> > >>>>> $ sudo semanage fcontext -a -t lojban_logger_t '/srv/lojban/irclogs(/.*)?' > >>>>> ValueError: Type lojban_logger_t is invalid, must be a file or device type > >>>>> > >>>>>Uhh. > >>>>> > >>>>>I guess this means that the custom module's types can't be seen by > >>>>>semanage? > >>>>> > >>>>>So, what's the correct solution here? > >>>>> > >>>>1) Define a new type that is usable for log files in the .te > >>>> > >>>>type logjban_logger_log_t; > >>>>logging_log_type(logjban_logger_log_t) > >>>> > >>>>2) Add this label to the path in the .fc > >>>> > >>>>/srv/lojban/irclogs(/.*)? system_u:object_r:logjban_logger_log_t:s0 > >>>Unless I'm missing something, this won't help at all; the semanage > >>>fcontext rule will win, and they'll end up with httpd_user_content_t > >>>per the rule for /srv/lojban(/.*)? , because semanage fcontext rules > >>>*always* win over module rules. > >>Ah, I see what you're saying; that way at least I'd *have* a file > >>type, that I could then add with semanage. I'll try that, thanks. > >So I did that, and now: > > > >rlpowell@jukni> sudo semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs(/.*)?' > >libsemanage.dbase_llist_query: could not query record value (No such file or directory). > >OSError: No such file or directory > >rlpowell@jukni> > > > >Here's the policy: > > > > policy_module(MYLOCAL_lojbanlogger, 1.6.0) > > ######################################## > > # > > # Declarations > > # > > type lojban_logger_t; > > type lojban_logger_logs_t; > > type lojban_logger_exec_t; > > gen_require(` > > type httpd_t; > > type setfiles_t; > > type unconfined_t; > > type staff_t; > > ') > > #============= lojban_logger_t ============== > > manage_dirs_pattern( lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t) > > manage_files_pattern( lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t) > > # Be a file type and a domain > > application_domain( lojban_logger_t, lojban_logger_exec_t ) > > # File type > > logging_log_file(lojban_logger_logs_t) > > # Be an init/systemd daemon > > init_daemon_domain(lojban_logger_t, lojban_logger_exec_t) > > # connect to ircd > > corenet_tcp_connect_ircd_port(lojban_logger_t) > >-- > >selinux mailing list > >selinux@xxxxxxxxxxxxxxxxxxxxxxx > >https://admin.fedoraproject.org/mailman/listinfo/selinux > > -- > Lukas Vrabec > SELinux Solutions > Red Hat, Inc. > > -- > selinux mailing list > selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux -- http://intelligence.org/ : Our last, best hope for a fantastic future. .i ko na cpedu lo nu stidi vau loi jbopre .i dafsku lu na go'i li'u .e lu go'i li'u .i ji'a go'i lu na'e go'i li'u .e lu go'i na'i li'u .e lu no'e go'i li'u .e lu to'e go'i li'u .e lu lo mamta be do cu sofybakni li'u -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
