Re: [selinux] Re: Conflict between local module and local fcontext

Could you please update the selinux-policy package and try it again?
I tried to reproduce it and I cannot see your issue.

On 07/29/2015 10:01 AM, Robin Lee Powell wrote:
rlpowell@jukni> rpm -q selinux-policy
selinux-policy-3.13.1-128.1.fc22.noarch
rlpowell@jukni> rpm -q policycoreutils
policycoreutils-2.3-16.fc22.x86_64
rlpowell@jukni>

On Wed, Jul 29, 2015 at 09:59:43AM +0200, Lukas Vrabec wrote:
Hi Robin,
Could you attach output of:
$ rpm -q selinux-policy
$ rpm -q policycoreutils

Thank you!

On 07/29/2015 09:03 AM, Robin Lee Powell wrote:
On Tue, Jul 28, 2015 at 12:07:51AM -0700, Robin Lee Powell wrote:
On Mon, Jul 27, 2015 at 08:29:29PM -0700, Robin Lee Powell wrote:
On Mon, Jul 27, 2015 at 07:45:11PM -0400, Simon Sekidde wrote:
----- Original Message -----
From: "Robin Lee Powell" <rlpowell@xxxxxxxxxxxxxxxxxx>
To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
Sent: Monday, July 27, 2015 6:05:51 PM
Subject: Conflict between local module and local fcontext


So I have a custom module that includes:

   type lojban_logger_t;
   type lojban_logger_exec_t;

   application_domain( lojban_logger_t, lojban_logger_exec_t)
   init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)

(not sure if those are redundant?) and:

   /srv/lojban/irclogs(/.*)?      system_u:object_r:lojban_logger_t:s0

I've made a variety of changes with "semodule fcontext", including:

   /srv/lojban    system_u:object_r:httpd_user_content_t:s0
   /srv/lojban(/.*)?    system_u:object_r:httpd_user_content_t:s0

As a result, the changes in my module are ignored, and the files
end up with httpd_user_content_t

So I tried:

   $ sudo semanage fcontext -a -t lojban_logger_t '/srv/lojban/irclogs(/.*)?'
   ValueError: Type lojban_logger_t is invalid, must be a file or device type

Uhh.

I guess this means that the custom module's types can't be seen by
semanage?

So, what's the correct solution here?

1) Define a new type that is usable for log files in the .te

type logjban_logger_log_t;
logging_log_type(logjban_logger_log_t)

2) Add this label to the path in the .fc

/srv/lojban/irclogs(/.*)?      system_u:object_r:logjban_logger_log_t:s0

Unless I'm missing something, this won't help at all; the semanage
fcontext rule will win, and they'll end up with httpd_user_content_t
per the rule for /srv/lojban(/.*)?, because semanage fcontext rules
*always* win over module rules.

Ah, I see what you're saying; that way at least I'd *have* a file
type, that I could then add with semanage.  I'll try that, thanks.

So I did that, and now:

rlpowell@jukni> sudo semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs(/.*)?'
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
OSError: No such file or directory
rlpowell@jukni>

Here's the policy:

     policy_module(MYLOCAL_lojbanlogger, 1.6.0)
     ########################################
     #
     # Declarations
     #
     type lojban_logger_t;
     type lojban_logger_logs_t;
     type lojban_logger_exec_t;
     gen_require(`
       type httpd_t;
       type setfiles_t;
       type unconfined_t;
       type staff_t;
     ')
     #============= lojban_logger_t ==============
     manage_dirs_pattern(   lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t)
     manage_files_pattern(  lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t)
     # Be a file type and a domain
     application_domain( lojban_logger_t, lojban_logger_exec_t )
     # File type
     logging_log_file(lojban_logger_logs_t)
     # Be an init/systemd daemon
     init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)
     # connect to ircd
     corenet_tcp_connect_ircd_port(lojban_logger_t)
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.

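The thread leaves the underlying rule implicit: a type named in a module's .fc (or given to semanage fcontext -t) has to carry the file_type attribute, which a bare domain type such as lojban_logger_t does not, while a type passed through logging_log_file() does. The following is an added example, not code from the thread or from Robin's module: a small POSIX shell lint that checks every type a module's .fc assigns against its .te, reproducing the "must be a file or device type" condition before semanage ever sees the module, followed by the build, install and verification steps for a real host. The two sample modules are constructed after the ones in the thread; the module file name, the /usr/local/bin/lojban-logger path and the list of refpolicy interfaces treated as file-type-granting are assumptions, and the grep-based check is approximate (a type that gains file_type through a custom interface or an attribute declared elsewhere would be missed).

```shell
#!/bin/sh
# Added example, not code from the thread. Lints a policy module's .fc
# against its .te: every type assigned to a path must be a file type,
# which is the check semanage fcontext applies ("must be a file or device
# type"). The interface list below is an assumption (each listed refpolicy
# interface does make its argument a file type, but the list is not
# exhaustive), so the check is approximate.

# fc_types FC: print, once each, the types used in the context column.
fc_types() {
    awk '$0 !~ /^[[:space:]]*(#|$)/ && $NF != "<<none>>" {
             ctx = $NF; gsub(/gen_context\(|\)/, "", ctx)
             n = split(ctx, c, /[:,]/); if (n >= 3) print c[3] }' "$1" | sort -u
}

# is_file_type TYPE TE: succeed if TE declares TYPE as a file type.
is_file_type() {
    t=$1; te=$2
    # "type foo_t, file_type;" style declaration
    grep -Eq "^[[:space:]]*type[[:space:]]+$t[[:space:]]*,([^;]*[[:space:],])?file_type[[:space:]]*[,;]" "$te" && return 0
    # single-argument interfaces that attach file_type (assumed list)
    grep -Eq "^[[:space:]]*(files_type|files_config_file|files_pid_file|files_tmp_file|files_lock_file|logging_log_file)[[:space:]]*\([[:space:]]*$t[[:space:]]*\)" "$te" && return 0
    # entrypoint types: the second argument of these domain interfaces
    grep -Eq "^[[:space:]]*(application_domain|init_daemon_domain|init_system_domain)[[:space:]]*\([^,]*,[[:space:]]*$t[[:space:]]*\)" "$te" && return 0
    return 1
}

# lint_fc FC TE: report each label; fail if any is not a file type.
lint_fc() {
    rc=0
    for t in $(fc_types "$1"); do
        if is_file_type "$t" "$2"; then echo "ok:   $t"
        else echo "FAIL: $t is not a file type in $2"; rc=1; fi
    done
    return $rc
}

# Constructed inputs modelled on the thread. "bad" labels the log directory
# with the domain type, as in the original post; "good" adds a log file type.
# The module file name and the /usr/local/bin path are assumptions.
WORK=$(mktemp -d); mkdir -p "$WORK/bad" "$WORK/good"
cat > "$WORK/bad/MYLOCAL_lojbanlogger.te" <<'EOF'
policy_module(MYLOCAL_lojbanlogger, 1.0.0)
type lojban_logger_t;
type lojban_logger_exec_t;
application_domain(lojban_logger_t, lojban_logger_exec_t)
init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)
EOF
cat > "$WORK/bad/MYLOCAL_lojbanlogger.fc" <<'EOF'
/usr/local/bin/lojban-logger  --  gen_context(system_u:object_r:lojban_logger_exec_t,s0)
/srv/lojban/irclogs(/.*)?         system_u:object_r:lojban_logger_t:s0
EOF
cat > "$WORK/good/MYLOCAL_lojbanlogger.te" <<'EOF'
policy_module(MYLOCAL_lojbanlogger, 1.1.0)
type lojban_logger_t;
type lojban_logger_exec_t;
type lojban_logger_logs_t;
application_domain(lojban_logger_t, lojban_logger_exec_t)
init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)
logging_log_file(lojban_logger_logs_t)
manage_dirs_pattern(lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t)
manage_files_pattern(lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t)
EOF
sed 's/lojban_logger_t:s0/lojban_logger_logs_t:s0/' \
    "$WORK/bad/MYLOCAL_lojbanlogger.fc" > "$WORK/good/MYLOCAL_lojbanlogger.fc"

lint_fc "$WORK/bad/MYLOCAL_lojbanlogger.fc" "$WORK/bad/MYLOCAL_lojbanlogger.te" \
    || echo "(this is the condition the thread's first semanage call tripped over)"
lint_fc "$WORK/good/MYLOCAL_lojbanlogger.fc" "$WORK/good/MYLOCAL_lojbanlogger.te"

# On a real SELinux host with selinux-policy-devel and setools: build and
# install the fixed module, confirm the attribute, then add the local
# fcontext rule. "semanage fcontext -l -C" lists local customizations,
# which take precedence over the module's own .fc entries for the same path.
build_and_verify() (
    cd "$1/good" || exit 1
    make -f /usr/share/selinux/devel/Makefile MYLOCAL_lojbanlogger.pp
    semodule -i MYLOCAL_lojbanlogger.pp
    seinfo -afile_type -x | grep -qw lojban_logger_logs_t && echo "file_type attribute present"
    semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs(/.*)?'
    semanage fcontext -l -C
    matchpathcon /srv/lojban/irclogs/example.log
    restorecon -Rv /srv/lojban/irclogs
)
if command -v semodule >/dev/null 2>&1; then build_and_verify "$WORK"; fi
```

The lint runs anywhere; the last function only runs where semodule exists. On such a host, matchpathcon is the quick way to see which rule actually wins for a path before restorecon applies it, and semanage fcontext -l -C shows exactly the local entries (such as the /srv/lojban(/.*)? rule from the thread) that override whatever the module's .fc says for the same files.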



