----- Original Message -----
> From: "Robin Lee Powell" <rlpowell@xxxxxxxxxxxxxxxxxx>
> To: "Lukas Vrabec" <lvrabec@xxxxxxxxxx>, selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Sent: Wednesday, July 29, 2015 6:29:16 AM
> Subject: Re: [selinux] Re: Conflict between local module and local fcontext
>
> I removed this line:
>
>     /srv/lojban/irclogs(/.*)?
>     system_u:object_r:lojban_logger_logs_t:s0
>
> from the module's .fc file, since that was the only other use of
> lojban_logger_logs_t, and that line was non-functional as
> previously described, and now the fcontext command works.
>
> Yay!, but I don't get it at all.

The purpose of that line in the .fc is to have you avoid running
`semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs(/.*)?'`
since the label for all files in that path dir has been predefined.

>
> On Wed, Jul 29, 2015 at 03:24:50AM -0700, Robin Lee Powell wrote:
> > rlpowell@jukni> rpm -q policycoreutils
> > policycoreutils-2.3-17.fc22.x86_64
> > rlpowell@jukni> rpm -q selinux-policy
> > selinux-policy-3.13.1-128.6.fc22.noarch
> > rlpowell@jukni> sudo semanage fcontext -a -t lojban_logger_logs_t
> > '/srv/lojban/irclogs(/.*)?'
> > libsemanage.dbase_llist_query: could not query record value (No such file
> > or directory).
> > OSError: No such file or directory
> > rlpowell@jukni>
> >
> > I've got other local mods installed, but I don't know how any of
> > them could be relevant.
> >
> > What does that error even *mean*?
> >
> > On Wed, Jul 29, 2015 at 10:32:25AM +0200, Lukas Vrabec wrote:
> > > Please could you update the selinux-policy package and try it again?
> > > I tried to reproduce it and I cannot see your issue.
> > >
> > > On 07/29/2015 10:01 AM, Robin Lee Powell wrote:
> > > >rlpowell@jukni> rpm -q selinux-policy
> > > >selinux-policy-3.13.1-128.1.fc22.noarch
> > > >rlpowell@jukni> rpm -q policycoreutils
> > > >policycoreutils-2.3-16.fc22.x86_64
> > > >rlpowell@jukni>
> > > >
> > > >On Wed, Jul 29, 2015 at 09:59:43AM +0200, Lukas Vrabec wrote:
> > > >>Hi Robin,
> > > >>Could you attach the output of:
> > > >>$ rpm -q selinux-policy
> > > >>$ rpm -q policycoreutils
> > > >>
> > > >>Thank you!
> > > >>
> > > >>On 07/29/2015 09:03 AM, Robin Lee Powell wrote:
> > > >>>On Tue, Jul 28, 2015 at 12:07:51AM -0700, Robin Lee Powell wrote:
> > > >>>>On Mon, Jul 27, 2015 at 08:29:29PM -0700, Robin Lee Powell wrote:
> > > >>>>>On Mon, Jul 27, 2015 at 07:45:11PM -0400, Simon Sekidde wrote:
> > > >>>>>>----- Original Message -----
> > > >>>>>>>From: "Robin Lee Powell" <rlpowell@xxxxxxxxxxxxxxxxxx>
> > > >>>>>>>To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > >>>>>>>Sent: Monday, July 27, 2015 6:05:51 PM
> > > >>>>>>>Subject: Conflict between local module and local fcontext
> > > >>>>>>>
> > > >>>>>>>So I have a custom module that includes:
> > > >>>>>>>
> > > >>>>>>>    type lojban_logger_t;
> > > >>>>>>>    type lojban_logger_exec_t;
> > > >>>>>>>
> > > >>>>>>>    application_domain( lojban_logger_t, lojban_logger_exec_t)
> > > >>>>>>>    init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)
> > > >>>>>>>
> > > >>>>>>>(not sure if those are redundant?) and:
> > > >>>>>>>
> > > >>>>>>>    /srv/lojban/irclogs(/.*)?
> > > >>>>>>>    system_u:object_r:lojban_logger_t:s0
> > > >>>>>>>
> > > >>>>>>>I've made a variety of changes with "semodule fcontext",
> > > >>>>>>>including:
> > > >>>>>>>
> > > >>>>>>>    /srv/lojban system_u:object_r:httpd_user_content_t:s0
> > > >>>>>>>    /srv/lojban(/.*)? system_u:object_r:httpd_user_content_t:s0
> > > >>>>>>>
> > > >>>>>>>As a result, the changes in my module are ignored, and the files
> > > >>>>>>>end up with httpd_user_content_t.
> > > >>>>>>>
> > > >>>>>>>So I tried:
> > > >>>>>>>
> > > >>>>>>>    $ sudo semanage fcontext -a -t lojban_logger_t
> > > >>>>>>>    '/srv/lojban/irclogs(/.*)?'
> > > >>>>>>>    ValueError: Type lojban_logger_t is invalid, must be a file or
> > > >>>>>>>    device type
> > > >>>>>>>
> > > >>>>>>>Uhh.
> > > >>>>>>>
> > > >>>>>>>I guess this means that the custom module's types can't be seen by
> > > >>>>>>>semanage?
> > > >>>>>>>
> > > >>>>>>>So, what's the correct solution here?
> > > >>>>>>>
> > > >>>>>>1) Define a new type that is usable for log files in the .te
> > > >>>>>>
> > > >>>>>>    type lojban_logger_log_t;
> > > >>>>>>    logging_log_type(lojban_logger_log_t)
> > > >>>>>>
> > > >>>>>>2) Add this label to the path in the .fc
> > > >>>>>>
> > > >>>>>>    /srv/lojban/irclogs(/.*)?
> > > >>>>>>    system_u:object_r:lojban_logger_log_t:s0
> > > >>>>>>
> > > >>>>>Unless I'm missing something, this won't help at all; the semanage
> > > >>>>>fcontext rule will win, and they'll end up with httpd_user_content_t
> > > >>>>>per the rule for /srv/lojban(/.*)?, because semanage fcontext rules
> > > >>>>>*always* win over module rules.
> > > >>>>
> > > >>>>Ah, I see what you're saying; that way at least I'd *have* a file
> > > >>>>type, that I could then add with semanage. I'll try that, thanks.
> > > >>>
> > > >>>So I did that, and now:
> > > >>>
> > > >>>rlpowell@jukni> sudo semanage fcontext -a -t lojban_logger_logs_t
> > > >>>'/srv/lojban/irclogs(/.*)?'
> > > >>>libsemanage.dbase_llist_query: could not query record value (No such
> > > >>>file or directory).
> > > >>>OSError: No such file or directory
> > > >>>rlpowell@jukni>
> > > >>>
> > > >>>Here's the policy:
> > > >>>
> > > >>>    policy_module(MYLOCAL_lojbanlogger, 1.6.0)
> > > >>>    ########################################
> > > >>>    #
> > > >>>    # Declarations
> > > >>>    #
> > > >>>    type lojban_logger_t;
> > > >>>    type lojban_logger_logs_t;
> > > >>>    type lojban_logger_exec_t;
> > > >>>    gen_require(`
> > > >>>        type httpd_t;
> > > >>>        type setfiles_t;
> > > >>>        type unconfined_t;
> > > >>>        type staff_t;
> > > >>>    ')
> > > >>>    #============= lojban_logger_t ==============
> > > >>>    manage_dirs_pattern( lojban_logger_t, lojban_logger_logs_t,
> > > >>>        lojban_logger_logs_t)
> > > >>>    manage_files_pattern( lojban_logger_t, lojban_logger_logs_t,
> > > >>>        lojban_logger_logs_t)
> > > >>>    # Be a file type and a domain
> > > >>>    application_domain( lojban_logger_t, lojban_logger_exec_t )
> > > >>>    # File type
> > > >>>    logging_log_file(lojban_logger_logs_t)
> > > >>>    # Be an init/systemd daemon
> > > >>>    init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)
> > > >>>    # connect to ircd
> > > >>>    corenet_tcp_connect_ircd_port(lojban_logger_t)
> > > >>>--
> > > >>>selinux mailing list
> > > >>>selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > >>>https://admin.fedoraproject.org/mailman/listinfo/selinux
> > > >>--
> > > >>Lukas Vrabec
> > > >>SELinux Solutions
> > > >>Red Hat, Inc.
> >
> > --
> > http://intelligence.org/ : Our last, best hope for a fantastic future.
> > .i ko na cpedu lo nu stidi vau loi jbopre .i dafsku lu na go'i li'u .e
> > lu go'i li'u .i ji'a go'i lu na'e go'i li'u .e lu go'i na'i li'u .e
> > lu no'e go'i li'u .e lu to'e go'i li'u .e lu lo mamta be do cu sofybakni
> > li'u

--
Simon Sekidde * Red Hat, Inc. * Westford, MA
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
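The root cause in the thread is a .fc entry that labels files with a domain type (lojban_logger_t), which semanage rejects because it is not a file type; the fix was a separate type marked with logging_log_file(). Below is an added example, not code from the thread or from Fedora's tooling, of a small POSIX sh lint that catches that mistake before the module is installed. The set of file-type interfaces it recognises, the fc_lint.sh name and the sample .te/.fc contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a pre-install lint for a local SELinux
# policy module. For every type named in the .fc it checks that the .te
# declares it and that a file-type interface is applied to it, which is the
# condition "semanage fcontext -t" enforces ("must be a file or device type").
# The interface list is an assumption: a few common refpolicy interfaces,
# not the complete set.
FILE_TYPE_IFACES='logging_log_file|files_type|files_config_file|files_pid_file|files_tmp_file|dev_node'

# check_fc_types <module.te> <module.fc>: print one line per problem,
# return 1 if any were found.
check_fc_types() {
    te=$1; fc=$2; rc=0
    for t in $(sed -n 's/.*:object_r:\([A-Za-z0-9_]*\):.*/\1/p' "$fc" | sort -u); do
        if ! grep -Eq "^[[:space:]]*type[[:space:]]+$t[[:space:];]" "$te"; then
            echo "$t: used in .fc but not declared in .te"; rc=1; continue
        fi
        if ! grep -Eq "^[[:space:]]*($FILE_TYPE_IFACES)\([[:space:]]*$t[[:space:]]*\)" "$te"; then
            echo "$t: declared but not marked as a file type (semanage will reject it)"; rc=1
        fi
    done
    return $rc
}

# write_sample <dir> before|after: constructed .te/.fc pairs modelled on the
# thread. "before" labels the log directory with the domain type, as the
# first post did; "after" declares a separate log file type.
write_sample() {
    mkdir -p "$1"
    if [ "$2" = before ]; then
        ftype=lojban_logger_t; extra=''
    else
        ftype=lojban_logger_logs_t
        extra='type lojban_logger_logs_t;
logging_log_file(lojban_logger_logs_t)'
    fi
    printf '%s\n' 'policy_module(MYLOCAL_lojbanlogger, 1.0.0)' \
        'type lojban_logger_t;' 'type lojban_logger_exec_t;' \
        'application_domain(lojban_logger_t, lojban_logger_exec_t)' \
        'init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)' \
        "$extra" >"$1/lojban.te"
    printf '%s\n' "/srv/lojban/irclogs(/.*)?  system_u:object_r:$ftype:s0" >"$1/lojban.fc"
}

# Run as a CLI over real files: sh fc_lint.sh mymodule.te mymodule.fc
if [ $# -eq 2 ]; then check_fc_types "$1" "$2"; fi
```

On the "before" sample the lint reports the same condition semanage raised in the thread; on the "after" sample it is silent, matching the module Robin posted with logging_log_file(lojban_logger_logs_t).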