selinux@xxxxxx wrote:
> Hi all,
>
> we're trying to set up a JBoss module. As you probably know, JBoss needs
> Java and vice versa.
>
> For this we created a .te and .if. Part of the .if is an interface to
> allow writing log files. Relevant part:
>
> ########################################
> ## <summary>
> ##	Allow the specified domain to
> ##	write jboss log files
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`jboss_write_log',`
> 	gen_require(`
> 		type jboss_log_t;
> 	')
> 	logging_search_logs($1)
> 	allow $1 jboss_log_t:dir list_dir_perms;
> 	allow $1 jboss_log_t:dir rw_dir_perms;
> 	allow $1 jboss_log_t:file read_file_perms;
> 	write_files_pattern($1,jboss_log_t,jboss_log_t);
> 	allow $1 jboss_log_t:dir search_dir_perms;
> 	allow $1 jboss_log_t:dir getattr_dir_perms;
> ')
>
> However, when compiling this module, it all fails at "allow $1
> jboss_log_t:dir list_dir_perms;" with this error:
>
> Compiling targeted base module
> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> /usr/bin/checkmodule: loading policy configuration from base.conf
> policy/modules/apps/java.te:22:ERROR 'unknown type jboss_log_t' at token
> ';' on line 491016:
> #line 22
> allow java_t jboss_log_t:dir { getattr search read lock ioctl };
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/base.mod] Error 1
>
> Just to try, we declared "type jboss_log_t;" before logging_search_logs
> and after the gen_require. After this I was able to compile the module
> (but did run into other problems)...
>
> So, I believe I have a scoping issue; gen_require checks (and finds)
> jboss_log_t. But as soon as someone tries to use jboss_log_t in the
> interface, it breaks..
>
> To make everything clear:
> We changed java.te and added:
>
> #Java needs access to jboss_log_t
> jboss_write_log(java_t);
>
> What am I doing wrong here?
>
> Cheers,
>
> Bart
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.

No, your module needs a .te file that defines jboss_log_t, not just the
interface, and it probably needs a file context file too.

cat jboss.te
policy_module(jboss, 1.0.0)

# The type is declared here, in the .te; an interface can only
# gen_require a type that already exists, it cannot create one.
type jboss_log_t;
logging_file_type(jboss_log_t)

cat jboss.fc
/var/log/jboss.*	gen_context(system_u:object_r:jboss_log_t,s0)