----- Original Message -----
> From: "Ian Pilcher" <arequipeno@xxxxxxxxx>
> To: "Simon Sekidde" <ssekidde@xxxxxxxxxx>
> Cc: "Systemd" <systemd-devel@xxxxxxxxxxxxxxxxxxxxx>, selinux@xxxxxxxxxxxxx, lennart@xxxxxxxxxxxxxx
> Sent: Friday, March 3, 2017 10:44:18 AM
> Subject: Re: [systemd-devel] SELinux type transition rule not working
>
> On 03/02/2017 09:13 AM, Simon Sekidde wrote:
> > I assume this would be a pid file?
>
> You assume correctly.
>
> > If so then what you are probably looking for is a filename_trans rule
> > and will require a new interface in squid.if for this.
> >
> > Try something like
> >
> > interface(`squid_filetrans_named_content',`
> >     gen_require(`
> >         type squid_var_run_t;
> >     ')
> >
> >     files_pid_filetrans($1, squid_var_run_t, dir, "squozy")
> > ')
>
> Not sure where squid came from. The service is one of my own making
> called "squoxy" (short for "Squeezebox proxy"). Its purpose is to
> forward Squeezebox discovery broadcast packets from one network to
> another.
>

Sorry I must have been doing something in the squid policy while I was responding to this...

> So I assume that I would need to add something like this to my policy
> module:
>
> files_pid_filetrans(var_run_t, squoxy_var_run_t, dir, "squoxy")
>
> (I'm guessing at what to put in for $1.)
>

files_pid_filetrans(squoxy_t, squoxy_var_run_t, dir, "squoxy")

Files created by the squoxy_t processes in the var_run_t directory will be created with the squoxy_var_run_t label

> >> Hmm, so the relevant code in systemd actually labels the dir after
> >> creating it after an selinux database lookup, so from our side all
> >> should be good:
> >>
> >> https://github.com/systemd/systemd/blob/master/src/core/execute.c#L1857
> >>
> >> (specifically, we call mkdir_p_label() instead of plain mkdir_p()
> >> there)
>
> And this is working now, presumably after a reboot? I do so love
> non-deterministic computers. :-/
>
> --
> ========================================================================
> Ian Pilcher arequipeno@xxxxxxxxx
> -------- "I grew up before Mark Zuckerberg invented friendship" --------
> ========================================================================
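
Added example, not part of the original thread and not kernel or refpolicy code: a toy Python model of how a named file type transition is matched, showing why the first argument to files_pid_filetrans must be the creating process's domain. The helper names and the use of init_t as the domain of some other creating process are assumptions made for illustration.

```python
# Toy model of SELinux file type-transition lookup (illustrative only).
# A rule is keyed on the creating process's domain, the parent directory's
# type, the object class and, for a named transition, the new object's name.
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    source: str                  # domain of the creating process
    target: str                  # type of the parent directory
    tclass: str                  # object class: "dir", "file", ...
    new_type: str                # type given to the new object
    name: Optional[str] = None   # exact last path component, or None

def files_pid_filetrans(domain, private_type, tclass, name=None):
    """Model of the interface used in the thread: the parent is var_run_t."""
    return Rule(domain, "var_run_t", tclass, private_type, name)

def new_object_type(rules, domain, parent_type, tclass, name):
    """Return the type a newly created object receives."""
    unnamed = None
    for r in rules:
        if (r.source, r.target, r.tclass) != (domain, parent_type, tclass):
            continue
        if r.name == name:
            return r.new_type    # a named rule matching exactly wins
        if r.name is None:
            unnamed = r.new_type
    # With no matching rule the object inherits the parent directory's type.
    return unnamed or parent_type

# First attempt in the thread: $1 = var_run_t, which is a file type and
# is never the domain of a creating process, so the rule cannot match.
guess = [files_pid_filetrans("var_run_t", "squoxy_var_run_t", "dir", "squoxy")]
# Corrected rule from the reply: $1 = squoxy_t, the daemon's domain.
fixed = [files_pid_filetrans("squoxy_t", "squoxy_var_run_t", "dir", "squoxy")]

def label(rules, domain, name="squoxy"):
    """Type of a directory `name` created by `domain` under a var_run_t dir."""
    return new_object_type(rules, domain, "var_run_t", "dir", name)

if __name__ == "__main__":
    print("guess, squoxy_t creates squoxy:", label(guess, "squoxy_t"))
    print("fixed, squoxy_t creates squoxy:", label(fixed, "squoxy_t"))
    # init_t is an assumed domain for a different creating process.
    print("fixed, init_t creates squoxy  :", label(fixed, "init_t"))
    print("fixed, squoxy_t creates squozy:", label(fixed, "squoxy_t", "squozy"))
```

The last two cases show that the corrected rule applies only when squoxy_t itself creates an entry named exactly "squoxy"; a directory created by another domain, or under another name, keeps the parent's var_run_t type in this model.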