Ian do you have a copy of this custom policy somewhere? ----- Original Message ----- > From: "Simon Sekidde" <ssekidde@xxxxxxxxxx> > To: "Ian Pilcher" <arequipeno@xxxxxxxxx> > Cc: "Systemd" <systemd-devel@xxxxxxxxxxxxxxxxxxxxx>, lennart@xxxxxxxxxxxxxx, selinux@xxxxxxxxxxxxx > Sent: Friday, March 3, 2017 11:01:59 AM > Subject: Re: [systemd-devel] SELinux type transition rule not working > > > > ----- Original Message ----- > > From: "Ian Pilcher" <arequipeno@xxxxxxxxx> > > To: "Simon Sekidde" <ssekidde@xxxxxxxxxx> > > Cc: "Systemd" <systemd-devel@xxxxxxxxxxxxxxxxxxxxx>, selinux@xxxxxxxxxxxxx, > > lennart@xxxxxxxxxxxxxx > > Sent: Friday, March 3, 2017 10:44:18 AM > > Subject: Re: [systemd-devel] SELinux type transition rule not working > > > > On 03/02/2017 09:13 AM, Simon Sekidde wrote: > > > I assume this would be a pid file? > > > > You assume correctly. > > > > > If so then what you are probably looking for is a filename_trans rule > > > and will require a new interface in squid.if for this. > > > > > > Try something like > > > > > > interface(`squid_filetrans_named_content',` gen_require(` > > > type_squid_var_run_t; ') > > > > > > files_pid_filetrans($1, squid_var_run_t, dir, "squozy") ') > > > > Not sure where squid came from. The service is one of my own making > > called "squoxy" (short for "Squeezebox proxy"). Its purpose is to > > forward Squeezebox discovery broadcast packets from one network to > > another. > > > > Sorry I must have been doing something in the squid policy while I was > responding to this... > > > So I assume that I would need to add something like this to my policy > > module: > > > > files_pid_filetrans(var_run_t, squoxy_var_run_t, dir, "squoxy") > > > > (I'm guessing at what to put in for $1.) > > > > files_pid_filetrans(squoxy_t, squoxy_var_run_t, dir, "squoxy") > > Files created by the squoxy_t processes in the var_run_t directory will be > created with the squoxy_var_run_t label > > > >> Hmm, so the relevant code in systemd actually labels the dir after > > >> creating it after an selinux database lookup, so from our side all > > >> should be good: > > >> > > >> https://github.com/systemd/systemd/blob/master/src/core/execute.c#L1857 > > >> > > >> > > >>(specifically, we all mkdir_p_label() instead of plain mkdir_p() > > >> there) > > > > And this is working now, presumably after a reboot? I do so love > > non-deterministic computers. :-/ > > > > -- > > ======================================================================== > > Ian Pilcher arequipeno@xxxxxxxxx > > -------- "I grew up before Mark Zuckerberg invented friendship" -------- > > ======================================================================== > > > > > > _______________________________________________ > Selinux mailing list > Selinux@xxxxxxxxxxxxx > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > To get help, send an email containing "help" to > Selinux-request@xxxxxxxxxxxxx. > _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
