On 03/01/2017 04:28 PM, cgzones wrote:
> Can you try a transition from initrc_t or the interface

I've added a rule for initrc_t (although I'm 99% sure that is no longer
used under systemd):

  type_transition init_t var_run_t : dir squoxy_var_run_t "squoxy";
  type_transition initrc_t var_run_t : dir squoxy_var_run_t "squoxy";

No change in behavior.  The directory still ends up as var_run_t.

> init_daemon_pid_file()

I can't find any documentation of this interface, and it doesn't appear
to exist on Fedora 25 or CentOS 7.  Attempting to use it just gives me a
syntax error:

squoxy.te:17:ERROR 'syntax error' at token 'init_daemon_pid_file' on line 3513: # PID file
init_daemon_pid_file(squoxy_var_run_t, dir, "squoxy")

Here is the entire file:

policy_module(squoxy, 0.0.1)

require {
        type kernel_t;
        type devlog_t;
        type node_t;
};

type squoxy_t;
type squoxy_exec_t;
type squoxy_var_run_t;

init_daemon_domain(squoxy_t, squoxy_exec_t)
files_type(squoxy_var_run_t)

# PID file
init_daemon_pid_file(squoxy_var_run_t, dir, "squoxy")
allow squoxy_t squoxy_var_run_t:dir { search write add_name };
allow squoxy_t squoxy_var_run_t:file { create write open };

# Sockets
allow squoxy_t self:rawip_socket { create bind setopt ioctl read write };
allow squoxy_t node_t:rawip_socket { node_bind };
allow squoxy_t self:capability { net_raw };

# syslog
allow squoxy_t self:unix_dgram_socket { create connect write };
allow squoxy_t kernel_t:unix_dgram_socket { sendto };
allow squoxy_t devlog_t:sock_file { write };

Per Lennart's response, systemd *should* be honoring the file context
rules when creating the directory.  It's almost as if the directory is
being created with the proper context, but something is changing it
after the fact.  I have absolutely no idea what that might be, though.

--
========================================================================
Ian Pilcher                                         arequip...@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
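The type_transition rules in the message above are keyed on the creating domain (init_t, initrc_t), whereas restorecon and other selabel-based callers label by path from the policy's file_contexts database. The following Python is an added example, not code from the thread: it emulates the file_contexts(5) lookup on a constructed fragment (FC_TEXT, and the helper names are hypothetical) to show that without a /run/squoxy entry the generic /run entry yields var_run_t, which is the observed result.

```python
import re

# Constructed file_contexts fragment in compiled (post-gen_context) form.
# Line 1 mirrors the generic reference-policy entry for /run; line 2 is the
# squoxy-specific entry that the posted .te module does not ship with.
FC_TEXT = """\
/run(/.*)?            system_u:object_r:var_run_t:s0
/run/squoxy(/.*)?     system_u:object_r:squoxy_var_run_t:s0
"""

def parse_file_contexts(text):
    """Parse 'regex [type] context' lines into (regex, type_or_None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            specs.append((fields[0], fields[1], fields[2]))
        else:
            specs.append((fields[0], None, fields[1]))
    return specs

def lookup_context(specs, path, ftype=None):
    """Expected context for path: the last matching entry wins, as in
    file_contexts(5). An entry with a type field ('-d' directory, '--'
    regular file, ...) only matches when the caller supplies that type."""
    for regex, spec_type, ctx in reversed(specs):
        if spec_type is not None and ftype is not None and spec_type != ftype:
            continue
        if re.fullmatch(regex, path):
            return None if ctx == "<<none>>" else ctx
    return None

def check_label(specs, path, observed_ctx, ftype=None):
    """Compare a context observed on disk (e.g. from `ls -Zd`) with the
    policy's expectation. Returns (expected_context, matches)."""
    expected = lookup_context(specs, path, ftype)
    return expected, expected == observed_ctx

if __name__ == "__main__":
    specs = parse_file_contexts(FC_TEXT)
    # Constructed observation matching the thread: /run/squoxy is var_run_t.
    observed = "system_u:object_r:var_run_t:s0"
    print(check_label(specs[:1], "/run/squoxy", observed, "-d"))  # generic entry only
    print(check_label(specs, "/run/squoxy", observed, "-d"))      # with squoxy entry
```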
