Fedora 21 with selinux-policy-targeted-3.13.1-105.3
I've installed a local policy for PHP-FPM based off of https://github.com/prometheanfire/selinux-modules which defines several new types (to avoid conflicting with httpd_t type aliases in Fedora). I can't include everything in the .fc file for the local policy because I need to change the file contexts defined in other modules, so I set local contexts using semanage. This was working fine in Fedora 20, but here is what happens in Fedora 21:
[root@ice ~]# semanage fcontext -a -t phpfcgi_exec_t /usr/sbin/php-fpm   # this works fine
[root@ice ~]# semanage fcontext -a -t phpfcgi_var_run_t "/var/run/php-fpm(/.*)?"   # fails
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
OSError: No such file or directory
[root@ice ~]# semanage fcontext -a -t phpfcgi_var_run_t "/var/run/php-fpm"   # but this works
[root@ice ~]#
Does anyone have any idea why the first and third commands above work, but the second one no longer works under Fedora 21? The error message isn't very helpful. I've searched the web and looked at the libsemanage source code, but neither was helpful. I've also run strace on the commands that succeed and compared the output to running strace on the command that failed, but I don't see any system calls that shed light on the problem (including nothing just prior to the write() calls for the error message that returns ENOENT).
Here is some additional information. Note that I can add file context patterns very similar to the one that is failing above without any problems, such as "fcontext -a -f a -t selinux_config_t '/var/lib/config(/.*)?'"
[root@ice ~]# ls -ldZ /var/run/php-fpm
drwxr-xr-x. root root system_u:object_r:httpd_var_run_t:s0 /var/run/php-fpm
[root@ice ~]# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -0 abrt_upload_watch_anon_write
boolean -m -0 auditadm_exec_content
boolean -m -0 boinc_execmem
boolean -m -0 cron_userdomain_transition
boolean -m -1 daemons_dump_core
boolean -m -0 dbadm_exec_content
boolean -m -1 deny_execmem
boolean -m -1 deny_ptrace
boolean -m -0 entropyd_use_audio
boolean -m -0 gluster_export_all_rw
boolean -m -0 gssd_read_tmp
boolean -m -0 guest_exec_content
boolean -m -0 httpd_builtin_scripting
boolean -m -1 httpd_can_network_connect
boolean -m -0 kerberos_enabled
boolean -m -0 logadm_exec_content
boolean -m -0 logging_syslogd_use_tty
boolean -m -0 nfs_export_all_ro
boolean -m -0 nfs_export_all_rw
boolean -m -0 openvpn_can_network_connect
boolean -m -0 openvpn_enable_homedirs
boolean -m -1 polyinstantiation_enabled
boolean -m -0 postfix_local_write_mail_spool
boolean -m -0 postgresql_selinux_unconfined_dbadm
boolean -m -0 postgresql_selinux_users_ddl
boolean -m -0 privoxy_connect_any
boolean -m -0 secadm_exec_content
boolean -m -0 selinuxuser_direct_dri_enabled
boolean -m -0 selinuxuser_execmod
boolean -m -0 selinuxuser_execstack
boolean -m -0 spamd_enable_home_dirs
boolean -m -0 squid_connect_any
boolean -m -0 telepathy_tcp_connect_generic_network_ports
boolean -m -0 unconfined_chrome_sandbox_transition
boolean -m -0 unconfined_login
boolean -m -0 unconfined_mozilla_plugin_transition
boolean -m -0 virt_use_usb
boolean -m -0 xend_run_blktap
boolean -m -0 xend_run_qemu
boolean -m -0 xguest_connect_network
boolean -m -0 xguest_exec_content
boolean -m -0 xguest_mount_media
boolean -m -0 xguest_use_bluetooth
login -a -s guest_u -r 's0' __default__
login -a -s staff_u -r 's0' markmont
login -a -s unconfined_u -r 's0-s0:c0.c1023' root
login -a -s system_u -r 's0-s0:c0.c1023' system_u
user -a -L s0 -r s0-s0:c0.c1023 -R 'staff_r unconfined_r system_r' staff_u
fcontext -a -f a -t iptables_exec_t '/etc/systemd/ipset'
fcontext -a -f a -t initrc_exec_t '/etc/systemd/selinux-lockdown'
fcontext -a -f a -t tmp_t '/tmp/tmp-inst'
fcontext -a -f a -t selinux_config_t '/var/lib/config(/.*)?'
fcontext -a -f a -t tmp_t '/var/tmp/tmp-inst'
module -d permissivedomains
module -d unconfined
module -d unlabelednet
[root@ice ~]#
On 03/07/2015 08:50 PM, Mark Montague wrote:
Could you please open a new bug against libsemanage for now?
Thank you.
On 2015-03-09 10:33, Miroslav Grepl wrote:
Could you please open a new bug against libsemanage for now?
Thanks! I've created a minimal test case and submitted this as Bugzilla 1200181:
https://bugzilla.redhat.com/show_bug.cgi?id=1200181
I need to create a directory in a C binary.
I am currently doing something similar to this:
status = mkdir("/home/cnd/mod1", S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
But when the directory is created it ends up with the wrong SELinux context. It inherits its parent's context and not the one defined in file context. Is there a C call that can be used that understands how to correctly create and label SELinux directories?
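As an added example (not code from the thread or from any of the posters): the answer to "is there a C call for this" on the application side is libselinux. Look up the label that file_contexts assigns to the new path with selabel_open()/selabel_lookup(), set it as the process's file-creation context with setfscreatecon() for the duration of the mkdir(2), then clear it again. That is the same sequence `mkdir -Z` and restorecon rely on, so the result agrees with what `restorecon` would later apply. The libselinux prototypes are declared weak here so the file builds and runs even without libselinux-devel; in that case (or with SELinux disabled) the function falls back to a plain mkdir and reports that no label was applied. The demo path under /tmp is constructed for the example. A policy-side file transition (the approach suggested later in the thread) needs no code change at all; this is the alternative when you want the program itself to honour file_contexts.

```c
/* Create a directory labelled per file_contexts instead of inheriting the
 * parent's SELinux context.  Added example, not from the mailing list thread.
 *
 * Build:  gcc -Wall labeled_mkdir.c -lselinux   (real labelling)
 *         gcc -Wall labeled_mkdir.c             (weak symbols unresolved: plain mkdir)
 */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes mirror <selinux/selinux.h> and <selinux/label.h>.  Declared
 * weak so that linking without -lselinux leaves them NULL instead of failing. */
struct selabel_handle;
struct selinux_opt;
#ifndef SELABEL_CTX_FILE
#define SELABEL_CTX_FILE 0   /* file_contexts backend, value from <selinux/label.h> */
#endif
extern int is_selinux_enabled(void) __attribute__((weak));
extern struct selabel_handle *selabel_open(unsigned int backend,
                                           const struct selinux_opt *opts,
                                           unsigned nopts) __attribute__((weak));
extern int selabel_lookup(struct selabel_handle *h, char **con,
                          const char *key, int type) __attribute__((weak));
extern void selabel_close(struct selabel_handle *h) __attribute__((weak));
extern int setfscreatecon(const char *context) __attribute__((weak));
extern void freecon(char *con) __attribute__((weak));

/* 1 when libselinux is linked in and SELinux is enabled on this host. */
int selinux_labeling_available(void)
{
    return is_selinux_enabled != NULL && selabel_open != NULL &&
           is_selinux_enabled() > 0;
}

/* mkdir(path, mode) whose label follows file_contexts.  Returns 0 on success,
 * -1 with errno set on failure.  *labeled (may be NULL) becomes 1 if a
 * file_contexts label was applied, 0 if the directory inherited its parent's
 * label (SELinux unavailable, or no file_contexts entry for this path). */
int labeled_mkdir(const char *path, mode_t mode, int *labeled)
{
    char *con = NULL;
    int applied = 0;

    if (selinux_labeling_available()) {
        struct selabel_handle *h = selabel_open(SELABEL_CTX_FILE, NULL, 0);
        if (h == NULL)
            return -1;                        /* file_contexts unreadable */
        if (selabel_lookup(h, &con, path, S_IFDIR) == 0) {
            /* Refuse to silently create a mislabelled directory. */
            if (setfscreatecon(con) != 0) {
                int saved = errno;
                freecon(con);
                selabel_close(h);
                errno = saved;
                return -1;
            }
            applied = 1;
        } else if (errno != ENOENT) {         /* ENOENT = no entry, inherit */
            int saved = errno;
            selabel_close(h);
            errno = saved;
            return -1;
        }
        selabel_close(h);
    }

    int rc = mkdir(path, mode);
    int saved = errno;
    if (applied) {
        setfscreatecon(NULL);                 /* always restore the default */
        freecon(con);
    }
    if (labeled != NULL)
        *labeled = (rc == 0) ? applied : 0;
    errno = saved;
    return rc;
}

/* Self-check on a constructed temp path: create, verify, detect EEXIST, clean up.
 * Returns 0 on success, a negative step number on failure. */
int demo(void)
{
    char parent[] = "/tmp/labeled_mkdir_XXXXXX";   /* constructed sample path */
    char child[PATH_MAX];
    struct stat st;
    int labeled = -1;

    if (mkdtemp(parent) == NULL)
        return -1;
    snprintf(child, sizeof child, "%s/mod1", parent);
    if (labeled_mkdir(child, S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH, &labeled) != 0) {
        rmdir(parent);
        return -2;
    }
    if (stat(child, &st) != 0 || !S_ISDIR(st.st_mode)) {
        rmdir(child); rmdir(parent);
        return -3;
    }
    if (labeled_mkdir(child, 0755, NULL) == 0 || errno != EEXIST) {
        rmdir(child); rmdir(parent);
        return -4;
    }
    printf("%s created; file_contexts label applied: %s\n", child,
           labeled ? "yes" : "no (inherited from parent)");
    rmdir(child);
    rmdir(parent);
    return 0;
}

int main(void)
{
    return demo() == 0 ? 0 : 1;
}
```

Check the result the same way the thread does, with `ls -ldZ` on the new directory; when labelling was applied, the context shown is the one `matchpathcon` prints for that path.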
Hi,
On 03/24/2015 10:45 PM, Jayson Hurst wrote:
I need to create a directory in a C binary.
I am currently doing something similar to this:
status = mkdir("/home/cnd/mod1", S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
But when the directory is created it ends up with the wrong SELinux context. It inherits its parent's context and not the one defined in file context.
This is the right behavior. When you create a file it inherits its parent's context.
Is there a C call that can be used that understands how to correctly create and label SElinux directories?
You can define a filename transition in the SELinux policy related to your daemon. More information and a tutorial on how to use it can be found here: http://danwalsh.livejournal.com/46018.html
If you need some help, please feel free to contact me.
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On 03/24/2015 10:45 PM, Jayson Hurst wrote:
I need to create a directory in a C binary.
I am currently doing something similar to this:
status = mkdir("/home/cnd/mod1", S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
But when the directory is created it ends up with the wrong SELinux context. It inherits its parent's context and not the one defined in file context.
What is your OS?
Is there a C call that can be used that understands how to correctly create and label SElinux directories?
RHEL 6.5
I have tried this using a filetrans pattern but it doesn't seem to work.
Date: Wed, 25 Mar 2015 09:32:32 +0100 From: mgrepl@redhat.com To: swazup@hotmail.com; selinux@lists.fedoraproject.org Subject: Re: How do I create a directory in C that will follow selinux file context rules?
-- Miroslav Grepl Software Engineering, SELinux Solutions Red Hat, Inc.
I'm afraid my solution will not work with RHEL 6.5. We must come up with some other solution.
On 03/26/2015 04:17 PM, Jayson Hurst wrote:
Ok, basically you can add a transition rule for "/home/cnd/mod1"
userdom_user_home_dir_filetrans(unconfined_t, ABC_t, dir)
It will create a dir in /home/cnd with ABC_t labeling for unconfined_t or for a domain defined by you.
Where you are not able to use a file transition, you can use restorecond on RHEL6. It uses inotify to watch files listed in
/etc/selinux/restorecond.conf /etc/selinux/restorecond_user.conf
when they are created and it sets a context defined in the policy.
What I don't understand is why the filetrans doesn't work in the first place?
In my policy I define:
filetrans_pattern(vasd_t, vasd_var_t, vasd_var_auth_t, dir )
But when my binary that runs under the vasd_t domain as an unconfined user creates a directory in /var/opt/quest/vas/ called vasd it gets created as a vasd_var_t.
The parent directory of /var/opt/quest/vas is labeled as vasd_var_t. Shouldn't the above filetrans_pattern label all new directories under /var/opt/quest/vas as vasd_var_auth_t when they are being created under the vasd_t domain?
Date: Thu, 26 Mar 2015 18:24:01 +0100 From: mgrepl@redhat.com To: swazup@hotmail.com; selinux@lists.fedoraproject.org Subject: Re: How do I create a directory in C that will follow selinux file context rules?
On 03/26/2015 08:37 PM, Jayson Hurst wrote:
It should work. Are you sure you create it under vasd_t? Also you need to have
manage_dirs_pattern(vasd_t, vasd_var_auth_t, vasd_var_auth_t)
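Added example, not a file from the thread or from either poster: a minimal local policy module that puts together the two rules discussed above, the `userdom_user_home_dir_filetrans`/`filetrans_pattern` transition and the `manage_dirs_pattern` permission Miroslav says must accompany it, using the vasd_t, vasd_var_t and vasd_var_auth_t types and the /var/opt/quest/vas/vasd path from Jayson's messages. The module name `vasd_local` and the version number are assumptions; the .fc line is included so that restorecon and a transition-created directory agree on the label.

```text
# vasd_local.te  (added example; module name is an assumption)
policy_module(vasd_local, 1.0)

require {
    type vasd_t;
    type vasd_var_t;
    type vasd_var_auth_t;
}

# Directories that a vasd_t process creates inside a vasd_var_t directory are
# labelled vasd_var_auth_t instead of inheriting vasd_var_t.  filetrans_pattern
# also grants rw_dir_perms on the vasd_var_t parent directory.
filetrans_pattern(vasd_t, vasd_var_t, vasd_var_auth_t, dir)

# The transition by itself grants nothing on the new type: without this,
# the mkdir is denied once the kernel computes the vasd_var_auth_t label.
manage_dirs_pattern(vasd_t, vasd_var_auth_t, vasd_var_auth_t)

# vasd_local.fc  (keeps restorecon consistent with the transition)
/var/opt/quest/vas/vasd(/.*)?    gen_context(system_u:object_r:vasd_var_auth_t,s0)
```

Build and load it with `make -f /usr/share/selinux/devel/Makefile vasd_local.pp` followed by `semodule -i vasd_local.pp`. Two checks cover the failure described in the thread: `sesearch -T -s vasd_t -t vasd_var_t -c dir` confirms the type_transition is in the loaded policy, and `ps -eZ | grep vasd` confirms the creating process really runs as vasd_t, since a type_transition is keyed on the process domain and never fires for a process that is actually running as unconfined_t. The earlier `userdom_user_home_dir_filetrans(unconfined_t, ABC_t, dir)` line is the same pattern with the user home directory type as the parent.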