Fedora 21 with selinux-policy-targeted-3.13.1-105.3
I've installed a local policy for PHP-FPM based off of https://github.com/prometheanfire/selinux-modules which defines several new types (to avoid conflicting with httpd_t type aliases in Fedora). I can't include everything in the .fc file for the local policy because I need to change the file contexts defined in other modules, so I set local contexts using semanage. This was working fine in Fedora 20, but here is what happens in Fedora 21:
[root@ice ~]# semanage fcontext -a -t phpfcgi_exec_t /usr/sbin/php-fpm   # this works fine
[root@ice ~]# semanage fcontext -a -t phpfcgi_var_run_t "/var/run/php-fpm(/.*)?"   # fails
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
OSError: No such file or directory
[root@ice ~]# semanage fcontext -a -t phpfcgi_var_run_t "/var/run/php-fpm"   # but this works
[root@ice ~]#
Does anyone have any idea why the first and third commands above work, but the second one no longer works under Fedora 21? The error message isn't very helpful. I've searched the web and looked at the libsemanage source code, but neither was helpful. I've also run strace on the commands that succeed and compared the output to running strace on the command that failed, but I don't see any system calls that shed light on the problem (including nothing just prior to the write() calls for the error message that returns ENOENT).
Here is some additional information. Note that I can add file context patterns very similar to the one that is failing above without any problems, such as "fcontext -a -f a -t selinux_config_t '/var/lib/config(/.*)?'"
[root@ice ~]# ls -ldZ /var/run/php-fpm
drwxr-xr-x. root root system_u:object_r:httpd_var_run_t:s0 /var/run/php-fpm
[root@ice ~]# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -0 abrt_upload_watch_anon_write
boolean -m -0 auditadm_exec_content
boolean -m -0 boinc_execmem
boolean -m -0 cron_userdomain_transition
boolean -m -1 daemons_dump_core
boolean -m -0 dbadm_exec_content
boolean -m -1 deny_execmem
boolean -m -1 deny_ptrace
boolean -m -0 entropyd_use_audio
boolean -m -0 gluster_export_all_rw
boolean -m -0 gssd_read_tmp
boolean -m -0 guest_exec_content
boolean -m -0 httpd_builtin_scripting
boolean -m -1 httpd_can_network_connect
boolean -m -0 kerberos_enabled
boolean -m -0 logadm_exec_content
boolean -m -0 logging_syslogd_use_tty
boolean -m -0 nfs_export_all_ro
boolean -m -0 nfs_export_all_rw
boolean -m -0 openvpn_can_network_connect
boolean -m -0 openvpn_enable_homedirs
boolean -m -1 polyinstantiation_enabled
boolean -m -0 postfix_local_write_mail_spool
boolean -m -0 postgresql_selinux_unconfined_dbadm
boolean -m -0 postgresql_selinux_users_ddl
boolean -m -0 privoxy_connect_any
boolean -m -0 secadm_exec_content
boolean -m -0 selinuxuser_direct_dri_enabled
boolean -m -0 selinuxuser_execmod
boolean -m -0 selinuxuser_execstack
boolean -m -0 spamd_enable_home_dirs
boolean -m -0 squid_connect_any
boolean -m -0 telepathy_tcp_connect_generic_network_ports
boolean -m -0 unconfined_chrome_sandbox_transition
boolean -m -0 unconfined_login
boolean -m -0 unconfined_mozilla_plugin_transition
boolean -m -0 virt_use_usb
boolean -m -0 xend_run_blktap
boolean -m -0 xend_run_qemu
boolean -m -0 xguest_connect_network
boolean -m -0 xguest_exec_content
boolean -m -0 xguest_mount_media
boolean -m -0 xguest_use_bluetooth
login -a -s guest_u -r 's0' __default__
login -a -s staff_u -r 's0' markmont
login -a -s unconfined_u -r 's0-s0:c0.c1023' root
login -a -s system_u -r 's0-s0:c0.c1023' system_u
user -a -L s0 -r s0-s0:c0.c1023 -R 'staff_r unconfined_r system_r' staff_u
fcontext -a -f a -t iptables_exec_t '/etc/systemd/ipset'
fcontext -a -f a -t initrc_exec_t '/etc/systemd/selinux-lockdown'
fcontext -a -f a -t tmp_t '/tmp/tmp-inst'
fcontext -a -f a -t selinux_config_t '/var/lib/config(/.*)?'
fcontext -a -f a -t tmp_t '/var/tmp/tmp-inst'
module -d permissivedomains
module -d unconfined
module -d unlabelednet
[root@ice ~]#
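As an added example (not from the original post or from the linked selinux-modules project), here is a small Python checker that parses fcontext lines in the `semanage export` format shown above and reports which local rule would label a given path. It assumes only the local rules (not the base file_contexts) and approximates libselinux lookup as "anchored regex, last matching entry wins"; the sample rules are constructed and include the two php-fpm rules the question tries to add, which shows why the regex form is needed to cover files under /var/run/php-fpm and not just the directory itself.

```python
import re

# Constructed sample in `semanage export` format: two fcontext lines taken from
# the export above plus the two php-fpm rules the question is trying to add.
SAMPLE_EXPORT = """\
fcontext -a -f a -t iptables_exec_t '/etc/systemd/ipset'
fcontext -a -f a -t selinux_config_t '/var/lib/config(/.*)?'
fcontext -a -f a -t phpfcgi_exec_t '/usr/sbin/php-fpm'
fcontext -a -f a -t phpfcgi_var_run_t '/var/run/php-fpm(/.*)?'
"""

# One exported local file-context rule: fcontext -a -f <ftype> -t <type> '<regex>'
FCONTEXT_LINE = re.compile(r"^fcontext -a -f (\S+) -t (\S+) '(.*)'$")


def parse_export(text):
    """Return [(pattern, ftype, setype), ...] for every fcontext line in an
    export; other record kinds (boolean, login, module, ...) are ignored."""
    rules = []
    for line in text.splitlines():
        m = FCONTEXT_LINE.match(line.strip())
        if m:
            ftype, setype, pattern = m.groups()
            rules.append((pattern, ftype, setype))
    return rules


def match_rule(rules, path, ftype="a"):
    """Return the rule that would label `path`, or None if no rule matches.

    Approximation of libselinux lookup (assumed here): the pattern is anchored
    at both ends, and when several rules match the last one listed wins.
    `ftype` is the semanage file-type code ('a' any, 'd' directory, 'f' regular
    file, ...); a rule added with '-f a' applies to every file type.
    """
    winner = None
    for pattern, rule_ftype, setype in rules:
        if rule_ftype != "a" and ftype != "a" and rule_ftype != ftype:
            continue
        if re.fullmatch(pattern, path):
            winner = (pattern, rule_ftype, setype)
    return winner


def coverage(rules, paths):
    """Map each path to the SELinux type it would get (None when unmatched)."""
    return {p: (match_rule(rules, p) or (None, None, None))[2] for p in paths}
```

Run `coverage(parse_export(SAMPLE_EXPORT), ["/var/run/php-fpm", "/var/run/php-fpm/php-fpm.pid", "/var/run/php-fpm.sock"])` to see that the regex rule covers the directory and its children but not a sibling like /var/run/php-fpm.sock.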