Re: [systemd-devel] SELinux type transition rule not working

2017-03-03 Thread Simon Sekidde


- Original Message -
> From: "Ian Pilcher" <arequip...@gmail.com>
> To: "Simon Sekidde" <sseki...@redhat.com>
> Cc: "Systemd" <systemd-devel@lists.freedesktop.org>, seli...@tycho.nsa.gov
> Sent: Friday, March 3, 2017 2:32:54 PM
> Subject: Re: [systemd-devel] SELinux type transition rule not working
> 
> On 03/03/2017 10:45 AM, Simon Sekidde wrote:
> > Ian do you have a copy of this custom policy somewhere?
> 
> https://github.com/ipilcher/squoxy/blob/master/squoxy.te
> 

Thanks. Let's try to get a template going and we can help clean it up.

 sepolicy generate --init -n squoxy /usr/local/bin/squoxy

> --
> 
> Ian Pilcher arequip...@gmail.com
>  "I grew up before Mark Zuckerberg invented friendship" 
> 
> 

-- 
Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA
Solution Architect, NA Public Sector
sseki...@redhat.com | (w) 978-392-1074 | (m) 571-551-9366 | @ssekidde
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E


___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel


Re: [systemd-devel] SELinux type transition rule not working

2017-03-03 Thread Simon Sekidde
Ian do you have a copy of this custom policy somewhere?

- Original Message -
> From: "Simon Sekidde" <sseki...@redhat.com>
> To: "Ian Pilcher" <arequip...@gmail.com>
> Cc: "Systemd" <systemd-devel@lists.freedesktop.org>, lenn...@poettering.net, 
> seli...@tycho.nsa.gov
> Sent: Friday, March 3, 2017 11:01:59 AM
> Subject: Re: [systemd-devel] SELinux type transition rule not working
> 
> 
> 
> - Original Message -
> > From: "Ian Pilcher" <arequip...@gmail.com>
> > To: "Simon Sekidde" <sseki...@redhat.com>
> > Cc: "Systemd" <systemd-devel@lists.freedesktop.org>, seli...@tycho.nsa.gov,
> > lenn...@poettering.net
> > Sent: Friday, March 3, 2017 10:44:18 AM
> > Subject: Re: [systemd-devel] SELinux type transition rule not working
> > 
> > On 03/02/2017 09:13 AM, Simon Sekidde wrote:
> > > I assume this would be a pid file?
> > 
> > You assume correctly.
> > 
> > > If so then what you are probably looking for is a filename_trans rule
> > > and will require a new interface in squid.if for this.
> > >
> > > Try something like
> > >
> > > interface(`squid_filetrans_named_content',`
> > > gen_require(`
> > >     type squid_var_run_t;
> > > ')
> > >
> > >     files_pid_filetrans($1, squid_var_run_t, dir, "squozy")
> > > ')
> > 
> > Not sure where squid came from.  The service is one of my own making
> > called "squoxy" (short for "Squeezebox proxy").  Its purpose is to
> > forward Squeezebox discovery broadcast packets from one network to
> > another.
> > 
> 
> Sorry I must have been doing something in the squid policy while I was
> responding to this...
> 
> > So I assume that I would need to add something like this to my policy
> > module:
> > 
> >     files_pid_filetrans(var_run_t, squoxy_var_run_t, dir, "squoxy")
> > 
> > (I'm guessing at what to put in for $1.)
> > 
> 
> files_pid_filetrans(squoxy_t, squoxy_var_run_t, dir, "squoxy")
> 
> Files created by the squoxy_t processes in the var_run_t directory will be
> created with the squoxy_var_run_t label.
> 
> > >> Hmm, so the relevant code in systemd actually labels the dir after
> > >> creating it after an selinux database lookup, so from our side all
> > >> should be good:
> > >>
> > >> https://github.com/systemd/systemd/blob/master/src/core/execute.c#L1857
> > >>
> > >>
> > >> (specifically, we call mkdir_p_label() instead of plain mkdir_p()
> > >> there)
> > 
> > And this is working now, presumably after a reboot?  I do so love
> > non-deterministic computers.  :-/
> > 
> > --
> > 
> > Ian Pilcher arequip...@gmail.com
> >  "I grew up before Mark Zuckerberg invented friendship" 
> > 
> > 
> 
> 
> 
> ___
> Selinux mailing list
> seli...@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to
> selinux-requ...@tycho.nsa.gov.
> 



Re: [systemd-devel] SELinux type transition rule not working

2017-03-03 Thread Simon Sekidde


- Original Message -
> From: "Ian Pilcher" <arequip...@gmail.com>
> To: "Simon Sekidde" <sseki...@redhat.com>
> Cc: "Systemd" <systemd-devel@lists.freedesktop.org>, seli...@tycho.nsa.gov, 
> lenn...@poettering.net
> Sent: Friday, March 3, 2017 10:44:18 AM
> Subject: Re: [systemd-devel] SELinux type transition rule not working
> 
> On 03/02/2017 09:13 AM, Simon Sekidde wrote:
> > I assume this would be a pid file?
> 
> You assume correctly.
> 
> > If so then what you are probably looking for is a filename_trans rule
> > and will require a new interface in squid.if for this.
> >
> > Try something like
> >
> > interface(`squid_filetrans_named_content',`
> > gen_require(`
> >     type squid_var_run_t;
> > ')
> >
> >     files_pid_filetrans($1, squid_var_run_t, dir, "squozy")
> > ')
> 
> Not sure where squid came from.  The service is one of my own making
> called "squoxy" (short for "Squeezebox proxy").  Its purpose is to
> forward Squeezebox discovery broadcast packets from one network to
> another.
> 

Sorry I must have been doing something in the squid policy while I was 
responding to this... 

> So I assume that I would need to add something like this to my policy
> module:
> 
>     files_pid_filetrans(var_run_t, squoxy_var_run_t, dir, "squoxy")
> 
> (I'm guessing at what to put in for $1.)
> 

files_pid_filetrans(squoxy_t, squoxy_var_run_t, dir, "squoxy") 

Files created by the squoxy_t processes in the var_run_t directory will be
created with the squoxy_var_run_t label.

> >> Hmm, so the relevant code in systemd actually labels the dir after
> >> creating it after an selinux database lookup, so from our side all
> >> should be good:
> >>
> >> https://github.com/systemd/systemd/blob/master/src/core/execute.c#L1857
> >>
> >>
> >> (specifically, we call mkdir_p_label() instead of plain mkdir_p()
> >> there)
> 
> And this is working now, presumably after a reboot?  I do so love
> non-deterministic computers.  :-/
> 
> --
> 
> Ian Pilcher arequip...@gmail.com
>  "I grew up before Mark Zuckerberg invented friendship" 
> 
> 



Re: [systemd-devel] SELinux type transition rule not working

2017-03-02 Thread Simon Sekidde


- Original Message -
> From: "Lennart Poettering" <lenn...@poettering.net>
> To: "Ian Pilcher" <arequip...@gmail.com>
> Cc: "Systemd" <systemd-devel@lists.freedesktop.org>, seli...@tycho.nsa.gov
> Sent: Wednesday, March 1, 2017 5:25:11 PM
> Subject: Re: [systemd-devel] SELinux type transition rule not working
> 
> On Wed, 01.03.17 15:40, Ian Pilcher (arequip...@gmail.com) wrote:
> 
> > I am using systemd's RuntimeDirectory to create a directory for a
> > service.
> > 
> >     RuntimeDirectory=squoxy
> > 
> > This causes systemd to create /run/squoxy before starting my service,
> > but I haven't been able to get the SELinux context set correctly on the
> > directory.
> > 
> > I've set file context rules for both /run/squoxy and /var/run/squoxy:
> > 
> > ^/var/run/squoxy(/.*)?  all files  system_u:object_r:squoxy_var_run_t:s0
> > ^/run/squoxy(/.*)?  all files  system_u:object_r:squoxy_var_run_t:s0
> > 
> > And, indeed, restorecon will set the context of the directory to
> > squoxy_var_run_t.
> > 
> > I've also added a type transition rule, attempting to get the correct
> > context applied automatically when systemd creates the directory:
> > 
> > type_transition init_t var_run_t : dir squoxy_var_run_t "squoxy";
> > 
> > But the directory is still being created as var_run_t:
> > 
> > drwxr-xr-x. nobody nobody system_u:object_r:var_run_t:s0   /run/squoxy
> > 
> > What am I doing wrong?
> 

Ian, 

I assume this would be a pid file?

If so then what you are probably looking for is a filename_trans rule and will 
require a new interface in squid.if for this. 

Try something like

interface(`squid_filetrans_named_content',`
gen_require(`
    type squid_var_run_t;
')

    files_pid_filetrans($1, squid_var_run_t, dir, "squozy")
')

> Hmm, so the relevant code in systemd actually labels the dir after
> creating it after an selinux database lookup, so from our side all
> should be good:
> 
> https://github.com/systemd/systemd/blob/master/src/core/execute.c#L1857
> 
> (specifically, we call mkdir_p_label() instead of plain mkdir_p() there)
> 
> My own understanding of SELinux is finite however. I'd recommend
> pinging the SELinux folks for help on this,
> 

We got you covered! 

> Lennart
> 
> --
> Lennart Poettering, Red Hat
> 

-- 
Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA
Solution Architect, NA Public Sector
sseki...@redhat.com | (w) 978-392-1074 | (m) 571-551-9366 | @ssekidde
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E

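As an added example (not code from this thread or from the squoxy project), the script below assembles the policy pieces the thread settles on: the file contexts for /run/squoxy that restorecon and systemd's mkdir_p_label() consult, and the corrected files_pid_filetrans(squoxy_t, squoxy_var_run_t, dir, "squoxy") rule in place of the squid-named interface; it then builds and loads the module and checks the label systemd gave the RuntimeDirectory. The module name and version, the permissions granted to squoxy_t and the unit name squoxy.service are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from squoxy. Assumes the Fedora/
# refpolicy devel macros and standard SELinux tools; module name, version
# and the permissions granted are assumptions.
set -eu

# The .te module: a domain for the daemon plus the named file transition
# the thread arrives at, so squoxy_t creates /run/squoxy with its own type.
squoxy_te() {
    cat <<'EOF'
policy_module(squoxy, 1.0)
type squoxy_t;
type squoxy_exec_t;
init_daemon_domain(squoxy_t, squoxy_exec_t)
type squoxy_var_run_t;
files_pid_file(squoxy_var_run_t)
manage_dirs_pattern(squoxy_t, squoxy_var_run_t, squoxy_var_run_t)
manage_files_pattern(squoxy_t, squoxy_var_run_t, squoxy_var_run_t)
files_pid_filetrans(squoxy_t, squoxy_var_run_t, dir, "squoxy")
EOF
}

# File contexts: what restorecon and systemd's mkdir_p_label() look up.
squoxy_fc() {
    cat <<'EOF'
/usr/local/bin/squoxy  --  gen_context(system_u:object_r:squoxy_exec_t,s0)
/run/squoxy(/.*)?          gen_context(system_u:object_r:squoxy_var_run_t,s0)
/var/run/squoxy(/.*)?      gen_context(system_u:object_r:squoxy_var_run_t,s0)
EOF
}

# Extract the SELinux type from one "ls -Zd" line, e.g.
# "drwxr-xr-x. nobody nobody system_u:object_r:var_run_t:s0 /run/squoxy".
type_of_ls_line() {
    printf '%s\n' "$1" | sed -n 's/.*:object_r:\([^:]*\):.*/\1/p'
}

# Build, load, restart the unit and verify the RuntimeDirectory label.
apply_and_check() {
    squoxy_te > squoxy.te
    squoxy_fc > squoxy.fc
    make -f /usr/share/selinux/devel/Makefile squoxy.pp
    semodule -i squoxy.pp
    systemctl restart squoxy.service
    got=$(type_of_ls_line "$(ls -Zd /run/squoxy)")
    [ "$got" = squoxy_var_run_t ] || { echo "label is $got" >&2; exit 1; }
    sesearch -T -s squoxy_t -t var_run_t -c dir   # show the compiled rule
}

if [ "${1:-}" = apply ]; then apply_and_check; fi
```

Run it as `sh squoxy-policy.sh apply` on the target host. If /run/squoxy already exists from an earlier start, mkdir_p_label() has nothing to create and will not relabel it, so run restorecon on that directory (or remove it) before the restart.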