[systemd-devel] SELinux type transition rule not working

Ian Pilcher arequipeno at gmail.com
Wed Mar 1 23:28:07 UTC 2017


On 03/01/2017 04:28 PM, cgzones wrote:
> Can you try a transition from initrc_t or the interface

I've added a rule for initrc_t (although I'm 99% sure that is no longer
used under systemd):

   type_transition init_t var_run_t : dir squoxy_var_run_t "squoxy";
   type_transition initrc_t var_run_t : dir squoxy_var_run_t "squoxy";

No change in behavior.  The directory still ends up as var_run_t.

> init_daemon_pid_file()

I can't find any documentation of this interface, and it doesn't appear
to exist on Fedora 25 or CentOS 7.  Attempting to use it just gives me a
syntax error:

squoxy.te:17:ERROR 'syntax error' at token 'init_daemon_pid_file' on 
line 3513:
# PID file 

init_daemon_pid_file(squoxy_var_run_t, dir, "squoxy")

Here is the entire file:

policy_module(squoxy, 0.0.1)

require {
	type kernel_t;
	type devlog_t;
	type node_t;
};

type squoxy_t;
type squoxy_exec_t;
type squoxy_var_run_t;

init_daemon_domain(squoxy_t, squoxy_exec_t)
files_type(squoxy_var_run_t)

# PID file
init_daemon_pid_file(squoxy_var_run_t, dir, "squoxy")
allow squoxy_t squoxy_var_run_t:dir { search write add_name };
allow squoxy_t squoxy_var_run_t:file { create write open };

# Sockets
allow squoxy_t self:rawip_socket { create bind setopt ioctl read write };
allow squoxy_t node_t:rawip_socket { node_bind };
allow squoxy_t self:capability { net_raw };

# syslog
allow squoxy_t self:unix_dgram_socket { create connect write };
allow squoxy_t kernel_t:unix_dgram_socket { sendto };
allow squoxy_t devlog_t:sock_file { write };

Per Lennart's response, systemd *should* be honoring the file context
rules when creating the directory.  It's almost as if the directory is
being created with the proper context, but something is changing it
after the fact.  I have absolutely no idea what that might be, though.

-- 
========================================================================
Ian Pilcher                                         arequipeno at gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
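To make it easier to reason about why a rule like the ones above does or does not fire, here is a small simulator of the kernel's type_transition lookup. This is an added illustration, not code from the thread or from systemd/SELinux; the rule lines are the two from the post plus one constructed unnamed rule for contrast, and the file and path names are constructed. The point it shows: a named transition matches only on an exact last-path-component match, the parent directory's type and the object class (dir vs file) must both match, and with no matching rule the new object simply inherits the parent's type.

```python
"""Simulate the SELinux kernel's choice of type for a newly created object.

Added illustration, not code from the original thread.  Lookup order (as the
kernel does it): a named type_transition whose filename matches the last path
component wins, then an unnamed type_transition, otherwise the new object
inherits the type of its parent directory.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TypeTransition:
    source: str             # domain creating the object, e.g. init_t
    target: str             # type of the parent directory, e.g. var_run_t
    obj_class: str          # class being created: dir, file, sock_file, ...
    result: str             # type the new object receives
    name: Optional[str] = None   # last path component for named transitions


def parse_rule(line: str) -> TypeTransition:
    """Parse one 'type_transition SRC TGT : CLASS RESULT ["NAME"];' line."""
    body = line.strip().rstrip(";")
    keyword, rest = body.split(None, 1)
    if keyword != "type_transition":
        raise ValueError(f"not a type_transition rule: {line!r}")
    left, right = rest.split(":", 1)
    source, target = left.split()
    parts = right.split()
    obj_class, result = parts[0], parts[1]
    name = parts[2].strip('"') if len(parts) > 2 else None
    return TypeTransition(source, target, obj_class, result, name)


def resolve(rules: List[TypeTransition], source: str, parent_type: str,
            obj_class: str, name: str) -> Tuple[str, Optional[TypeTransition]]:
    """Return (resulting type, rule that fired or None if inherited)."""
    key = (source, parent_type, obj_class)
    # 1. named transition: the filename must match exactly
    for r in rules:
        if (r.source, r.target, r.obj_class) == key and r.name == name:
            return r.result, r
    # 2. unnamed transition for the same source/target/class
    for r in rules:
        if (r.source, r.target, r.obj_class) == key and r.name is None:
            return r.result, r
    # 3. no rule: inherit the parent directory's type
    return parent_type, None


def resolve_type(rules, source, parent_type, obj_class, name) -> str:
    return resolve(rules, source, parent_type, obj_class, name)[0]


# The two rules from the post, plus one constructed unnamed rule so the
# fallback path is exercised as well.
RULES = [parse_rule(l) for l in (
    'type_transition init_t var_run_t : dir squoxy_var_run_t "squoxy";',
    'type_transition initrc_t var_run_t : dir squoxy_var_run_t "squoxy";',
    'type_transition squoxy_t var_run_t : file squoxy_var_run_t;',  # constructed
)]


def main() -> None:
    # Constructed scenarios: (creating domain, parent type, class, name)
    cases = [
        ("init_t",   "var_run_t", "dir",  "squoxy"),      # named rule fires
        ("init_t",   "var_run_t", "dir",  "squoxy.d"),    # name mismatch
        ("init_t",   "var_run_t", "file", "squoxy"),      # class mismatch
        ("init_t",   "tmp_t",     "dir",  "squoxy"),      # wrong parent type
        ("squoxy_t", "var_run_t", "file", "squoxy.pid"),  # unnamed rule fires
    ]
    for src, parent, cls, nm in cases:
        result, rule = resolve(RULES, src, parent, cls, nm)
        how = "inherited from parent" if rule is None else (
            "named rule" if rule.name else "unnamed rule")
        print(f"{src:9} creates {cls:4} {nm!r:13} in {parent:10} -> {result:18} ({how})")


if __name__ == "__main__":
    main()
```

On a real system the same question is answered by checking what is actually loaded rather than what the .te file says: `sesearch -T -s init_t -t var_run_t -c dir` lists the transition rules the kernel holds for that triple, and `ls -dZ` on the directory shows the label it ended up with. Note that this simulates only the kernel's type_transition lookup; the file-context lookup that a userspace labeler such as systemd performs when it creates and labels a directory (the "file context rules" referred to above) is a separate mechanism, so a correct type_transition rule alone does not determine the label seen on disk.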
