[systemd-devel] SELinux type transition rule not working
Simon Sekidde
ssekidde at redhat.com
Thu Mar 2 15:13:48 UTC 2017
----- Original Message -----
> From: "Lennart Poettering" <lennart at poettering.net>
> To: "Ian Pilcher" <arequipeno at gmail.com>
> Cc: "Systemd" <systemd-devel at lists.freedesktop.org>, selinux at tycho.nsa.gov
> Sent: Wednesday, March 1, 2017 5:25:11 PM
> Subject: Re: [systemd-devel] SELinux type transition rule not working
>
> On Wed, 01.03.17 15:40, Ian Pilcher (arequipeno at gmail.com) wrote:
>
> > I am using systemd's RuntimeDirectory to create a directory for a
> > service.
> >
> > RuntimeDirectory=squoxy
> >
> > This causes systemd to create /run/squoxy before starting my service,
> > but I haven't been able to get the SELinux context set correctly on the
> > directory.
> >
> > I've set file context rules for both /run/squoxy and /var/run/squoxy:
> >
> > ^/var/run/squoxy(/.*)? all files system_u:object_r:squoxy_var_run_t:s0
> > ^/run/squoxy(/.*)? all files system_u:object_r:squoxy_var_run_t:s0
> >
> > And, indeed, restorecon will set the context of the directory to
> > squoxy_var_run_t.
> >
> > I've also added a type transition rule, attempting to get the correct
> > context applied automatically when systemd creates the directory:
> >
> > type_transition init_t var_run_t : dir squoxy_var_run_t "squoxy";
> >
> > But the directory is still being created as var_run_t:
> >
> > drwxr-xr-x. nobody nobody system_u:object_r:var_run_t:s0 /run/squoxy
> >
> > What am I doing wrong?
>
Ian,
I assume this would be a pid file?
If so then what you are probably looking for is a filename_trans rule and will require a new interface in squid.if for this.
Try something like
interface(`squid_filetrans_named_content',`
gen_require(`
type_squid_var_run_t;
')
files_pid_filetrans($1, squid_var_run_t, dir, "squozy")
')
> Hmm, so the relevant code in systemd actually labels the dir after
> creating it after an selinux database lookup, so from our side all
> should be good:
>
> https://github.com/systemd/systemd/blob/master/src/core/execute.c#L1857
>
> (specifically, we all mkdir_p_label() instead of plain mkdir_p() there)
>
> My own understanding of SELinux is finite however. I'd recommend
> pinging the SELinux folks for help on this,
>
We got you covered!
> Lennart
>
> --
> Lennart Poettering, Red Hat
> _______________________________________________
> Selinux mailing list
> Selinux at tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave at tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request at tycho.nsa.gov.
>
--
Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA
Solution Architect, NA Public Sector
ssekidde at redhat.com | (w) 978-392-1074 | (m) 571-551-9366 | @ssekidde
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
More information about the systemd-devel
mailing list