[systemd-devel] SELinux type transition rule not working

Simon Sekidde ssekidde at redhat.com
Fri Mar 3 16:01:59 UTC 2017 


----- Original Message -----
> From: "Ian Pilcher" <arequipeno at gmail.com>
> To: "Simon Sekidde" <ssekidde at redhat.com>
> Cc: "Systemd" <systemd-devel at lists.freedesktop.org>, selinux at tycho.nsa.gov, lennart at poettering.net
> Sent: Friday, March 3, 2017 10:44:18 AM
> Subject: Re: [systemd-devel] SELinux type transition rule not working
> 
> On 03/02/2017 09:13 AM, Simon Sekidde wrote:
> > I assume this would be a pid file?
> 
> You assume correctly.
> 
> > If so then what you are probably looking for is a filename_trans rule
> > and will require a new interface in squid.if for this.
> >
> > Try something like
> >
> > interface(`squid_filetrans_named_content',` gen_require(`
> > type_squid_var_run_t; ')
> >
> > files_pid_filetrans($1, squid_var_run_t, dir, "squozy") ')
> 
> Not sure where squid came from.  The service is one of my own making
> called "squoxy" (short for "Squeezebox proxy").  Its purpose is to
> forward Squeezebox discovery broadcast packets from one network to
> another.
> 

Sorry I must have been doing something in the squid policy while I was responding to this... 

> So I assume that I would need to add something like this to my policy
> module:
> 
>    files_pid_filetrans(var_run_t, squoxy_var_run_t, dir, "squoxy")
> 
> (I'm guessing at what to put in for $1.)
> 

files_pid_filetrans(squoxy_t, squoxy_var_run_t, dir, "squoxy") 

Files created by the squoxy_t processes in the var_run_t directory will be created with the squoxy_var_run_t label

> >> Hmm, so the relevant code in systemd actually labels the dir after
> >> creating it after an selinux database lookup, so from our side all
> >> should be good:
> >>
> >> https://github.com/systemd/systemd/blob/master/src/core/execute.c#L1857
> >>
> >>
> >>(specifically, we all mkdir_p_label() instead of plain mkdir_p()
>  >> there)
> 
> And this is working now, presumably after a reboot?  I do so love
> non-deterministic computers.  :-/
> 
> --
> ========================================================================
> Ian Pilcher                                         arequipeno at gmail.com
> -------- "I grew up before Mark Zuckerberg invented friendship" --------
> ========================================================================
>

More information about the systemd-devel mailing list