I am trying to confine a custom web application using type enforcement plus MCS to protect multiple instances of the web app from each other. I can compile the policy ok but when I insert it I get this error:
# semodule -i myapp.pp
libsepol.context_from_record: invalid security context: "myapp_u:myapp_r:myapp_api_t:s0"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert myapp_u:myapp_r:myapp_api_t:s0 to sid
invalid context myapp_u:myapp_r:myapp_api_t:s0
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!
I'm sure I've seen this problem before but can't recall how it was fixed. I know it's something fairly simple.
Here's myapp.te:
module myapp 1.0;

# Import some things we will need from other modules/default policy
require {
    sensitivity s0;
    category c0, c1, c2, c3, c4, c5, c6, c7, c8, c9, c10;
    category c1023;
}

# Role and type for our app
role myapp_r;
type myapp_t;

# Glide file context
type myapp_bin_t;
type myapp_api_t;
type myapp_conf_t;
type myapp_release_t;
type myapp_incoming_t;
type myapp_lib_t;
type myapp_logs_t;
type myapp_scripts_t;
type myapp_tmp_t;
type myapp_tomcat_t;
type myapp_util_t;
type myapp_var_t;
type myapp_exec_t;
type myapp_webapps_t;

# Assign type attributes (refpolicy interface macros, expanded by m4 at build time)
corecmd_executable_file(myapp_bin_t)
corecmd_executable_file(myapp_exec_t)
#logging_log_file(myapp_logs_t)

# Generate one user per myapp instance with user and category matching the port
# it will bind to, only as convention, they don't technically have to match.
gen_user(myapp_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c0.c1023)
gen_user(p16000_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c0)
gen_user(p16001_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c1)
gen_user(p16002_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c2)
gen_user(p16003_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c3)
gen_user(p16004_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c4)
gen_user(p16005_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c5)
gen_user(p16006_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c6)
gen_user(p16007_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c7)
gen_user(p16008_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c8)
gen_user(p16009_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c9)
gen_user(p16010_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c10)
And while I'm posting I may as well ask: When I uncomment the logging_log_file(myapp_logs_t) type attribute above I get this error:
Compiling targeted myapp module
/usr/bin/checkmodule: loading policy configuration from tmp/myapp.tmp
myapp.te":42:ERROR 'unknown class filesystem used in rule' at token ';' on line 1301:
allow myapp_logs_t tmp_t:filesystem associate;
#line 42
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/myapp.mod] Error 1
All tips are greatly appreciated!
On Tue, Apr 28, 2015 at 12:11:05PM PDT, Tracy Reed spake thusly:
> libsepol.context_from_record: invalid security context: "myapp_u:myapp_r:myapp_api_t:s0"
Solved: When declaring your own file contexts use object_r for the role instead of a user role in your .fc file.
Still having an issue with this one though:
> And while I'm posting I may as well ask: When I uncomment the logging_log_file(myapp_logs_t) type attribute above I get this error:
>
> Compiling targeted myapp module
> /usr/bin/checkmodule: loading policy configuration from tmp/myapp.tmp
> myapp.te":42:ERROR 'unknown class filesystem used in rule' at token ';' on line 1301:
> allow myapp_logs_t tmp_t:filesystem associate;
> #line 42
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/myapp.mod] Error 1
>
> All tips are greatly appreciated!
-- Tracy Reed
----- Original Message -----
From: "Tracy Reed" treed@ultraviolet.org
To: selinux@lists.fedoraproject.org
Sent: Tuesday, April 28, 2015 6:48:05 PM
Subject: Re: "invalid security context" in custom policy
> On Tue, Apr 28, 2015 at 12:11:05PM PDT, Tracy Reed spake thusly:
> > libsepol.context_from_record: invalid security context: "myapp_u:myapp_r:myapp_api_t:s0"
>
> Solved: When declaring your own file contexts use object_r for the role instead of a user role in your .fc file.
>
> Still having an issue with this one though:
>
> > And while I'm posting I may as well ask: When I uncomment the logging_log_file(myapp_logs_t) type attribute above I get this error:
> >
> > Compiling targeted myapp module
> > /usr/bin/checkmodule: loading policy configuration from tmp/myapp.tmp
> > myapp.te":42:ERROR 'unknown class filesystem used in rule' at token ';' on line 1301:
> > allow myapp_logs_t tmp_t:filesystem associate;
> > #line 42
> > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > make: *** [tmp/myapp.mod] Error 1
Probably need something like
class filesystem { associate };
inside the require { } along with this statement
allow myapp_tmp_t myapp_logs_t: filesystem associate;
> > All tips are greatly appreciated!
>
> -- Tracy Reed
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On 04/29/2015 12:54 AM, Simon Sekidde wrote:
> ----- Original Message -----
> From: "Tracy Reed" treed@ultraviolet.org
> To: selinux@lists.fedoraproject.org
> Sent: Tuesday, April 28, 2015 6:48:05 PM
> Subject: Re: "invalid security context" in custom policy
>
> > On Tue, Apr 28, 2015 at 12:11:05PM PDT, Tracy Reed spake thusly:
> > > libsepol.context_from_record: invalid security context: "myapp_u:myapp_r:myapp_api_t:s0"
> >
> > Solved: When declaring your own file contexts use object_r for the role instead of a user role in your .fc file.
> >
> > Still having an issue with this one though:
> >
> > > And while I'm posting I may as well ask: When I uncomment the logging_log_file(myapp_logs_t) type attribute above I get this error:
> > >
> > > Compiling targeted myapp module
> > > /usr/bin/checkmodule: loading policy configuration from tmp/myapp.tmp
> > > myapp.te":42:ERROR 'unknown class filesystem used in rule' at token ';' on line 1301:
> > > allow myapp_logs_t tmp_t:filesystem associate;
> > > #line 42
> > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > make: *** [tmp/myapp.mod] Error 1
> Probably need something like
>
>     class filesystem { associate };
>
> inside the require { } along with this statement
>
>     allow myapp_tmp_t myapp_logs_t: filesystem associate;
Yes, you need to require all classes/permissions if you use this module declaration.
You can use
policy_module(mypol, 1.0)
module declaration using reference policy. But you need to build it with the devel Makefile which applies m4 and includes the interface files that define the macros.
# make -f /usr/share/selinux/devel/Makefile mypol.pp
In this case, you don't need to require all classes with permissions which are used.
> > > All tips are greatly appreciated!
> >
> > -- Tracy Reed
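Putting the thread's two fixes together (object_r in the .fc, and policy_module() plus the devel Makefile instead of a bare module declaration with a hand-written require block), here is an added shell example that is not code from the original posts. It writes a myapp.te that relies on policy_module() so logging_log_file() and friends expand with their own requires, writes a matching myapp.fc in which every context carries object_r and each per-instance tree gets the category of that instance's SELinux user, lints the .fc for the user-role mistake that produced the "invalid security context" error, and shows the build and install commands. The /srv/myapp/<port> layout, the reduced set of types, and the gen_te, gen_fc, fc_lint and build_and_install helpers are assumptions of this example; the gen_user() argument form is copied from the original post.

```shell
#!/bin/sh
# Added example (not code from the original posts). Writes a policy_module()-based
# myapp.te and an object_r-only myapp.fc for several MCS-separated instances,
# lints the .fc for the role mistake from the thread, and builds with the devel
# Makefile. The /srv/myapp/<port> layout is an assumption of this example.
set -eu

# gen_te PORT... : emit myapp.te. policy_module() (instead of a bare "module"
# line) pulls in the kernel object classes and permissions, so the refpolicy
# interfaces used below need no hand-written require {} block.
gen_te() {
    cat <<'EOF'
policy_module(myapp, 1.0)

type myapp_t;
type myapp_exec_t;
type myapp_api_t;
type myapp_logs_t;
role myapp_r types myapp_t;

corecmd_executable_file(myapp_exec_t)
logging_log_file(myapp_logs_t)

# One SELinux user per instance; category cN is the instance's MCS label.
EOF
    n=0
    for port in "$@"; do
        # gen_user() argument form as in the original post.
        printf 'gen_user(p%s_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c%d)\n' "$port" "$n"
        n=$((n + 1))
    done
}

# gen_fc PORT... : emit myapp.fc. File contexts always carry object_r; a user
# role here (myapp_u:myapp_r:...) is what made setfiles reject the module.
# Per-instance trees get the same category as the instance's SELinux user.
gen_fc() {
    cat <<'EOF'
/usr/sbin/myapp            --    system_u:object_r:myapp_exec_t:s0
/srv/myapp/api(/.*)?             system_u:object_r:myapp_api_t:s0
EOF
    n=0
    for port in "$@"; do
        printf '/srv/myapp/%s/logs(/.*)?    system_u:object_r:myapp_logs_t:s0:c%d\n' "$port" "$n"
        n=$((n + 1))
    done
}

# fc_lint FILE : report every .fc entry whose context role is not object_r and
# exit 1 if any is found. Handles raw contexts and gen_context(ctx,s0[,cats])
# written without spaces; skips comments, blank lines and <<none>> entries.
fc_lint() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            ctx = $NF
            sub(/^gen_context\(/, "", ctx)
            sub(/,.*$/, "", ctx)
            if (ctx == "<<none>>") next
            n = split(ctx, f, ":")
            if (n < 3 || f[2] != "object_r") {
                bad++
                printf("%s:%d: role \"%s\" is not object_r: %s\n", FILENAME, FNR, f[2], $0)
            }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# build_and_install DIR : compile with the selinux-policy devel Makefile, load
# the module and relabel the trees the .fc covers. Run as root on the target.
build_and_install() {
    (cd "$1" && make -f /usr/share/selinux/devel/Makefile myapp.pp && semodule -i myapp.pp)
    restorecon -Rv /usr/sbin/myapp /srv/myapp
}

# Usage: sh myapp-policy.sh 16000 16001 16002   (writes into ./myapp-policy)
if [ "$#" -gt 0 ]; then
    mkdir -p myapp-policy
    gen_te "$@" > myapp-policy/myapp.te
    gen_fc "$@" > myapp-policy/myapp.fc
    fc_lint myapp-policy/myapp.fc
    build_and_install myapp-policy
fi
```

fc_lint is the check worth keeping around: semodule only reports the bad context after setfiles fails during install, while the lint catches a myapp_r (or any non-object_r) role in the .fc before the build. Running the generated .fc through it succeeds, and a line such as "/srv/myapp/api(/.*)? myapp_u:myapp_r:myapp_api_t:s0" is reported with its line number.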