From: Daniel J Walsh <dwalsh@redhat.com>
To: selinux@a61.nl
Cc: selinux@tycho.nsa.gov
Subject: Re: Gen_require scoping?
Date: Fri, 22 Feb 2008 12:11:12 -0500	[thread overview]
Message-ID: <47BF0230.8010001@redhat.com> (raw)
In-Reply-To: <54715.80.95.164.250.1203694428.squirrel@www.a61.nl>


selinux@a61.nl wrote:
> Hi all,
> 
> we're trying to set up a JBoss module. As you probably know, JBoss needs
> Java and vice versa.
> 
> For this we created a .te and an .if. Part of the .if is an interface to
> allow writing log files. Relevant part:
> 
> ########################################
> ## <summary>
> ##	Allow the specified domain to
> ##	write jboss log files
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`jboss_write_log',`
> 	gen_require(`
> 		type jboss_log_t;
> 	')
> 	logging_search_logs($1)
> 	allow $1 jboss_log_t:dir list_dir_perms;
> 	allow $1 jboss_log_t:dir rw_dir_perms;
> 	allow $1 jboss_log_t:file read_file_perms;
> 	write_files_pattern($1,jboss_log_t,jboss_log_t);
> 	allow $1 jboss_log_t:dir search_dir_perms;
> 	allow $1 jboss_log_t:dir getattr_dir_perms;
> ')
> 
> However, when compiling this module, it all fails at "allow $1
> jboss_log_t:dir list_dir_perms;" with this error:
> 
> Compiling targeted base module
> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> /usr/bin/checkmodule:  loading policy configuration from base.conf
> policy/modules/apps/java.te:22:ERROR 'unknown type jboss_log_t' at token
> ';' on line 491016:
> #line 22
>         allow java_t jboss_log_t:dir { getattr search read lock ioctl };
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> make: *** [tmp/base.mod] Error 1
> 
> Just to try, we declared "type jboss_log_t;" before logging_search_logs
> and after the gen_require. After this I was able to compile the module
> (but did run into other problems)...
> 
> So, I believe I have a scoping issue; gen_require checks (and finds)
> jboss_log_t. But as soon as someone is trying to use jboss_log_t in the
> interface, it breaks.
> 
> To make everything clear:
> We changed java.te and added:
> 
> #Java needs access to jboss_log_t
> jboss_write_log(java_t);
> 
> What am I doing wrong here?
> 
> Cheers,
> 
> Bart
> 
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
No, your module needs a .te file that defines jboss_log_t, not just the
interface, and probably needs a file context file.

cat jboss.te

type jboss_log_t;
logging_file_type(jboss_log_t)

cat jboss.fc
/var/log/jboss.*  gen_context(system_u:object_r:jboss_log_t,s0)


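Putting the pieces from the thread together, as an added example (not Bart's or Dan's code, and not taken from refpolicy): the type is declared once in jboss.te, the interface in jboss.if only requires it, and the caller in java.te wraps the call in optional_policy so the rules are dropped if no jboss module is loaded. Module name, version and the log path are assumptions.

```m4
# jboss.te -- the only place jboss_log_t is *declared*
policy_module(jboss, 1.0.0)

type jboss_log_t;
logging_file_type(jboss_log_t)

# jboss.fc -- label the files on disk so the type is actually applied
/var/log/jboss(/.*)?	gen_context(system_u:object_r:jboss_log_t,s0)

# jboss.if -- gen_require only states a dependency; it declares nothing.
# If no loaded module declares jboss_log_t, a caller of this interface gets
# exactly the "unknown type jboss_log_t" error shown in the thread.
interface(`jboss_write_log',`
	gen_require(`
		type jboss_log_t;
	')
	logging_search_logs($1)
	# rw_dir_perms already includes the list, search and getattr
	# permissions the original interface granted separately
	allow $1 jboss_log_t:dir rw_dir_perms;
	# write_files_pattern grants file write plus dir search
	write_files_pattern($1, jboss_log_t, jboss_log_t)
	allow $1 jboss_log_t:file read_file_perms;
')

# java.te (caller) -- no type declaration here, only the interface call
optional_policy(`
	jboss_write_log(java_t)
')
```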
