Attempting to set up a custom policy module for a service from a third party, and I'm running into multiple issues. The "me" issue is that I need to figure out if this is correct for a .te file for a service (name changed):
module mynewservice 1.0;
require {
type unconfined_t;
type init_t;
class process transition;
class file { read open execute getattr map };
class dir { search read open };
class service start;
}
type mynewservice_t;
type mynewservice_exec_t;
allow unconfined_t mynewservice_t:process transition;
allow init_t mynewservice_t:service start;
allow mynewservice_t mynewservice_exec_t:file { read open execute getattr map };
allow mynewservice_t mynewservice_exec_t:file { read open execute };
allow mynewservice_t mynewservice_exec_t:dir { search read open };
Attempting to run semanage fcontext -a -t mynewservice_exec_t "/the/path(/.*)?" gives me ValueError: Type mynewservice_exec_t is invalid, must be a file or device type
Policy module loads fine, I can see mynewservice_t and mynewservice_exec_t with seinfo -t. I think the issue is that class service start should be class file execmod or something similar. The latter I got from an autogen .te file created using ausearch -c 'mynewservice' --raw | audit2allow -M my-mynewservice, which was recommended by a suggestion inside the SETroubleshoot Details Window.
That said, I’d like to learn something about what I’m doing and I’ve been looking for information on SELinux to figure out if class file execmod is actually correct or not. SELinux isn’t exactly the easiest thing to find answers on, however. Red Hat has documentation for following along, but doesn’t list options for classes or labels (that I’ve noticed).
It does have a good looking tutorial here for custom module creation:
Trying to follow along, and I get to the command: sepolicy generate --init /usr/local/bin/mydaemon
Output:
Errors during downloading metadata for repository 'baseos':
- Status code: 404 for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=BaseOS-9$rltype (IP: 2a04:4e42:5::644)
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/dnf/repo.py", line 574, in load
ret = self._repo.load()
File "/usr/lib64/python3.9/site-packages/libdnf/repo.py", line 331, in load
return _repo.Repo_load(self)
libdnf._error.Error: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Status code: 404 for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=BaseOS-9$rltype (IP: 2a04:4e42:5::644)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/bin/sepolicy", line 702, in <module>
args.func(args)
File "/bin/sepolicy", line 569, in generate
mypolicy.gen_writeable()
File "/usr/lib/python3.9/site-packages/sepolicy/generate.py", line 1304, in gen_writeable
self.__extract_rpms()
File "/usr/lib/python3.9/site-packages/sepolicy/generate.py", line 1271, in __extract_rpms
base.fill_sack(load_system_repo=True)
File "/usr/lib/python3.9/site-packages/dnf/base.py", line 406, in fill_sack
self._add_repo_to_sack(r)
File "/usr/lib/python3.9/site-packages/dnf/base.py", line 141, in _add_repo_to_sack
repo.load()
File "/usr/lib/python3.9/site-packages/dnf/repo.py", line 581, in load
raise dnf.exceptions.RepoError(str(e))
dnf.exceptions.RepoError: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Status code: 404 for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=BaseOS-9$rltype (IP: 2a04:4e42:5::644)
This doesn’t look like a “me” issue as I’ve attempted a few different Internet connections. I’m on Rocky Linux 9.5, installed using the Cinnamon DE Workstation edition.
Is there any advice on how to fix the 404, OR how to fix the original invalid error in subject? I’d like to get a process developed for use with future servers. The service is a remote access/administration tool.
Let me know. Thanks,
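An added example, not part of the original post, showing what the same module looks like in the same raw (checkmodule) style once mynewservice_exec_t carries the attribute that semanage fcontext checks for. semanage refuses a type for a file context unless it has the file_type attribute (or device_node); a bare `type mynewservice_exec_t;` declares a type with no attributes at all, which is why the ValueError fires even though seinfo -t lists the type and the module loads. The service name, the /the/path location and the unconfined_t rules are assumptions carried over from the post; the allow rules are only the minimal entrypoint/transition skeleton for a domain, not a complete policy for the daemon.

```te
module mynewservice 1.0;

require {
    type init_t;
    type unconfined_t;
    # Attributes the base policy already defines; this module only refers to them.
    attribute domain;      # every process (domain) type should carry this
    attribute file_type;   # the attribute semanage fcontext checks for
    attribute exec_type;   # conventional marker for executable file types
    class process transition;
    class file { read open getattr execute map entrypoint };
    class dir { search read open getattr };
}

type mynewservice_t;
type mynewservice_exec_t;

# The fix for "must be a file or device type": make the exec type a file type.
typeattribute mynewservice_exec_t file_type, exec_type;
# Make mynewservice_t a real process domain.
typeattribute mynewservice_t domain;

# Domain transition from systemd (init_t): it executes the labelled binary
# and the new process ends up running as mynewservice_t.
allow init_t mynewservice_exec_t:file { read open getattr execute map };
allow mynewservice_t mynewservice_exec_t:file entrypoint;
allow init_t mynewservice_t:process transition;
type_transition init_t mynewservice_exec_t:process mynewservice_t;

# Same transition for an admin starting the tool by hand from an unconfined
# shell (assumption: that is wanted; drop these three lines if it is systemd-only).
allow unconfined_t mynewservice_exec_t:file { read open getattr execute map };
allow unconfined_t mynewservice_t:process transition;
type_transition unconfined_t mynewservice_exec_t:process mynewservice_t;

# The domain reads/maps its own binary and walks its install directory
# (the post labels the whole /the/path tree with mynewservice_exec_t).
allow mynewservice_t mynewservice_exec_t:file { read open getattr execute map };
allow mynewservice_t mynewservice_exec_t:dir { search read open getattr };
```

Build, load, label and verify it with checkmodule -M -m -o mynewservice.mod mynewservice.te, semodule_package -o mynewservice.pp -m mynewservice.mod, semodule -i mynewservice.pp, then seinfo -t mynewservice_exec_t -x (the expanded output should now list file_type and exec_type), semanage fcontext -a -t mynewservice_exec_t '/the/path(/.*)?' and restorecon -RFv /the/path. The skeleton above deliberately leaves out the `service` class: systemd performs that check against the label of the unit file, not against the process domain, so a rule on mynewservice_t:service does nothing useful. Expect further denials once the daemon actually runs; the least disruptive way to collect them is semanage permissive -a mynewservice_t, run the service, then ausearch -m AVC -ts recent | audit2allow -R and fold the rules into this file rather than shipping the generated my-mynewservice module as-is. If selinux-policy-devel is installed, the refpolicy form of the same thing is policy_module(mynewservice, 1.0) with files_type(mynewservice_exec_t) and init_daemon_domain(mynewservice_t, mynewservice_exec_t), built with make -f /usr/share/selinux/devel/Makefile mynewservice.pp; those interfaces attach the same attributes and transition rules without the manual require block.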