Description of problem:

I've installed a local policy for PHP-FPM based off of
https://github.com/prometheanfire/selinux-modules but with the types changed
from phpfpm_* to phpfcgi_* to avoid conflicting with the Fedora policy type
alias of phpfpm_t for httpd_t. Not all the file contexts can be included in the
local policy's .fc file because they conflict with file contexts defined in
other policy modules, so I set them via file_contexts.local.

As an example, the following works without problem to override the type on the
php-fpm executable under both Fedora 20 and Fedora 21:

    semanage fcontext -a -t phpfcgi_exec_t /usr/sbin/php-fpm

However, starting with Fedora 21 the following no longer works, although it
worked fine in Fedora 20 and previous:

    semanage fcontext -a -t phpfcgi_var_run_t "/var/run/php-fpm(/.*)?"

Under Fedora 21 the second command results in the error:

    libsemanage.dbase_llist_query: could not query record value (No such file or directory).
    OSError: No such file or directory

Note, however, that both of the following work fine under Fedora 21:

    semanage fcontext -a -t phpfcgi_var_run_t "/var/run/php-fpm"

    mkdir /var/run/test-directory
    semanage fcontext -a -t phpfcgi_var_run_t "/var/run/test-directory(/.*)?"

This leads me to think that the problem may be with overriding file contexts
containing wildcards rather than defining new file contexts.

Version-Release number of selected component (if applicable):
libsemanage-2.3-6.fc21.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Create a file "bug-test.te" containing the three lines:

    policy_module(bug_test, 1.0)
    type bug_test_t;
    files_pid_file(bug_test_t)

2. Compile the bug-test.te policy and install it via "semodule -i bug_test.pp"
3. Run the command:

    semanage fcontext -a -t bug_test_t "/var/run/php-fpm(/.*)?"

Actual results (Fedora 21):

[root@ice bug-test]# rpm -q -a | grep selinux
libselinux-devel-2.3-5.fc21.x86_64
rpm-plugin-selinux-4.12.0.1-4.fc21.x86_64
selinux-policy-3.13.1-105.3.fc21.noarch
selinux-policy-devel-3.13.1-105.3.fc21.noarch
libselinux-python-2.3-5.fc21.x86_64
libselinux-utils-2.3-5.fc21.x86_64
libselinux-2.3-5.fc21.x86_64
selinux-policy-targeted-3.13.1-105.3.fc21.noarch
[root@ice bug-test]# cat bug_test.te
policy_module(bug_test, 1.0)
type bug_test_t;
files_pid_file(bug_test_t)
[root@ice bug-test]# make
cat: /selinux/mls: No such file or directory
Compiling targeted bug_test module
/usr/bin/checkmodule: loading policy configuration from tmp/bug_test.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/bug_test.mod
Creating targeted bug_test.pp policy package
rm tmp/bug_test.mod.fc tmp/bug_test.mod
[root@ice bug-test]# semodule -i bug_test.pp
[root@ice bug-test]# ls -ldZ /var/run/php-fpm
drwxr-xr-x. root root system_u:object_r:httpd_var_run_t:s0 /var/run/php-fpm
[root@ice bug-test]# semanage fcontext -a -t bug_test_t "/var/run/php-fpm(/.*)?"
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
OSError: No such file or directory
[root@ice bug-test]# semanage export | grep bug_test
[root@ice bug-test]#

Expected results (Fedora 20):

[root@fire bug-test]# rpm -q -a | grep selinux
libselinux-2.2.1-6.fc20.x86_64
selinux-policy-3.12.1-196.fc20.noarch
libselinux-utils-2.2.1-6.fc20.x86_64
libselinux-devel-2.2.1-6.fc20.x86_64
libselinux-python-2.2.1-6.fc20.x86_64
selinux-policy-targeted-3.12.1-196.fc20.noarch
libselinux-debuginfo-2.2.1-6.fc20.x86_64
selinux-policy-devel-3.12.1-196.fc20.noarch
[root@fire bug-test]# cat bug_test.te
policy_module(bug_test, 1.0)
type bug_test_t;
files_pid_file(bug_test_t)
[root@fire bug-test]# make
cat: /selinux/mls: No such file or directory
Compiling targeted bug_test module
/usr/bin/checkmodule: loading policy configuration from tmp/bug_test.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/bug_test.mod
Creating targeted bug_test.pp policy package
rm tmp/bug_test.mod.fc tmp/bug_test.mod
[root@fire bug-test]# semodule -i bug_test.pp
[root@fire bug-test]# ls -ldZ /var/run/php-fpm
drwxr-xr-x. root root system_u:object_r:httpd_var_run_t:s0 /var/run/php-fpm
[root@fire bug-test]# semanage fcontext -a -t bug_test_t "/var/run/php-fpm(/.*)?"
[root@fire bug-test]# semanage export | grep bug_test
fcontext -a -f a -t bug_test_t '/var/run/php-fpm(/.*)?'
[root@fire bug-test]#

Additional info:

Local SELinux configuration from the Fedora 21 system:

[root@ice ~]# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -0 abrt_upload_watch_anon_write
boolean -m -0 auditadm_exec_content
boolean -m -0 boinc_execmem
boolean -m -0 cron_userdomain_transition
boolean -m -1 daemons_dump_core
boolean -m -0 dbadm_exec_content
boolean -m -1 deny_execmem
boolean -m -1 deny_ptrace
boolean -m -0 entropyd_use_audio
boolean -m -0 gluster_export_all_rw
boolean -m -0 gssd_read_tmp
boolean -m -0 guest_exec_content
boolean -m -0 httpd_builtin_scripting
boolean -m -1 httpd_can_network_connect
boolean -m -0 kerberos_enabled
boolean -m -0 logadm_exec_content
boolean -m -0 logging_syslogd_use_tty
boolean -m -0 nfs_export_all_ro
boolean -m -0 nfs_export_all_rw
boolean -m -0 openvpn_can_network_connect
boolean -m -0 openvpn_enable_homedirs
boolean -m -1 polyinstantiation_enabled
boolean -m -0 postfix_local_write_mail_spool
boolean -m -0 postgresql_selinux_unconfined_dbadm
boolean -m -0 postgresql_selinux_users_ddl
boolean -m -0 privoxy_connect_any
boolean -m -0 secadm_exec_content
boolean -m -0 selinuxuser_direct_dri_enabled
boolean -m -0 selinuxuser_execmod
boolean -m -0 selinuxuser_execstack
boolean -m -0 spamd_enable_home_dirs
boolean -m -0 squid_connect_any
boolean -m -0 telepathy_tcp_connect_generic_network_ports
boolean -m -0 unconfined_chrome_sandbox_transition
boolean -m -0 unconfined_login
boolean -m -0 unconfined_mozilla_plugin_transition
boolean -m -0 virt_use_usb
boolean -m -0 xend_run_blktap
boolean -m -0 xend_run_qemu
boolean -m -0 xguest_connect_network
boolean -m -0 xguest_exec_content
boolean -m -0 xguest_mount_media
boolean -m -0 xguest_use_bluetooth
login -a -s guest_u -r 's0' __default__
login -a -s staff_u -r 's0' markmont
login -a -s unconfined_u -r 's0-s0:c0.c1023' root
login -a -s system_u -r 's0-s0:c0.c1023' system_u
user -a -L s0 -r s0-s0:c0.c1023 -R 'staff_r unconfined_r system_r' staff_u
fcontext -a -f a -t iptables_exec_t '/etc/systemd/ipset'
fcontext -a -f a -t initrc_exec_t '/etc/systemd/selinux-lockdown'
fcontext -a -f a -t tmp_t '/tmp/tmp-inst'
fcontext -a -f a -t selinux_config_t '/var/lib/config(/.*)?'
fcontext -a -f a -t tmp_t '/var/tmp/tmp-inst'
module -d permissivedomains
module -d unconfined
module -d unlabelednet
[root@ice ~]#
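A pre-flight check for the two situations the report keeps apart, added here as an example and not part of the bug report or of the selinux-modules project: a spec that already appears verbatim in the compiled policy's file_contexts (where "/var/run/php-fpm(/.*)?" fails) versus a spec the policy does not carry (the plain "/var/run/php-fpm" and "/var/run/test-directory(/.*)?", which work). It looks the spec up in the regex column of a file_contexts file, builds the semanage fcontext command with -a for a new record or -m (semanage's documented verb for modifying an existing record) for one the policy already defines, and parses "semanage export" output the way the report does with grep to confirm a local record was actually written. Nothing in it runs semanage; the commands are printed for review. The file_contexts sample is constructed: only its /var/run/php-fpm line is grounded in the report (the ls -ldZ output shows httpd_var_run_t), and none of it is copied from the Fedora policy. That -m sidesteps the Fedora 21 failure is an assumption the report does not test; the report itself leaves the cause open.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a file-context spec as new
# to the policy or already defined, print the matching semanage command, and
# read the type back out of "semanage export" output. No semanage calls here.

# Write a constructed stand-in for the compiled file_contexts into "$1".
# Only the /var/run/php-fpm line is grounded in the report (ls -ldZ shows
# httpd_var_run_t); the other lines are illustrative, not from Fedora policy.
sample_file_contexts() {
    cat > "$1" <<'EOF'
# constructed sample: regex [filetype] context
/var/run/php-fpm(/.*)?        system_u:object_r:httpd_var_run_t:s0
/var/run/httpd(/.*)?          system_u:object_r:httpd_var_run_t:s0
/usr/sbin/httpd         --    system_u:object_r:httpd_exec_t:s0
EOF
}

# Return 0 if "$2" appears verbatim as the regex column of file_contexts "$1".
# The spec goes in through the environment because "awk -v" would reinterpret
# the backslash escapes that are common in these regexes.
spec_in_policy() {
    SPEC="$2" awk '
        /^[[:space:]]*#/ || NF == 0 { next }      # comments and blank lines
        $1 == ENVIRON["SPEC"]      { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the semanage verb for a spec: -a for a new record, -m to modify a
# record the policy already carries.
fcontext_verb() {
    if spec_in_policy "$1" "$2"; then
        printf '%s\n' '-m'
    else
        printf '%s\n' '-a'
    fi
}

# Print (do not run) the semanage fcontext command for type "$2" and spec "$3",
# choosing the verb from the file_contexts file "$1".
fcontext_cmd() {
    printf "semanage fcontext %s -t %s '%s'\n" "$(fcontext_verb "$1" "$3")" "$2" "$3"
}

# Read "semanage export" output on stdin and print the type recorded for spec
# "$1", or nothing when no local fcontext record exists for it. This is the
# check the report makes with "semanage export | grep bug_test".
# Specs containing whitespace are not handled (the field split would break them).
export_type_for_spec() {
    SPEC="$1" awk -v q="'" '
        $1 != "fcontext" { next }
        {
            spec = $NF
            if (substr(spec, 1, 1) == q)              # strip the quotes export adds
                spec = substr(spec, 2, length(spec) - 2)
            if (spec != ENVIRON["SPEC"]) next
            for (i = 1; i < NF; i++)
                if ($i == "-t") { print $(i + 1); exit }
        }
    '
}

# Stand-alone demo: the specs from the report, then the record the Fedora 20
# run exported after its add succeeded.
demo_fc=$(mktemp)
sample_file_contexts "$demo_fc"
for spec in '/var/run/php-fpm(/.*)?' '/var/run/php-fpm' '/var/run/test-directory(/.*)?'; do
    fcontext_cmd "$demo_fc" bug_test_t "$spec"
done
printf '%s\n' "fcontext -a -f a -t bug_test_t '/var/run/php-fpm(/.*)?'" \
    | export_type_for_spec '/var/run/php-fpm(/.*)?'
rm -f "$demo_fc"
```

The verbatim-match rule reproduces all three observations in the report: the regex spec is found in the sample policy and gets -m, while the plain path and the test-directory regex are absent and get -a. To use it against a live system, point sample_file_contexts's caller at /etc/selinux/targeted/contexts/files/file_contexts instead and pipe real "semanage export" output into export_type_for_spec.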
This message is a reminder that Fedora 21 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '21'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 21 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 21 changed to end-of-life (EOL) status on 2015-12-01. Fedora 21 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.