On Thu, 2005-06-09 at 13:28 -0700, Jeremy Utley wrote:
> The current problem:
> According to the policy writing docs, a role should be created via the
> full_user_role() macro. So, in domains/misc/custom_policy.te, I
> placed the following line (along with other custom rules that have
> already been compiled successfully and work):
>
> full_user_role(privileged)

In order to support role changes via newrole, you need some further rules. These are defined in the role_tty_type_change() macro defined in domains/user.te, which means that you presently have to add rules to domains/user.te; that macro definition should likely be moved to base_user_macros.te or user_macros.te so that it can be used elsewhere. If you want the role to be able to use userhelper, sudo, or su, you also need to include reach_sysadm(privileged); that macro is also presently defined in domains/user.te and should likely be moved to user_macros.te or base_user_macros.te.

> Now, when trying to compile the policy after that, I get the following error:
>
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> domains/misc/custom_policy.te:13:ERROR 'unknown type
> privileged_userhelper_t' at token ';' on line 115000:
> #line 13
> allow privileged_mozilla_t privileged_userhelper_t:process transition;
> /usr/bin/checkpolicy: error(s) encountered while parsing configuration
> make: *** [/etc/selinux/strict/policy/policy.18] Error 1

That's a bug in mozilla_macros.te, already removed in the FC4/development strict policy. Remove the userhelper transition from it:

--- macros/program/mozilla_macros.te.orig	2005-06-10 08:37:54.636627280 -0400
+++ macros/program/mozilla_macros.te	2005-06-10 08:38:11.886004976 -0400
@@ -116,9 +116,6 @@
 dontaudit $1_mozilla_t file_type:dir getattr;
 allow $1_mozilla_t self:sem create_sem_perms;
-ifdef(`userhelper.te', `
-domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
-')
 dontaudit $1_mozilla_t selinux_config_t:dir search;
 #

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
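Review bot: the removed ifdef block keyed the userhelper transition on the presence of userhelper.te rather than on whether $1_userhelper_t had actually been declared for the role the macro was invoked with, so any role built by full_user_role() without reach_sysadm() hit exactly the "unknown type privileged_userhelper_t" error quoted above. Dropping the domain_auto_trans() outright is preferable to tightening the guard: a browser domain has no business automatically entering a privilege-escalating helper domain, and the remaining dontaudit lines around it are unaffected. It would help to state in the change description that roles which previously got a mozilla to $1_userhelper_t transition lose it with this change.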
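The additions described in the reply, written out as one policy fragment. This is an added illustration, not text from the thread or from the Fedora strict policy source; the argument order of role_tty_type_change() (role being left first, role being entered second), the rule bodies the two macros expand to, and the placement of the calls in domains/user.te beside the existing user/sysadm pairs are assumptions.

```m4
# domains/misc/custom_policy.te  (already present according to the thread)
# Declares privileged_r and privileged_t together with the per-role types
# the rest of the policy expects (home, tmp, tty and pty types, etc.).
full_user_role(privileged)

# domains/user.te  (added; in this policy version the macros below are
# defined in this file, so the calls have to live here too)
#
# Allow newrole between privileged_r and sysadm_r in both directions.
# Assumed argument order: (role being left, role being entered).  Each call
# is assumed to expand to an 'allow $1_r $2_r;' role-allow rule plus the
# type_change rules that relabel the controlling tty/pty to the entered
# domain's type, so the new domain owns the terminal instead of keeping a
# handle labelled for the old one.
role_tty_type_change(privileged, sysadm)
role_tty_type_change(sysadm, privileged)

# Only if privileged_r is meant to escalate through userhelper, sudo or su.
# This is the macro that declares privileged_userhelper_t and the related
# domains; omit it for a role that should stay confined, and do not expect
# other macros to reference those types unless it is present.
reach_sysadm(privileged)
```

After rebuilding with the same make that produced policy.18 in the error above, a quick check that the role-allow took effect is to log in as a user mapped to privileged_r and run `newrole -r sysadm_r` (and the reverse from sysadm_r); a denial there points at the role_tty_type_change() calls, whereas a missing-type error at compile time points at a macro that assumes reach_sysadm() was applied.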