On Fri, 2006-10-13 at 20:31 +0100, Robin Bowes wrote:
> Stephen Smalley wrote:
> > On Fri, 2006-10-13 at 19:51 +0100, Robin Bowes wrote:
> >> allow xm_t fixed_disk_device_t:blk_file read;
> >
> > From the above, you are still directly allowing read access to a fixed
> > disk device rather than using the storage_raw_read_fixed_disk()
> > interface. IOW, replace your 'allow xm_t fixed_disk_device_t:blk_file
> > read;' statement with:
> >     storage_raw_read_fixed_disk(xm_t)
>
> Ah, right. That was what I was missing.
>
> I removed that line and ran the make and got these errors:
> <snip>
> I found I had to add all the missing classes and permissions.

Or, alternatively, replace:
    module local 1.0;
with the standard module prologue:
    policy_module(local, 1.0)
This brings in the class/permission requires automatically.

> This version of xen.te builds and installs cleanly:
<snip>
> So, how do I find out more about this? How would I know that interfaces
> like storage_raw_read_fixed_disk(xm_t) exist, and what they mean?

Interface documentation is under
/usr/share/doc/selinux-policy-x.y.z/html/index.html.
/usr/share/selinux/devel/policyhelp is a trivial one-line script to
launch a browser on it.

Also available at:
http://oss.tresys.com/docs/refpolicy/api/

An IDE is under development. Available from:
http://oss.tresys.com/projects/slide

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
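
Besides the HTML documentation mentioned in the message above, the rules an interface such as storage_raw_read_fixed_disk() grants can be read from the interface definition files themselves. The script below is an added example, not part of the original message or of the reference policy: show_interface and write_sample_if are hypothetical helper names, the default directory /usr/share/selinux/devel/include is an assumption about where the policy development headers are installed, and the sample storage.if is constructed with simplified bodies.

```shell
#!/bin/sh
# show_interface NAME [DIR]: print the doc comment and body of the
# refpolicy interface or template NAME from the *.if files under DIR.
# DIR defaults to /usr/share/selinux/devel/include (assumed location of
# the installed policy development headers).
show_interface() {
    find "${2:-/usr/share/selinux/devel/include}" -type f -name '*.if' \
        -exec awk -v name="$1" -v q="'" '
        FNR == 1 { doc = ""; inbody = 0 }
        # "##" lines are the documentation for the definition that follows
        !inbody && /^##/ { doc = doc $0 "\n"; next }
        !inbody && /^(interface|template)\(`/ && index($0, "(`" name q ",") {
            printf "# %s\n%s", FILENAME, doc
            inbody = 1
        }
        inbody { print }
        # an unindented closing quote plus paren ends the definition
        inbody && $0 == q ")" { inbody = 0 }
        !/^[ \t]*$/ { doc = "" }
    ' {} +
}

# write_sample_if DIR: create a constructed storage.if for the demo.
# The bodies are simplified stand-ins, not the real refpolicy source.
write_sample_if() {
    cat > "$1/storage.if" <<'EOF'
## <summary>
##	Constructed sample: read a fixed disk device directly.
## </summary>
interface(`storage_raw_read_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;
	')
	allow $1 fixed_disk_device_t:blk_file read;
')

interface(`storage_raw_write_fixed_disk',`
	allow $1 fixed_disk_device_t:blk_file write;
')
EOF
}

# Demo against the constructed sample.
demo_dir=$(mktemp -d)
write_sample_if "$demo_dir"
show_interface storage_raw_read_fixed_disk "$demo_dir"
rm -rf "$demo_dir"
```

Reading the body this way shows exactly which types, classes and permissions a call such as storage_raw_read_fixed_disk(xm_t) adds to the domain before it goes into a local module.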