Louis Lam wrote:
> Hi,
>
> Thanks for the reply.
>
> My conclusion is that I'm not sure where to place the domain_auto_trans() statement. If I can't place it in the vmware.if file (since it will not be read during module compilation), where can I put this statement? All I need to do now is to make the vmware executable run in its own domain, e.g. vmware_t. But it seems more difficult than I thought.

If you want the vmware program to run in its own domain, all the necessary rules should be in the .te file, e.g.

domain_auto_trans(vmware_t, vmware_host_exec_t, vmware_host_t)

(just an example). Similarly, domain_auto_trans can also be used in the .if file, especially in a per_role_template. All of these depend on your purpose.

To make vmware run in selinux-policy > 3.0, the easiest way is to follow what Tom guided, i.e. modify net-service.sh to restore the label after creating the device node. But if you want to make the policy contain vmware, you must resolve the "device node label" problem; IMHO, you should use fs_use_trans to make the label automatically:

http://marc.info/?l=selinux&m=118481693028190&w=2

Right now I have no time to do this, so I have not solved the problems I encountered.

> Can you point me to resources on how to develop modules? Can someone help me with this problem?

"Beginning is the most difficult one, but a good beginning is half the battle" :-)

After you finish the beginning, you will find it's not difficult. The book <<SELinux by Example>> is a good guide for developing modules, but I think the best guide to developing policy is the policy source.

> Thanks & Regards,
> Louis
>
> ----- Original Message ----
> From: Ken YANG <spng.yang@xxxxxxxxx>
> To: Louis Lam <lshoujun@xxxxxxxxx>
> Cc: Daniel J Walsh <dwalsh@xxxxxxxxxx>; fedora-selinux-list@xxxxxxxxxx
> Sent: Monday, July 30, 2007 6:53:17 AM
> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>
> Louis Lam wrote:
>> Hi,
>>
>> I think I'm having a policy compilation problem here.
>>
>> I've moved the domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t) statement to vmware.if. I was following the domain_auto_trans rules for other apps such as mozilla. The syntax error problem went away.
>>
>> But the problem is that the domain transition didn't take place. My vmplayer is still running in the unconfined state.
>>
>> I'm compiling the vmware.pp module using make -f /usr/share/selinux/devel/Makefile. I've tried to purposely introduce errors into vmware.if to see if the compilation is effective:
>>
>> e.g. domain_auto_trans($2, $2, $1_t, vmware_exec_t, $1_vmware_t)
>>
>> But the make process didn't detect any errors and the compilation still went on. I did a diff between the vmware.pp at /etc/selinux/targeted/modules/active/modules/vmware.pp and the one in the development directory (where I do all my compilation), but there are no differences.
>>
>> Does it mean that if the vmware.if file is modified it will not affect the make?
>
> As I infer (I'm not sure):
>
> The interface will not be checked unless someone invokes it, because if there are no invocations, the parameters cannot be determined.
>
> When you build the vmware module, you will not use your own interface in your own module, so the build process will not detect the error.
>
>> How do you ensure that the changes to vmware.if are effective? (Well, at least cause some compilation errors?)
>>
>> Thanks,
>> Louis
>>
>> ----- Original Message ----
>> From: Ken YANG <spng.yang@xxxxxxxxx>
>> To: Louis Lam <lshoujun@xxxxxxxxx>
>> Cc: Daniel J Walsh <dwalsh@xxxxxxxxxx>; fedora-selinux-list@xxxxxxxxxx
>> Sent: Saturday, July 28, 2007 5:28:25 PM
>> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>>
>> Louis Lam wrote:
>>> My mistake, apologies for the confusion. Under part 2, I was trying to do domain_auto_trans instead of domain_entry_file, so...
>>>
>>> 2. Created a domain transition so that the vmware user programs, e.g. the /usr/lib/vmplayer script and /usr/lib/vmware/bin/vmplayer, which are labelled system_u:object_r:vmware_exec_t, will transition to system_u:object_r:vmware_t when executed. I put it also in vmware.te:
>>>
>>> domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
>>>
>>> but on making the vmware.pp module I get this warning and error:
>>>
>>> 'syntax error' at token '1' on line 81143:
>>> #line 13
>>> allow $1_t vmware_exec_t: file {getattr read execute};
>>
>> This rule is generated by domain_auto_trans, so I think the syntax error should be caused by other rules.
>>
>> You may check the other rules in your policy.
>>
>>> Thanks in advance,
>>> Louis
>>>
>>> ----- Original Message ----
>>> From: Louis Lam <lshoujun@xxxxxxxxx>
>>> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>
>>> Cc: fedora-selinux-list@xxxxxxxxxx
>>> Sent: Friday, July 27, 2007 5:05:05 AM
>>> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>>>
>>> Thanks Daniel for the information, hi everyone.
>>>
>>> I've tried to make the following changes:
>>>
>>> 1. Defined the vmware_t type in vmware.te:
>>> type vmware_t;
>>>
>>> I need to do this since I'm trying to let the vmware user program run under the vmware_t domain, but this is not defined. In terms of overall code compliance, is it correct to define it here, or should it be in vmware.if?
>>
>> The type definition should be in vmware.te.
>>
>> Send instant messages to your online friends http://uk.messenger.yahoo.com

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
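The thread keeps circling the same two points: a `$1` placeholder is only meaningful inside an interface or template in the .if file, and the concrete transition rule (with a real source domain) belongs in the .te file. As an added example, not code from this thread nor from any shipped vmware policy module, here is a minimal refpolicy-style module laid out that way; the three files are shown one after another, separated by comment banners. It assumes the refpolicy interface names of the selinux-policy 3.0 era (domain_type, domain_entry_file, libs_use_ld_so, and so on), that the calling domain is unconfined_t, and that unconfined_t runs under the system_r role; verify the role on your own system with `id -Z` and adjust the `role` lines if it differs. The paths in the .fc section are the ones Louis mentioned.

```selinux
# ---- vmware.te : declarations and every concrete rule (added example) ----
policy_module(vmware, 1.0.0)

########################################
#
# Declarations
#

# The domain the player runs in and the entrypoint type of its executables.
type vmware_t;
type vmware_exec_t;
domain_type(vmware_t)
domain_entry_file(vmware_t, vmware_exec_t)

# Types and roles owned by other modules must be pulled in with gen_require().
# Assumption: the caller is unconfined_t and it runs under system_r;
# check with `id -Z` and change the role if your policy differs.
gen_require(`
	type unconfined_t;
	role system_r;
')

########################################
#
# Local policy
#

# Concrete transition: unconfined_t executing a vmware_exec_t file lands
# in vmware_t. domain_auto_trans() expands to the allow rules plus the
# type_transition, so nothing else is needed for the transition itself.
# Writing $1_t here instead of a real type is what produced the
# "syntax error at token '1'" seen in the thread.
domain_auto_trans(unconfined_t, vmware_exec_t, vmware_t)
role system_r types vmware_t;

# Just enough for the new domain to start and load libraries;
# extend from AVC denials (audit.log) rather than guessing.
allow vmware_t self:process { fork signal_perms };
allow vmware_t self:fifo_file rw_fifo_file_perms;
corecmd_exec_bin(vmware_t)
files_read_etc_files(vmware_t)
libs_use_ld_so(vmware_t)
libs_use_shared_libs(vmware_t)
miscfiles_read_localization(vmware_t)

# ---- vmware.fc : file contexts; run restorecon on these paths after semodule -i ----
/usr/lib/vmplayer		--	gen_context(system_u:object_r:vmware_exec_t,s0)
/usr/lib/vmware/bin/vmplayer	--	gen_context(system_u:object_r:vmware_exec_t,s0)

# ---- vmware.if : the same transition, parameterised for other modules ----
## <summary>Execute vmplayer in the vmware domain.</summary>
## <param name="domain">
##	<summary>Domain allowed to transition.</summary>
## </param>
interface(`vmware_domtrans',`
	gen_require(`
		type vmware_t, vmware_exec_t;
	')

	# $1 is substituted at the call site. An interface nobody calls is
	# never expanded, which is why a deliberate typo in an unused .if
	# interface does not break the build of the module that defines it.
	domain_auto_trans($1, vmware_exec_t, vmware_t)
	allow $1 vmware_t:fd use;
	allow vmware_t $1:fd use;
	allow vmware_t $1:fifo_file rw_fifo_file_perms;
	allow vmware_t $1:process sigchld;
')
```

Build with `make -f /usr/share/selinux/devel/Makefile vmware.pp`, load with `semodule -i vmware.pp`, relabel the two executables with `restorecon -v`, then confirm the transition with `ps -eZ | grep vmplayer`: the process context should show vmware_t rather than unconfined_t. A per_role_template, which Ken mentions, is the same pattern as `vmware_domtrans` but takes the user prefix, user domain and user role as `$1`, `$2` and `$3` so the rules can be stamped out once per login role.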