policy compile error


I just downloaded the policy source from Red Hat (serefpolicy-2.4.6) and
attempted to build a strict-mls loadable module policy and got the
following compile error:

Compiling mls base module
/usr/bin/checkmodule -M base.conf -o tmp/base.mod
/usr/bin/checkmodule:  loading policy configuration from base.conf
policy/modules/kernel/domain.te:174:ERROR 'unknown type ipsec_spd_t' at
token ';' on line 10298:
        allow domain ipsec_spd_t:association polmatch;
#line 174
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1


Here is the offending portion of domain.te:

ifdef(`enable_mls',`
	tunable_policy(`allow_netlabel',`
		kernel_raw_recvfrom_unlabeled(domain)
		kernel_tcp_recvfrom_unlabeled(domain)
		kernel_udp_recvfrom_unlabeled(domain)
	')
	tunable_policy(`allow_ipsec_label',`
		ipsec_labeled(domain)
	')
')


Since domain is a base module and ipsec is a loadable module, doesn't
the call to the ipsec_labeled interface need to be wrapped in an
optional_policy statement? Since nesting conditional statements isn't
supported, I had to comment out the tunable_policy statement to get this
to compile:
	#tunable_policy(`allow_ipsec_label',`
		optional_policy(`
			ipsec_labeled(domain)
		')
	#')

What's the right fix for this?


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
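
As an added illustration (not part of the original post and not reference-policy code), the Python lint below scans a base-module .te fragment and reports interface calls into non-base modules that are not enclosed in optional_policy, run over the two snippets from the message. It assumes the reference-policy convention that an interface name starts with its owning module's name, and that kernel and domain are the base modules here; unguarded_calls, BASE_MODULES and BLOCK_MACROS are names made up for the example.

```python
import re

# Assumption for this example: the modules compiled into base.
BASE_MODULES = {"kernel", "domain"}
# Support macros that open blocks; they are not interface calls.
BLOCK_MACROS = {"ifdef", "ifndef", "tunable_policy", "optional_policy"}
TOKEN = re.compile(r"(\w+)\(|[`')]")

def unguarded_calls(te_source, base_modules=BASE_MODULES):
    """Return (line, interface) for non-base calls outside optional_policy."""
    findings, calls, quotes = [], [], []  # quotes: owner of each open m4 quote
    for lineno, line in enumerate(te_source.splitlines(), 1):
        line = line.split("#", 1)[0]      # drop m4 comments
        for m in TOKEN.finditer(line):
            name, tok = m.group(1), m.group(0)
            if name:
                if name not in BLOCK_MACROS:
                    in_base = any(name.startswith(b + "_") for b in base_modules)
                    if not in_base and "optional_policy" not in quotes:
                        findings.append((lineno, name))
                calls.append(name)        # remember whose '(' is open
            elif tok == "`":
                quotes.append(calls[-1] if calls else "")
            elif tok == "'" and quotes:
                quotes.pop()
            elif tok == ")" and calls:
                calls.pop()
    return findings

# The fragment of domain.te quoted in the post.
ORIGINAL = """ifdef(`enable_mls',`
    tunable_policy(`allow_netlabel',`
        kernel_raw_recvfrom_unlabeled(domain)
        kernel_tcp_recvfrom_unlabeled(domain)
        kernel_udp_recvfrom_unlabeled(domain)
    ')
    tunable_policy(`allow_ipsec_label',`
        ipsec_labeled(domain)
    ')
')"""

# The poster's workaround, placed inside the same ifdef.
WORKAROUND = """ifdef(`enable_mls',`
    #tunable_policy(`allow_ipsec_label',`
        optional_policy(`
            ipsec_labeled(domain)
        ')
    #')
')"""

if __name__ == "__main__":
    print(unguarded_calls(ORIGINAL), unguarded_calls(WORKAROUND))
```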
