Brian Ginn wrote:
> using the polgengui, I get an error that the type is unknown (see below).
>
> I compared the generated files to /usr/share/selinux/devel/example.*
>
> I can see that I need to add the initial type myapp2_t;
>
> ... there are some other differences. For example:
>
> Polgengui's myapp2.te:
>
> corecmd_executable_file(pbrun_exec_t)
>
> example.te:
>
> domain_type(myapp_t)
> domain_entry_file(myapp_t, myapp_exec_t)
>
> Do these accomplish essentially the same thing?
>

Not really. corecmd_executable_file just identifies the label as being an executable, which lots of apps will be allowed to execute without a transition.

domain_type identifies the label as something that applies to a process, domain_entry_file says that you can start a process labeled myapp_t by executing an executable labeled myapp_exec_t.

BUT you still need to write a transition rule, like

domtrans_pattern(unconfined_t, myapp_exec_t, myapp_t)

Which would say when a process labeled unconfined_t executes an executable labeled myapp_exec_t, it will transition to a process labeled myapp_t.

> Thanks,
> Brian
>
> + . ./myapp2.sh
> ++ set -x
> ++ make -f /usr/share/selinux/devel/Makefile
> Compiling targeted myapp2 module
> /usr/bin/checkmodule: loading policy configuration from tmp/myapp2.tmp
> myapp2.te:22:ERROR 'unknown type myapp2_t' at token ';' on line 83532:
>
> allow myapp2_t myapp2_rw_t:file { create getattr setattr read write append rename link unlink ioctl lock };
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/myapp2.mod] Error 1
> ++ /usr/sbin/semodule -i myapp2.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp2_t system_chkpwd_t:process { transition };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp2_t updpwd_t:process { transition };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow system_chkpwd_t myapp2_t:process { sigchld };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow updpwd_t myapp2_t:process { sigchld };
> libsepol.check_assertions: 4 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> /usr/sbin/semodule: Failed!
> ++ /sbin/restorecon -F -R -v /usr/local/bin/myapp2
> /sbin/restorecon reset /usr/local/bin/myapp2 context system_u:object_r:bin_t:s0->system_u:object_r:bin_t:s0
> ++ /sbin/restorecon -F -R -v /etc/pb.settings
> /sbin/restorecon reset /etc/pb.settings context system_u:object_r:etc_t:s0->system_u:object_r:etc_t:s0
> ++ /usr/sbin/semanage port -a -t myapp2_port_t -p tcp 23000
> libsepol.context_from_record: type myapp2_port_t is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.port_from_record: could not create port structure for range 23000:23000 (tcp)
> libsepol.sepol_port_modify: could not load port range 23000 - 23000 (tcp)
> libsemanage.dbase_policydb_modify: could not modify record value
> libsemanage.semanage_base_merge_components: could not merge local modifications into policy
> /usr/sbin/semanage: Could not add port tcp/23000
> ++ echo -ne '\033]0;root@localhost:~'
> [root@localhost ~]#
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
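
A minimal myapp2.te putting together the pieces the reply describes (type declarations, domain_type, domain_entry_file and the transition rule), as an added example that is not part of the original thread or of polgengui's output. The name myapp2_exec_t and the module version are assumptions, and the role statement is an addition the reply does not mention.

```selinux
policy_module(myapp2, 1.0.0)

# Types and roles that already exist in the loaded policy are required,
# not declared again.
gen_require(`
	type unconfined_t;
	role unconfined_r;
')

# Declare the process type and the executable's file type. Leaving out
# "type myapp2_t;" is what makes checkmodule stop with
# 'unknown type myapp2_t' at myapp2.te:22.
type myapp2_t;
type myapp2_exec_t;    # assumed name for the label on /usr/local/bin/myapp2

# myapp2_t is a label that applies to processes (a domain).
domain_type(myapp2_t)

# A process labeled myapp2_t may be started by executing a file
# labeled myapp2_exec_t.
domain_entry_file(myapp2_t, myapp2_exec_t)

# The transition rule itself: when unconfined_t executes myapp2_exec_t,
# the new process is labeled myapp2_t. Without this rule the program
# keeps running in the caller's domain.
domtrans_pattern(unconfined_t, myapp2_exec_t, myapp2_t)

# Addition beyond the reply: the caller's role must be allowed to hold
# the new type, otherwise the resulting process context is invalid.
role unconfined_r types myapp2_t;

# Data type used by the generated allow rule; it also needs a declaration.
type myapp2_rw_t;
files_type(myapp2_rw_t)

allow myapp2_t myapp2_rw_t:file { create getattr setattr read write append rename link unlink ioctl lock };
```

The executable only triggers the transition once it carries the entry-point label, so the module's file contexts (.fc) have to map /usr/local/bin/myapp2 to myapp2_exec_t before restorecon is run; in the trace above it is still bin_t.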