What is missing with this policy

David Highley <dhighley@xxxxxxxxxxxxxxxxxxxxxxx> · Thu, 11 Nov 2010 18:55:44 -0800 (PST)

When I install the following policy I see these warnings, what is
missing?

libsemanage.semanage_fc_sort: WARNING: semanage_fc_sort: Incomplete context.
libsemanage.semanage_fc_sort: WARNING: semanage_fc_sort: Incomplete context.

sshdfilter.fc:
/etc/rc\.d/init\.d/sshdfilter --
gen_context(system_u:object_r:sshdfilter_initrc_exec_t, s0)
/etc/sshdfilterrc.* -- gen_context(system_u:object_r:sshdfilter_etc_t, s0)
/usr/sbin/sshdfilter -- gen_context(system_u:object_r:sshdfilter_exec_t, s0)
#/var/run/sshdfilter.fifo -- gen_context(system_u:object_r:sshdfilter_syslog_t, s0)

sshdfilter.if:
## <summary></summary>

sshdfilter.te:
policy_module(sshdfilter, 1.0.7)

type sshdfilter_t;
type sshdfilter_exec_t;
init_daemon_domain(sshdfilter_t, sshdfilter_exec_t)

type sshdfilter_initrc_exec_t;
init_script_file(sshdfilter_initrc_exec_t)

type sshdfilter_etc_t;
files_config_file(sshdfilter_etc_t)

dev_read_urand(sshdfilter_t)
corecmd_search_bin(sshdfilter_t)
miscfiles_read_localization(sshdfilter_t)

require {
        type var_run_t;
        type usr_t;
        type syslogd_t;
        type etc_t;
        type shell_exec_t;
        type sshdfilter_t;
        type bin_t;
        type devlog_t;
        type sshdfilter_etc_t;
        type proc_t;
        type net_conf_t;
        class sock_file { write getattr };
        class lnk_file read;
        class unix_dgram_socket { write create connect ioctl sendto };
        class file { execute read ioctl execute_no_trans getattr open create };
        class fifo_file { write ioctl read open getattr };
        class dir { write add_name remove_name };
}

#============= sshdfilter_t ==============
allow sshdfilter_t bin_t:file { read getattr open execute execute_no_trans };
allow sshdfilter_t bin_t:lnk_file read;
allow sshdfilter_t devlog_t:sock_file { write getattr };
allow sshdfilter_t etc_t:file { read getattr open };
allow sshdfilter_t proc_t:file { read getattr open };
allow sshdfilter_t self:fifo_file { read write ioctl getattr };
allow sshdfilter_t self:unix_dgram_socket { write create ioctl connect };
allow sshdfilter_t shell_exec_t:file { read execute open getattr execute_no_trans };
allow sshdfilter_t sshdfilter_etc_t:file { read ioctl open getattr };
allow sshdfilter_t syslogd_t:unix_dgram_socket sendto;
allow sshdfilter_t usr_t:file { read getattr open ioctl };
allow sshdfilter_t var_run_t:dir { write add_name remove_name };
allow sshdfilter_t var_run_t:file { write getattr unlink open create ioctl };
allow sshdfilter_t var_run_t:fifo_file { read open ioctl getattr };
allow sshdfilter_t net_conf_t:file { read getattr open };

optional_policy(`
        iptables_domtrans(sshdfilter_t)
')
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux