On 02/29/2012 01:39 AM, Alan Batie wrote:

I'm trying a simple "first policy" with Eclipse and SLIDE, and getting
an error I don't understand. I'm hoping someone can point me in the
right direction:

Creating policy.xml
/usr/share/selinux/devel/include/support/segenxml.py: warning: unable to
find XML for interface peak_read_files()
/usr/share/selinux/devel/include/support/segenxml.py: warning: unable to
find XML for interface peak_read_config_files()
/usr/share/selinux/devel/include/support/segenxml.py: warning: orphan
XML comments at bottom of file ./peak_files.te
doc/policy.xml:65535: element module: validity error : Element module
content does not follow the DTD, expecting (summary , desc? , required?
, (interface | template)* , (bool | tunable)*), got (summary param
interface interface )
Document doc/policy.xml does not validate against
/usr/share/selinux/devel/include/support/policy.dtd
make: *** [doc/policy.xml] Error 3
Compiling targeted peak_files module

I'm guessing that means I haven't defined the interfaces somewhere I
ought to, but I have them in the Interfaces (.if) tab:

############################################################
## <summary>
## Access to reading peak files
## </summary>
## <param name="domain">
## <summary>
## Source domain to give access to
## </summary>
## </param>
#
interface(`peak_read_files',`
    gen_require(`
        type peak_t;
    ')
    allow $1 peak_t:dir list_dir_perms;
    read_files_pattern($1,peak_t,peak_t)
')

############################################################
## <summary>
## Access to reading peak config files
## </summary>
## <param name="domain">
## <summary>
## Source domain to give access to
## </summary>
## </param>
#
interface(`peak_read_config_files',`
    gen_require(`
        type peak_config_t;
    ')
    allow $1 peak_config_t:dir list_dir_perms;
    read_files_pattern($1,peak_config_t,peak_config_t)
')

The .te file is simple enough:

policy_module(peak_files,1.0.0)
############################################################
## <summary>
## Peak local configuration files and scripts
## </summary>
# domain for peak files
type peak_t;
# domain for peak configuration files
type peak_config_t;
# domain for peak scripts to run in
type peak_exec_t;
files_type(peak_t)
files_type(peak_config_t)
# peak things can read peak config files
read_files_pattern(peak_t,peak_config_t,peak_config_t)

For completeness, the .fc file:

/peak(/.*)? gen_context(system_u:object_r:peak_t,s0))
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
What OS?