On 10/24/2014 07:37 PM, Daniel J Walsh wrote:
On 10/24/2014 10:15 AM, Lukas Zapletal wrote:
Hello,
I am working on a policy where we want to modularize certain features
(management of DHCP, DNS and TFTP services). Since users can turn these
features on and off, we would like to introduce SELinux booleans to do
the same.
Unfortunately when I try to put some macros in the tunable_policy
blocks, I get errors:
tunable_policy(`foreman_proxy_manage_dhcp', `
dhcpd_admin(foreman_proxy_t, system_r)
netutils_exec_ping(foreman_proxy_t)
netutils_domtrans_ping(foreman_proxy_t)
You would not have both of these within the same block.
netutils_domtrans_ping implies netutils_exec_ping.
You probably want this on all the time.
What types does foreman have to manage under dhcpd? We probably need to
add interfaces for this.
')
foreman-proxy.te":188:ERROR 'syntax error' at token 'typeattribute' on
line 10649:
typeattribute foreman_proxy_t initrc_transition_domain;
/usr/bin/checkmodule: error(s) encountered while parsing
configuration
It works just fine without the tunable_policy block.
Where's the snag and how can we work around it? Thanks!
You would need to re-write the dhcpd_admin() interface. It's caused by
init_labeled_script_domtrans(), where we use
typeattribute $1 initrc_transition_domain;
Is this on RHEL7? You don't need to have it in RHEL7 because of systemd. We should probably re-write/fix this init_t/initrc_t/unconfined_services_t concept in Fedora22.
If you use RHEL6, you need to write your own _admin() interface to make it work with the tunable statement.
You are not allowed to put attributes within a boolean block.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
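The restriction discussed in this thread, that a tunable_policy block may only carry rules the kernel can evaluate conditionally (allow/dontaudit/auditallow and type transitions), while typeattribute, role_transition and the interfaces that expand to them must stay unconditional, can be shown in a small policy module. The following is an added example written for this page; it is not code from the thread or from the foreman-selinux project. It assumes the reference-policy/Fedora interface and type names of that era (dhcpd_t, dhcpd_initrc_exec_t, dhcpd_tmp_t, dhcpd_state_t, dhcpd_var_run_t, init_labeled_script_domtrans, domain_system_change_exemption, ps_process_pattern, admin_pattern, files_list_tmp, netutils_domtrans_ping) and the foreman_proxy_t domain and foreman_proxy_manage_dhcp boolean named in the thread; it splits the body of dhcpd_admin() by hand rather than calling it.

```m4
policy_module(foreman_proxy_dhcp_example, 1.0.0)

## <desc>
##   <p>Allow foreman-proxy to administer the ISC DHCP server.</p>
## </desc>
gen_tunable(foreman_proxy_manage_dhcp, false)

gen_require(`
    type foreman_proxy_t;
    role system_r;
    type dhcpd_t, dhcpd_initrc_exec_t;
    type dhcpd_tmp_t, dhcpd_state_t, dhcpd_var_run_t;
')

# Part 1: statements checkmodule refuses inside a conditional block.
# init_labeled_script_domtrans() expands to
#   typeattribute $1 initrc_transition_domain;
# and domain_system_change_exemption() to another typeattribute.
# Calling them at top level is what makes the module compile; these
# grants are therefore always on, regardless of the boolean.
init_labeled_script_domtrans(foreman_proxy_t, dhcpd_initrc_exec_t)
domain_system_change_exemption(foreman_proxy_t)

# Part 2: plain allow rules (and the patterns that expand to them) are
# legal inside tunable_policy, so the actual administrative access to the
# daemon and its files is gated by foreman_proxy_manage_dhcp.
tunable_policy(`foreman_proxy_manage_dhcp', `
    allow foreman_proxy_t dhcpd_t:process { ptrace signal_perms };
    ps_process_pattern(foreman_proxy_t, dhcpd_t)

    files_list_tmp(foreman_proxy_t)
    admin_pattern(foreman_proxy_t, dhcpd_tmp_t)
    admin_pattern(foreman_proxy_t, dhcpd_state_t)
    admin_pattern(foreman_proxy_t, dhcpd_var_run_t)
')

# Ping is left unconditional, as the reply suggests: the domain
# transition interface already implies execute access on the ping binary,
# so netutils_exec_ping() is not needed alongside it.
netutils_domtrans_ping(foreman_proxy_t)
```

Build it like any other module (make -f /usr/share/selinux/devel/Makefile foreman_proxy_dhcp_example.pp); if a typeattribute-bearing call is moved back inside the tunable_policy block, checkmodule fails with the same "syntax error at token 'typeattribute'" as in the report above. On systemd-based systems the init-script transition in part 1 is unnecessary, as the reply notes, and can be dropped.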