On 01/05/2015 02:41 PM, Daniel J Walsh wrote:
On 01/05/2015 10:11 AM, Robert Nichols wrote:
On 01/05/2015 03:29 AM, Miroslav Grepl wrote:
On 01/05/2015 01:55 AM, Robert Nichols wrote:
Would someone please help me translate this module into something that
will build on a current system (CentOS 6, checkpolicy-2.0.22-1.el6):
policy_module(procmail_uncon, 1.0.18)
=============== cut ===================
gen_require(`
type unconfined_t;
type unconfined_exec_t;
type procmail_t;
role system_r;
')
type my_uncon_exec_t;
files_type(my_uncon_exec_t)
allow procmail_t unconfined_t : process { transition sigchld };
domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t)
role system_r types unconfined_t;
You say you are not able to build the above policy module on CentOS 6?
I cannot. With that in a file called procmail_uncon.te in a directory with a Makefile copied from /usr/share/linux/devel, running "make" yields:
========
Compiling targeted procmail_uncon module
/usr/bin/checkmodule: loading policy configuration from tmp/procmail_uncon.tmp
procmail_uncon.te":13:ERROR 'unknown class file used in rule' at token ';' on line 1045:
#line 13
allow procmail_t my_uncon_exec_t:file { getattr open read execute };
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/procmail_uncon.mod] Error 1
========
The following packages are installed:
libselinux-2.0.94-5.8.el6.x86_64
libselinux-devel-2.0.94-5.8.el6.x86_64
libselinux-python-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-260.el6_6.1.noarch
libsepol-devel-2.0.41-4.el6.x86_64
selinux-policy-targeted-3.7.19-260.el6_6.1.noarch
I did dig up a procmail_uncon.pp file from an old Fedora 12 backup, and that file seems to install OK, so the problem is no longer critical for me, but I'd like to get this resolved.
You need to run the Makefile on the te file with the
policy_module(procmail_uncon, 1.0.18) line.
I have no idea what you mean by that. You don't run a Makefile _on_ a
source file. OK, I'll try it anyway:
========
# make procmail_uncon.te
make: Nothing to be done for `procmail_uncon.te'.
========
Yes, it already exists and has no dependencies.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.