On 01/05/2015 02:55 PM, Robert Nichols wrote:
> On 01/05/2015 02:41 PM, Daniel J Walsh wrote:
>> On 01/05/2015 10:11 AM, Robert Nichols wrote:
>>> On 01/05/2015 03:29 AM, Miroslav Grepl wrote:
>>>> On 01/05/2015 01:55 AM, Robert Nichols wrote:
>>>>> Would someone please help me translate this module into something that
>>>>> will build on a current system (CentOS 6, checkpolicy-2.0.22-1.el6):
>>>>> policy_module(procmail_uncon, 1.0.18)
>>>>> =============== cut ===================
>>>>> gen_require(`
>>>>> type unconfined_t;
>>>>> type unconfined_exec_t;
>>>>> type procmail_t;
>>>>> role system_r;
>>>>> ')
>>>>> type my_uncon_exec_t;
>>>>> files_type(my_uncon_exec_t)
>>>>> allow procmail_t unconfined_t : process { transition sigchld };
>>>>> domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t)
>>>>> role system_r types unconfined_t;
>>>> You say you are not able to build the above policy module on CentOS 6?
>>> I cannot. With that in a file called procmail_uncon.te in a directory with
>>> a Makefile copied from /usr/share/linux/devel, running "make" yields:
>>> ========
>>> Compiling targeted procmail_uncon module
>>> /usr/bin/checkmodule: loading policy configuration from tmp/procmail_uncon.tmp
>>> procmail_uncon.te":13:ERROR 'unknown class file used in rule' at token ';' on line 1045:
>>> #line 13
>>> allow procmail_t my_uncon_exec_t:file { getattr open read execute };
>>> /usr/bin/checkmodule: error(s) encountered while parsing configuration
>>> make: *** [tmp/procmail_uncon.mod] Error 1
>>> ========
>>> The following packages are installed:
>>> libselinux-2.0.94-5.8.el6.x86_64
>>> libselinux-devel-2.0.94-5.8.el6.x86_64
>>> libselinux-python-2.0.94-5.8.el6.x86_64
>>> libselinux-utils-2.0.94-5.8.el6.x86_64
>>> selinux-policy-3.7.19-260.el6_6.1.noarch
>>> libsepol-devel-2.0.41-4.el6.x86_64
>>> selinux-policy-targeted-3.7.19-260.el6_6.1.noarch
>>> I did dig up a procmail_uncon.pp file from an old Fedora 12 backup, and
>>> that file seems to install OK, so the problem is no longer critical for me,
>>> but I'd like to get this resolved.
>> You need to run the Makefile on the te file with the
>> policy_module(procmail_uncon, 1.0.18) line.
> I have no idea what you mean by that. You don't run a Makefile _on_ a
> source file. OK, I'll try it anyway:
> ========
> # make procmail_uncon.te
> make: Nothing to be done for `procmail_uncon.te'.
> ========
> Yes, it already exists and has no dependencies.
OK, I think I see what you meant, and I see what happened. I thought I had
just inserted the ===cut=== line in the wrong place in my initial post, but
it turns out that policy_module() line actually _had_ somehow gotten cut
out of the source. It builds OK now.
I just wish the macros and process weren't so much undocumented black magic.
Then I might be able to figure things out myself. Sure, you've got blog
postings that say, "Wave the wand this way over the entrails. It's easy
(if you want to do exactly what I just showed you)." That is not the same
thing.
I'd say, "Sorry for the noise," but, all things considered, that would be
a lie.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.