On 04/29/2015 12:54 AM, Simon Sekidde wrote:
>
>
> ----- Original Message -----
>> From: "Tracy Reed" <treed@xxxxxxxxxxxxxxx>
>> To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> Sent: Tuesday, April 28, 2015 6:48:05 PM
>> Subject: Re: "invalid security context" in custom policy
>>
>> On Tue, Apr 28, 2015 at 12:11:05PM PDT, Tracy Reed spake thusly:
>>> libsepol.context_from_record: invalid security context:
>>> "myapp_u:myapp_r:myapp_api_t:s0"
>>
>> Solved: When declaring your own file contexts use object_r for the role
>> instead of a user role in your .fc file.
>>
>> Still having an issue with this one though:
>>
>>> And while I'm posting I may as well ask: When I uncomment the
>>> logging_log_file(myapp_logs_t) type attribute above I get this error:
>>>
>>> Compiling targeted myapp module
>>> /usr/bin/checkmodule: loading policy configuration from tmp/myapp.tmp
>>> myapp.te":42:ERROR 'unknown class filesystem used in rule' at token ';' on
>>> line 1301:
>>> allow myapp_logs_t tmp_t:filesystem associate;
>>> #line 42
>>> /usr/bin/checkmodule: error(s) encountered while parsing configuration
>>> make: *** [tmp/myapp.mod] Error 1
>>>
>
> Probably need something like
>
> class filesystem { associate };
>
> inside the require { } along with this statement
>
> allow myapp_tmp_t myapp_logs_t: filesystem associate;

Yes, you need to require all classes/permissions if you use this module
declaration. You can use the

policy_module(mypol, 1.0)

module declaration with reference policy. But you need to build it with the
devel Makefile, which applies m4 and includes the interface files that define
the macros:

# make -f /usr/share/selinux/devel/Makefile mypol.pp

In this case, you don't need to require all the classes and permissions which
are used.

>
>>>
>>> All tips are greatly appreciated!
>>>
>>> --
>>> Tracy Reed
>>
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
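As an added illustration of the two approaches discussed in this thread (a constructed example, not Tracy's actual module and not code from the list), here is a myapp.te written both ways: the raw `module` form, which must require every class, permission and foreign type it touches, and the reference-policy `policy_module` form, where the interface macros and the devel Makefile supply those requirements. The two forms are alternative files shown in one listing; tmp_t, file_type and logging_log_file are real reference-policy names, while the myapp_* names and the /var/log/myapp path are hypothetical.

```selinux
# ===== Alternative A: raw "module" declaration, fed straight to checkmodule =====
# Every class/permission and every type or attribute defined in another module
# must be listed in require {}, otherwise checkmodule stops with
# "unknown class ... used in rule" (the error quoted in the thread).
module myapp 1.0;

require {
    type tmp_t;                        # defined by the base policy, not here
    attribute file_type;               # so myapp_logs_t is treated as a file type
    class filesystem { associate };    # the class the error complained about
}

type myapp_logs_t;
typeattribute myapp_logs_t file_type;

# The rule that logging_log_file(myapp_logs_t) expanded to at "line 1301":
# files of type myapp_logs_t may live on a filesystem labelled tmp_t.
allow myapp_logs_t tmp_t:filesystem associate;


# ===== Alternative B: reference-policy "policy_module" declaration =====
# Build with:  make -f /usr/share/selinux/devel/Makefile myapp.pp
# then load:   semodule -i myapp.pp
# The devel Makefile runs m4 over the interface files, policy_module() requires
# all kernel classes for you, and each interface call carries its own
# gen_require() for the types it uses, so no hand-written require {} is needed.
policy_module(myapp, 1.0)

type myapp_logs_t;
logging_log_file(myapp_logs_t)       # file_type + logfile + the tmp_t associate rule


# ===== myapp.fc (same for both forms) =====
# The role in a file context is always object_r, never a user role such as
# myapp_r; a user role here produced the "invalid security context" error.
#   /var/log/myapp(/.*)?    gen_context(system_u:object_r:myapp_logs_t,s0)
#   (raw-module form, no m4:  system_u:object_r:myapp_logs_t:s0)
```

After loading either build, `seinfo -t myapp_logs_t` (setools) confirms the type exists and `ls -Z /var/log/myapp` after `restorecon -Rv /var/log/myapp` confirms the .fc entry applied.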