On 04/06/2016 08:18 PM, amir sheng wrote:
> I am writing a policy module on Fedora trying to limit running the who command only to specific user. Checkmodule issues following error for my script :
> Error 'syntax error' at token 'domain_auto_trans' on line 20
>
> But I checked the syntax and there is no typo in it. Here is my whole script. What is the error in it?
>
> module who 1.0;
> require {
> attribute domain;
> attribute file_type;
> attribute exec_type;
> type sysadm_t;
> attribute sysadm_r;
> class process transition;
> role sysadm_r; }
>
>
> type who_t;
> typeattribute who_t domain;
>
> type who_exec_t;
> typeattribute who_exec_t file_type;
> typeattribute who_exec_t exec_type;
>
> role sysadm_r types who_t;
> domain_auto_trans (sysadm_t, who_exec_t, who_t)
Hello Amir,
the problem is you call the domain_auto_trans() macro which is supposed
to be used for module policies using reference policy.
If you apply the following fix
-module who 1.0;
+policy_module(who, 1.0)
it will work for you. You create a policy module using reference policy
with this change so you can call macros.
>
>
> Another problem is that when I transfer this script to Centos, checkmodule of centos issues other kind of errors. Why this happens? Kinds of errors differ by fedora or centos?
Can you elaborate it more?
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>
Thank you.
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
