On 04/06/2016 08:18 PM, amir sheng wrote:
> I am writing a policy module on Fedora trying to limit running the who command only to a specific user. Checkmodule issues the following error for my script:
> Error 'syntax error' at token 'domain_auto_trans' on line 20
>
> But I checked the syntax and there is no typo in it. Here is my whole script. What is the error in it?
>
> module who 1.0;
> require {
> attribute domain;
> attribute file_type;
> attribute exec_type;
> type sysadm_t;
> attribute sysadm_r;
> class process transition;
> role sysadm_r; }
>
>
> type who_t;
> typeattribute who_t domain;
>
> type who_exec_t;
> typeattribute who_exec_t file_type;
> typeattribute who_exec_t exec_type;
>
> role sysadm_r types who_t;
> domain_auto_trans (sysadm_t, who_exec_t, who_t)

Hello Amir,
the problem is you call the domain_auto_trans() macro, which is supposed to be used for module policies using reference policy.

If you apply the following fix

-module who 1.0;
+policy_module(who, 1.0)

it will work for you. You create a policy module using reference policy with this change so you can call macros.

>
>
> Another problem is that when I transfer this script to CentOS, checkmodule on CentOS issues other kinds of errors. Why does this happen? Do the kinds of errors differ between Fedora and CentOS?

Can you elaborate on it more?

> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>

Thank you.

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
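
Review bot: the added line "policy_module(who, 1.0)" is itself a reference policy macro, so after this change the file can no longer be handed straight to checkmodule as in the original report; it has to go through the reference policy build, which expands macros before compiling, and the fix should say so. The change also leaves the last line of the quoted script as "domain_auto_trans (sysadm_t, who_exec_t, who_t)": with a space before the opening parenthesis m4 calls the macro without its arguments, so that space needs to be removed as part of the same fix.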