Re: Error from Checkmodule for my policy

On 04/06/2016 08:18 PM, amir sheng wrote:
> I am writing a policy module on Fedora, trying to limit running the who command to a specific user only. Checkmodule issues the following error for my script:
>                Error 'syntax error' at token 'domain_auto_trans' on line 20
> 
> But I checked the syntax and there is no typo in it. Here is my whole script. What is the error in it?
> 
> module who 1.0;
> require {
> attribute domain;
> attribute file_type;
> attribute exec_type;
> type sysadm_t;
> attribute sysadm_r;
> class process transition;
> role sysadm_r;       }
> 
> 
> type who_t;
> typeattribute who_t domain;
> 
> type who_exec_t;
> typeattribute who_exec_t file_type;
> typeattribute who_exec_t  exec_type;
> 
> role sysadm_r types who_t;
> domain_auto_trans (sysadm_t, who_exec_t, who_t)

Hello Amir,
the problem is you call the domain_auto_trans() macro which is supposed
to be used for module policies using reference policy.

If you apply the following fix

-module who 1.0;
+policy_module(who, 1.0)
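
Review bot: the replacement line policy_module(who, 1.0) is itself a reference policy m4 macro, so the file can no longer be handed to checkmodule directly, and the fix should say how to build it. On Fedora that is normally "make -f /usr/share/selinux/devel/Makefile who.pp" (the Makefile ships in selinux-policy-devel), which expands the macros before checkmodule runs. Because m4 only passes arguments when the opening parenthesis directly follows the macro name, the call in the quoted policy should also drop the space: domain_auto_trans(sysadm_t, who_exec_t, who_t).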

it will work for you. You create a policy module using reference policy
with this change so you can call macros.

> 
> 
> Another problem is that when I transfer this script to CentOS, the checkmodule of CentOS issues other kinds of errors. Why does this happen? Do the kinds of errors differ between Fedora and CentOS?

Can you elaborate on it more?



Thank you.

-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.