On 04/25/2016 09:11 PM, amir sheng wrote:
> Oh sorry, it is as the following and the error using "$ checkmodule -M -m -o who.mod who.te" in Fedora 22 is:
>
> ERROR ' Building a policy module, but no module specification found.' at token ' policy_module' on line 1:
> checkmodule: error(s) encountered while parsing configuration
>
> ------------------------------------------------------------------------------------
> policy_module (who, 1.0);
> require {
> attribute domain;
> class file getattr;
> class file execute;
> class file entrypoint;
> attribute file_type;
> attribute exec_type;
> type unconfined_t;
> class process transition;
> role unconfined_r; }
>
> type who_t;
> typeattribute who_t domain;
>
> type who_exec_t;
> typeattribute who_exec_t file_type;
> typeattribute who_exec_t exec_type;
>
> role unconfined_r types who_t;
> type_transition unconfined_t who_exec_t:process who_t;
>
> allow unconfined_t who_exec_t : file *;
> allow unconfined_t who_t:process transition;
> allow who_t who_exec_t: file entrypoint;
>
> domain_auto_trans (sysadm_t, who_exec_t, who_t)
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>

Ah, ok it makes sense now. The problem is you mix reference and non-reference policy. If we use m4 macros

domain_auto_trans (sysadm_t, who_exec_t, who_t)

we say that you use reference policy. m4 macros need to be expanded by m4. That is the reason why you fail with checkmodule.

You can use /usr/share/selinux/devel/include/Makefile to build your policy. It will do the job for you.

# make -f /usr/share/selinux/devel/Makefile who.pp
# semodule -i who.pp

You can look at the Makefile to check what is happening.

Thank you.

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
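
The distinction drawn in the reply above can be checked before building. The following is an added example, not part of the original thread: a heuristic pre-flight check that tells whether a .te file contains m4 macro calls (and so needs the devel Makefile) or is raw policy language that checkmodule can parse directly. The function names te_flavor and build_hint are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Heuristic: in raw policy language no
# statement starts with "identifier(", except "if (" and constraint-expression
# continuation lines ("and (", "or (", "not ("). Anything else of that shape,
# such as policy_module(...) or domain_auto_trans(...), is an m4 macro call.

te_flavor() {
    # Strip comments so commented-out macro calls are not counted.
    src=$(sed 's/#.*$//' "$1")
    if printf '%s\n' "$src" |
        grep -E '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\(' |
        grep -Ev '^[[:space:]]*(if|and|or|not)[[:space:]]*\(' >/dev/null; then
        echo refpolicy      # needs m4 expansion before checkmodule sees it
    elif printf '%s\n' "$src" |
        grep -Eq '^[[:space:]]*module[[:space:]]+[A-Za-z0-9_]+[[:space:]]+[0-9.]+[[:space:]]*;'; then
        echo raw            # plain "module NAME VERSION;" header
    else
        echo unknown        # neither header form found
    fi
}

build_hint() {
    base=$(basename "$1" .te)
    case $(te_flavor "$1") in
        refpolicy) echo "make -f /usr/share/selinux/devel/Makefile $base.pp" ;;
        raw)       echo "checkmodule -M -m -o $base.mod $1" ;;
        *)         echo "no module header found in $1" ;;
    esac
}

# Usage as a script: sh te_flavor.sh who.te other.te
for f in "$@"; do
    build_hint "$f"
done
```

Run against the who.te quoted in the thread, this prints the make command, because both policy_module and domain_auto_trans are macro calls.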