----- Original Message -----
> From: "Douglas Brown" <doug.brown@xxxxxxxxxx>
> To: "SELinux Fedora List" <selinux@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Monday, June 13, 2016 8:52:40 PM
> Subject: RHEL 7 shutdown_run interface
>
> Hi all,
>
> In the process of porting policies from RHEL 6 to 7, I’m having an issue with
> the shutdown_run interface.
>
> The trivial te file below compiles and loads fine on RHEL 6.7:
>
> policy_module(test, 0.1)
>
> require {
>     role staff_r;
>     type staff_t;
> }
>
> shutdown_run(staff_t, staff_r)
>
> However, there appears to be a bug in RHEL 7.2, because loading with semodule
> gives the error: "libsepol.print_missing_requirements: test's global
> requirements were not met: role shutdown_roles (No such file or directory)"
>

I believe you also need shutdown_role(staff_r,staff_t) for this to compile

> After looking into this, curiously the interface has moved from
> /usr/share/selinux/devel/include/admin/shutdown.if (selinux-policy rpm in
> RHEL 6) to /usr/share/selinux/devel/include/contrib/shutdown.if
> (selinux-policy-devel rpm in RHEL 7). Should it be in contrib?
>
> There’s also another issue in that shutdown_exec_t is used in the RHEL 7
> interface but it no longer exists because the shutdown binary has been
> replaced with a symlink to systemctl.
>
> Thanks,
> Doug
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx

--
Simon Sekidde * Red Hat, Inc. * Westford, MA
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E