Great, thanks again. That will make me busy a little bit :)
On Fri, Feb 3, 2017 at 11:26 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Fri, 2017-02-03 at 11:13 -0800, Bassam Alsanie wrote:
> Thanks Stephen.
> Is there an interface close to this logic?
>
> allow myapp_t *:process signull;
You can browse for interfaces by installing selinux-policy-doc (or in
older releases, selinux-policy-devel) and running
/usr/share/selinux/devel/policyhelp to open the interface docs in a
browser. Upstream refpolicy also provides its generated docs online
at http://oss.tresys.com/docs/refpolicy/api/
Looks like domain_signull_all_domains(myapp_t) should do it for you.
>
> On Fri, Feb 3, 2017 at 10:40 AM, Stephen Smalley <sds@xxxxxxxxxxxxx>
> wrote:
> > On Fri, 2017-02-03 at 10:22 -0800, Bassam Alsanie wrote:
> > > I have an app that needs to have search access to all directories on
> > > the system.
> > > I am trying to use this TE in my policy:
> > >
> > > > allow myapp_t *:dir { search_dir_perms } ;
> > >
> > > When compiling with make, I am getting these error messages:
> > >
> > > > $ make
> > > > Compiling targeted myapp module
> > > > here it is /usr/share/selinux/devel/include
> > > > /usr/bin/checkmodule: loading policy configuration from
> > > > tmp/myapp.tmp
> > > > myapp.te:678:ERROR '* not allowed in this type of rule' at token
> > > > ';' on line 5114:
> > > > allow myapp_t *:dir { { getattr search open } };
> > > >
> > > > /usr/bin/checkmodule: error(s) encountered while parsing
> > > > configuration
> > > > /usr/share/selinux/devel/include/Makefile:154: recipe for target
> > > > 'tmp/myapp.mod' failed
> > > > make: *** [tmp/myapp.mod] Error 1
> > >
> > > I am running on Fedora 25.
> >
> > files_search_all(myapp_t)
> >
> >
>
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
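
Added example, not part of the original thread: a minimal policy module that replaces the two wildcard rules with the interfaces named in the replies. `myapp_t` comes from the thread; `myapp_exec_t`, the module version and the `application_domain()` declaration are assumptions made so the sketch is a complete module, and the attribute-based rules in the closing comment reflect upstream refpolicy as I understand it, so confirm them in the interface docs for your release.

```te
# myapp.te: constructed minimal module for illustration.
# myapp_exec_t and the version number are assumptions, not from the thread.
policy_module(myapp, 1.0.0)

type myapp_t;
type myapp_exec_t;
application_domain(myapp_t, myapp_exec_t)

# The rules from the thread, kept here as comments. checkmodule rejects
# a type wildcard in an allow rule with the error quoted in the thread.
#   allow myapp_t *:dir search_dir_perms;
#   allow myapp_t *:process signull;

# Search (getattr, search, open) on all directory types, as suggested
# in the first reply.
files_search_all(myapp_t)

# Send the null signal to every process domain, as suggested in the
# second reply.
domain_signull_all_domains(myapp_t)

# In upstream refpolicy these interfaces target type attributes rather
# than a wildcard (assumption: verify against your installed policy):
#   allow myapp_t file_type:dir search_dir_perms;
#   allow myapp_t domain:process signull;
# Calling the interfaces is preferable to writing these rules directly,
# because the interface also declares the attribute it requires.
```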