using an interface defined in another loaded module

Dear Members,

My new topic is slightly related to my last message.
Since then I managed to sort things out, and my new policy seems to work fine, at least as far as I was able to test it.

My current situation is the following:
I had a policy that I created for the main application "A" a while ago. Now I am creating a policy for a submodule of application "A", called "B" for the sake of illustrating it.
"B" is a separate helper application that communicates with "A", but "A" can perfectly work without "B" being in use.

In this situation it makes sense to create a separate policy for "A" and "B".

Now, if submodule "B" is in use, then I would need to make use of some interfaces, defined in the SELinux policy of "B", within the policy belonging to "A".
Now how should I do this? I tried googling around for a few hours, but practically found no examples of this on the web.

The policy module of "B" is built and loaded first, and when I'm compiling the now extended policy of "A", I get the following:

Compiling targeted syslog_ng module
/usr/bin/checkmodule:  loading policy configuration from tmp/A.tmp
A.te:5:ERROR 'syntax error' at token 'transition_to_B_t' on line 3212:
transition_to_B_t(A_t)

/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/A.mod] Error 1


How do I need to reference the interface defined in another module, that is already loaded, when trying to use it?

Currently this is the interface file of policy module "B":
=================================================================================
########################################
## <summary>
##      Allow the specified program domain
##      to manage the B socket.
## </summary>
## <param name="domain">
##      <summary>
##      The type of the process for which
##      to allow managing the socket
##      </summary>
## </param>
#
interface(`B_sock_manage', `
  gen_require(`
    type B_t, B_sock_t;
  ')
  manage_sock_files_pattern($1, B_sock_t, B_sock_t)
')


########################################
## <summary>
##      Allow the specified program domain
##      to transition to B_t through the entry point.
## </summary>
## <param name="domain">
##      <summary>
##      The type of the process for which to allow transitioning to B_t
##      </summary>
## </param>
#
interface(`transition_to_B_t',`
        gen_require(`
                type B_t, B_exec_t;
        ')

        domtrans_pattern($1, B_exec_t, B_t)
')


########################################
## <summary>
##      Allow the specified program domain
##      to read B_exec_t files.
## </summary>
## <param name="domain">
##      <summary>
##      The type of the process for which to allow read access
##      to B_exec_t
##      </summary>
## </param>
#
interface(`read_B_exec_t',`
        gen_require(`
                type B_exec_t;
        ')

        allow $1 B_exec_t:lnk_file { read };
        allow $1 B_exec_t:file { read };
')
=================================================================================


And this is the way I am trying to access it from the policy module of "A":
=================================================================================
transition_to_B_t(A_t)
B_sock_manage(A_t)
filetrans_pattern(A_t, A_var_run_t, B_sock_t, sock_file, "B.sock")
read_B_exec_t(A_t)
=================================================================================

I would be thankful for any suggestions for this!
Thanks for your help in advance!

Best Regards,
János Szigetvári

--
Janos SZIGETVARI
RHCE, License no. 150-053-692

LinkedIn: linkedin.com/in/janosszigetvari
E-mail: janos@szigetvari.com, jszigetvari@gmail.com
Phone: +36209440412 (Hungary)

__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
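
Added example, not part of the original message or of any project's code: SELinux interfaces are m4 macros that the policy build expands from .if files before checkmodule runs, so a call whose definition the build cannot read reaches checkmodule as a bare token. The sketch below lists such calls in a .te file; the sample A.te, B.if and support-macro texts are constructed from the names in the post, and the function names and the BUILTINS list are assumptions.

```python
import re

# m4 definitions as found in .if / .spt files: interface(`name', template(`name', define(`name'
DEF_RE = re.compile(r"^\s*(?:interface|template|define)\(`(\w+)'", re.M)
# A macro-style call at the start of a .te line: name(...)
CALL_RE = re.compile(r"\s*(\w+)\(")
# Build-system macros that look like calls but are not interfaces (partial list, assumption)
BUILTINS = {"policy_module", "gen_require", "optional_policy", "tunable_policy"}

# Constructed sample: A.te reduced to declarations plus the four lines from the post
A_TE = """policy_module(A, 1.0.0)
type A_t;
type A_var_run_t;
transition_to_B_t(A_t)
B_sock_manage(A_t)
filetrans_pattern(A_t, A_var_run_t, B_sock_t, sock_file, "B.sock")
read_B_exec_t(A_t)
"""
# Constructed sample: B.if reduced to the three interface headers from the post
B_IF = """interface(`B_sock_manage', `
')
interface(`transition_to_B_t',`
')
interface(`read_B_exec_t',`
')
"""
# Constructed stand-in for the support macros shipped with the policy headers
SUPPORT_SPT = "define(`filetrans_pattern',`')\ndefine(`domtrans_pattern',`')\n"

def defined_macros(sources):
    """Names of every macro defined in the given .if/.spt texts."""
    return {name for text in sources for name in DEF_RE.findall(text)}

def unresolved_calls(te_text, sources):
    """(line, name) for each call in the .te that no visible source defines."""
    known = defined_macros(sources) | BUILTINS
    missing = []
    for lineno, line in enumerate(te_text.splitlines(), 1):
        m = CALL_RE.match(line.split("#", 1)[0])  # ignore trailing comments
        if m and m.group(1) not in known:
            missing.append((lineno, m.group(1)))
    return missing

if __name__ == "__main__":
    # B.if not readable by the build: the calls reach checkmodule unexpanded
    print(unresolved_calls(A_TE, [SUPPORT_SPT]))
    # B.if readable by the build: every call resolves
    print(unresolved_calls(A_TE, [SUPPORT_SPT, B_IF]))
```

The first name reported without B.if is the same token the checkmodule error in the post stops on.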