Re: using an interface defined in another loaded module

On 11/2/19 8:53 AM, zer0__0ne@xxxxxxxxxxx wrote:
> Hi Lukas
> 
> Thanks for the reply. I am following 'SELinux Cookbook'; the following is an excerpt from the book:
> 
> "The location of the interface definitions
> Whenever an SELinux policy module is built, the build system sources all interface files it finds at the following locations:
> • /usr/share/selinux/mcs/include/* or /usr/share/selinux/devel/include/* (depending on the Linux distribution)
> • The current working directory 
> The first location is where the interface files of all the SELinux modules provided by the Linux distribution are stored. The files are inside subdirectories named after particular categories (the reference policy calls these layers, but this is only used to make some structure amongst the definitions, nothing else) such as contrib/, system/, and roles/.
> 
> For local development of SELinux policies, this location is usually not writable. If we develop our own policy modules, then this would mean that none of the locally managed SELinux policy files can use interfaces of the other local interface files. The Makefile file, therefore, also sources all interface files it finds in the current working directory.
> "
> 
> According to the above, if I am developing two policies a and b (b uses a's interface):
> a.pp from sources a.if, a.te, a.fc  
> b.pp from sources b.if, b.te, b.fc, a.if
> 
> When I run make to compile b.pp, make fails with an error at b.te pointing to the domtrans macro of a.if. However, if I copy all of a's sources along with a.if, then I am able to compile b.pp. Is this expected?
> 

Hi,

Let's describe it with the following example:

You have 2 policies:

A: a.te, a.fc, a.if
B: b.te, b.fc, b.if

You successfully compile SELinux sources to SELinux module A.pp using:
# make -f /usr/share/selinux/devel/Makefile a.pp

This works because the A policy uses only system interfaces
(/usr/share/selinux/devel/include).

But the B policy also uses a macro defined in a.if, plus system
interfaces defined in /usr/share/selinux/devel/include. During
compilation all macros need to be extracted, and these macros are
searched for in /usr/share/selinux/devel/include and the current
directory, as you mentioned from the SELinux Cookbook.

So yes, if you're compiling the B policy, you need to have the a.if
interface file in the same directory as the B policy sources.

Is this clear, or am I missing something in your question?

Thanks,
Lukas.

> If only the a.if file is required, how do the a.if file's types get resolved when trying to compile b.pp, or do they not get resolved? Is there an online example where one policy uses the interface file of another policy?
> 
> zer0 0ne
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> 


-- 
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
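
The layout discussed in this thread, as an added example (not from the original messages, the book, or the selinux-policy project): module B's build directory holds a copy of a.if but no a.te, and a pre-build check lists any interface called from b.te that is defined neither there nor under the system include directory. The names a_t, a_exec_t, b_t, a_domtrans, write_sources and missing_interfaces are constructed for illustration. The types named in a.if's gen_require become requirements of b.pp, so a.pp has to be installed for b.pp to load.

```shell
#!/bin/sh
# Added example; a_t, a_exec_t, b_t and a_domtrans are constructed names.
DEVEL=/usr/share/selinux/devel

write_sources() {  # $1 = build directory for module B
    cat > "$1/a.if" <<'EOF'
## <summary>Constructed example module A</summary>
interface(`a_domtrans',`
	gen_require(`
		type a_t, a_exec_t;
	')
	domtrans_pattern($1, a_exec_t, a_t)
')
EOF
    cat > "$1/b.te" <<'EOF'
policy_module(b, 1.0.0)
type b_t;
a_domtrans(b_t)
EOF
    : > "$1/b.fc"; : > "$1/b.if"   # B has no file contexts or interfaces
}

missing_interfaces() {  # $1 = build dir, $2 = .te file, $3 = system include dir
    # Interface calls are lines of the form "name(args)"; skip build macros.
    sed -n 's/^[[:space:]]*\([a-z_][a-z0-9_]*\)(.*/\1/p' "$2" | sort -u |
    grep -vxE 'policy_module|gen_require|optional_policy|tunable_policy' |
    while read -r name; do
        # A definition looks like: interface(`name',` or template(`name',`
        grep -rqsF -- '(`'"$name""'," "$1"/*.if "$3" || echo "$name"
    done
}

dir=$(mktemp -d) && write_sources "$dir"
missing=$(missing_interfaces "$dir" "$dir/b.te" "$DEVEL/include")
if [ -n "$missing" ]; then
    echo "not found in $dir or $DEVEL/include: $missing"
elif [ -f "$DEVEL/Makefile" ]; then
    # Build only where the policy development Makefile is installed.
    make -C "$dir" -f "$DEVEL/Makefile" b.pp
fi
```

The check is a text match on interface definitions, so it only approximates what m4 does during the real build.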
