Hi all,

we're trying to set up a JBoss module. As you probably know, JBoss needs Java and vice versa. For this we created a .te and an .if. Part of the .if is an interface to allow writing log files. Relevant part:

########################################
## <summary>
##      Allow the specified domain to
##      write jboss log files
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`jboss_write_log',`
        gen_require(`
                type jboss_log_t;
        ')

        logging_search_logs($1)
        allow $1 jboss_log_t:dir list_dir_perms;
        allow $1 jboss_log_t:dir rw_dir_perms;
        allow $1 jboss_log_t:file read_file_perms;
        write_files_pattern($1,jboss_log_t,jboss_log_t);
        allow $1 jboss_log_t:dir search_dir_perms;
        allow $1 jboss_log_t:dir getattr_dir_perms;
')

However, when compiling this module, it all fails at "allow $1 jboss_log_t:dir list_dir_perms;" with this error:

Compiling targeted base module
/usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
policy/modules/apps/java.te:22:ERROR 'unknown type jboss_log_t' at token ';' on line 491016:
#line 22
        allow java_t jboss_log_t:dir { getattr search read lock ioctl };
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1

Just to try, we declared "type jboss_log_t;" before logging_search_logs and after the gen_require. After this I was able to compile the module (but did run into other problems)...

So, I believe I have a scoping issue; gen_require checks (and finds) jboss_log_t. But as soon as someone tries to use jboss_log_t in the interface, it breaks.

To make everything clear: we changed java.te and added:

#Java needs access to jboss_log_t
jboss_write_log(java_t);

What am I doing wrong here?

Cheers,
Bart