I installed the corresponding selinux-policy-devel rpm. I see
references to my class in
/usr/share/selinux/devel/include/support/all_perms.spt

Any other ideas on what to look at?

On Thu, Apr 17, 2008 at 10:29 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> On Thu, 2008-04-17 at 10:22 -0500, Xavier Toth wrote:
> > I appended the class declaration to the security_classes files.
> >
> > I have installed the new policy and libselinux. However now when
> > trying to use this new class in a te file the build fails with an
> > 'unknown class' error. Do I need to rebuild any other packages before
> > I can use this class? I tried rebuilding checkpolicy but that didn't
> > help.
>
> Rebuilding checkpolicy isn't necessary. In fact, you don't even really
> need the rebuilt libselinux if using the dynamic object class/permission
> discovery support, since that will map the class and permission strings
> to values via the kernel's selinuxfs interface.
>
> I'm guessing that you are trying to build a policy module using the
> policy headers provided by the Fedora policy rather than the ones
> provided by your rebuilt policy, and those headers lack the new
> definitions.
>
> >
> > On Thu, Apr 17, 2008 at 9:30 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > >
> > > On Thu, 2008-04-17 at 09:20 -0500, Xavier Toth wrote:
> > > > If the new security class is a userspace object manager related class
> > > > do I still need to rebuild the kernel?
> > >
> > > No. You should find that the regenerated kernel headers are no
> > > different, as they no longer include userspace classes (if annotated as
> > > such in the security_classes file).
> > >
> > > I assume though that you are adding your new class to the end of the
> > > security_classes list. Inserting a class before an existing one can
> > > perturb the values of the existing classes, which isn't a good idea
> > > (forbidden for kernel classes and any userspace object managers that use
> > > the old libselinux API; permissible for new userspace object classes
> > > when they use the dynamic class/permission discovery support but can
> > > still break running applications until we have support for remapping
> > > upon reload there).
> > >
> > > --
> > > Stephen Smalley
> > > National Security Agency
> >
> --
> Stephen Smalley
> National Security Agency
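
Added example, not part of the thread above: a small check for the point about appending versus inserting a class in security_classes, showing which existing class values move. The class list is a constructed sample and "myclass" is a hypothetical name; the only assumption is that class values follow declaration order starting at 1.

```python
import re

# Constructed sample in the security_classes format: one "class NAME" per line,
# with "# userspace" marking classes used only by userspace object managers.
OLD = """\
class security
class process
class file
class dbus            # userspace
class passwd          # userspace
"""
NEW_DECL = "class myclass         # userspace\n"   # hypothetical new class
APPENDED = OLD + NEW_DECL                           # added at the end of the list
INSERTED = OLD.replace("class dbus", NEW_DECL + "class dbus")  # added mid-list

CLASS_RE = re.compile(r"^\s*class\s+(\w+)\s*(#\s*userspace)?")

def parse_classes(text):
    """Map class name -> (value, is_userspace); values follow declaration order from 1."""
    classes = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            classes[m.group(1)] = (len(classes) + 1, bool(m.group(2)))
    return classes

def shifted_classes(old_text, new_text):
    """Return {name: (old_value, new_value, is_userspace)} for existing classes that moved."""
    old, new = parse_classes(old_text), parse_classes(new_text)
    return {name: (val, new[name][0], user)
            for name, (val, user) in old.items()
            if name in new and new[name][0] != val}

if __name__ == "__main__":
    for label, text in (("appended", APPENDED), ("inserted", INSERTED)):
        moved = shifted_classes(OLD, text)
        print(f"{label}: myclass={parse_classes(text)['myclass'][0]}, "
              f"{len(moved)} existing class value(s) changed")
        for name, (before, after, user) in moved.items():
            kind = "userspace" if user else "kernel"
            print(f"  {name} ({kind}): {before} -> {after}")
```

Running the same comparison between the old and new security_classes files before installing a rebuilt policy shows whether any existing class value would change.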