On Thu, Apr 17, 2008 at 10:59 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > > On Thu, 2008-04-17 at 10:55 -0500, Xavier Toth wrote: > > I installed the corresponding selinux-policy-devel rpm. I see > > references to my class in > > /usr/share/selinux/devel/include/support/all_perms.spt Any other ideas > > on what to look at? > > (don't top-post, and don't trim the cc list, please) > > At this point I need to see a copy of the .te file and the precise > output from the failed build. > > > > > On Thu, Apr 17, 2008 at 10:29 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > > > > > > On Thu, 2008-04-17 at 10:22 -0500, Xavier Toth wrote: > > > > I appended the class declaration to the security_classes files. > > > > > > > > I have installed the new policy and libselinux. However now when > > > > trying to use this new class in a te file the build fails with an > > > > 'unknown class' error. Do I need to rebuild any other packages before > > > > I can use this class? I tried rebuilding checkpolicy but that didn't > > > > help. > > > > > > Rebuilding checkpolicy isn't necessary. In fact, you don't even really > > > need the rebuilt libselinux if using the dynamic object class/permission > > > discovery support, since that will map the class and permission strings > > > to values via the kernel's selinuxfs interface. > > > > > > I'm guessing that you are trying to build a policy module using the > > > policy headers provided by the Fedora policy rather than the ones > > > provided by your rebuilt policy, and those headers lack the new > > > definitions. > > > > > > > > > > > > > > On Thu, Apr 17, 2008 at 9:30 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > > > > > > > > > > On Thu, 2008-04-17 at 09:20 -0500, Xavier Toth wrote: > > > > > > If the new security class is a userspace object manager related class > > > > > > do I still need to rebuild the kernel? > > > > > > > > > > No. You should find that the regenerated kernel headers are no > > > > > different, as they no longer include userspace classes (if annotated as > > > > > such in the security_classes file). > > > > > > > > > > I assume though that you are adding your new class to the end of the > > > > > security_classes list. Inserting a class before an existing one can > > > > > perturb the values of the existing classes, which isn't a good idea > > > > > (forbidden for kernel classes and any userspace object managers that use > > > > > the old libselinux API; permissible for new userspace object classes > > > > > when they use the dynamic class/permission discovery support but can > > > > > still break running applications until we have support for remapping > > > > > upon reload there). > > > > > > > > > > -- > > > > > > > > > > > > > > > Stephen Smalley > > > > > National Security Agency > > > > > > > > > > > > > -- > > > > > > > > > Stephen Smalley > > > National Security Agency > > > > > > > -- > > > Stephen Smalley > National Security Agency > > I use gmail This te file is not the finally resting place for copy/paste policy simply a convenient place to try out the class. [tedx@comms hack-policy]$ make rebuild rm -f /home/tedx/src2/Linux_i386/OED/policy/hack-policy.pp rm -f *.CKP *.ln *.o core errs ,* *~ .emacs_* tags TAGS make.log *.i if [ ! -d /usr/share/selinux/devel/include/jcdx ]; then \ sudo mkdir /usr/share/selinux/devel/include/jcdx; \ sudo chmod 777 /usr/share/selinux/devel/include/jcdx; \ fi; \ cp hack-policy.if /usr/share/selinux/devel/include/jcdx; rm -f /usr/share/selinux/devel/include/jcdx/hack-policy.if make -f /usr/share/selinux/devel/Makefile make[1]: Entering directory `/home/tedx/src2/hack-policy' Compiling mls hack-policy module /usr/bin/checkmodule: loading policy configuration from tmp/hack-policy.tmp hack-policy.te":30:ERROR 'unknown class x_application_data used in rule' at token ';' on line 3343: allow x_rootwindow_t self:x_application_data paste_without_confirm; ; /usr/bin/checkmodule: error(s) encountered while parsing configuration make[1]: *** [tmp/hack-policy.mod] Error 1 make[1]: Leaving directory `/home/tedx/src2/hack-policy' make: *** [progs] Error 2
Attachment:
hack-policy.te
Description: Binary data
