Re: semodule -i error


 




>Wait - the error message you displayed listed "dbus_rpc_example_server"
>as the module name, not dbus_exe - so you aren't showing the module that
>is triggering the error.
 
Yes. They are different modules but they are giving the same error. This one gives:
 
[root@localhost shaunak]# semodule -i dbus_exe.pp
libsepol.print_missing_requirements: dbus_exe's global requirements were not
met: type/attribute resmgrd_var_run_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed
 
 
I have given the .te file for this as this is comparatively smaller than the other module. I'm sorry for that confusion.
 
> And I'm not sure what the purpose of this module
 
This is a sample program I have written to learn the policy writing. It calls some dbus APIs. It is working fine with the dbus. But now I want to test gconf. I'm working on making gconf-daemon a userspace object manager. For this I wanted to add gconf class and test it.
 
>Just in case it isn't clear though - you cannot add new classes/perms in
>a non-base module; they have to be defined in the base module.  A
>non-base module can only require them, not declare them.
 
How to declare them in base module? Sorry for the ignorance but don't really know how to do this.
 

 
On Fri, Aug 29, 2008 at 7:29 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:

On Fri, 2008-08-29 at 19:18 +0530, shaunak saha wrote:
>
> >So that's the problem - you didn't install it?  Or you didn't include it
> >in your base?
>
> No. I didn't install it, neither did anything to include it in
> base. Actually I'm not aware what this module is required for. Previously
> while inserting any module didn't get this error.
>
>
> >I think we'd have to see your module .te file
>
> This is my .te file
>
>  policy_module(dbus_exe,1.0.0)

Wait - the error message you displayed listed "dbus_rpc_example_server"
as the module name, not dbus_exe - so you aren't showing the module that
is triggering the error.  And I'm not sure what the purpose of this
module is, given that dbus already has a policy module.

> ########################################
> #
> # Declarations
> #
> require{
> type system_dbusd_t;
> class dbus acquire_svc;
> class dbus send_msg;
> class gconf set_value;
> }
> type dbus_exe_t;
> type dbus_exe_exec_t;
> domain_type(dbus_exe_t)
> init_daemon_domain(dbus_exe_t, dbus_exe_exec_t)
> domtrans_pattern(unconfined_t,dbus_exe_exec_t,dbus_exe_t)
> role unconfined_r types dbus_exe_t;
> ########################################
> #
> # dbus_exe local policy
> #
> # Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
> # Some common macros (you might be able to remove some)
> files_read_etc_files(dbus_exe_t)
> libs_use_ld_so(dbus_exe_t)
> libs_use_shared_libs(dbus_exe_t)
> miscfiles_read_localization(dbus_exe_t)
> dbus_system_bus_client_template(dbus_exe,dbus_exe_t)
> ## internal communication is often done using fifo and unix sockets.
> allow dbus_exe_t self:fifo_file { read write };
> allow dbus_exe_t self:unix_stream_socket create_stream_socket_perms;
> allow dbus_exe_t system_dbusd_t:dbus { send_msg };
> allow dbus_exe_t self:dbus {acquire_svc send_msg};
> allow dbus_exe_t self:chr_file {getattr read write};
> allow dbus_exe_t devpts_t:chr_file {getattr read write};
> allow dbus_exe_t self:process {signal};

Nothing above seems to have anything to do with resmgrd, and the policy
module name doesn't match, so I'm guessing this isn't the right file.

Just in case it isn't clear though - you cannot add new classes/perms in
a non-base module; they have to be defined in the base module.  A
non-base module can only require them, not declare them.

--
Stephen Smalley
National Security Agency
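
The requirement rule discussed in this thread, as an added example that is not part of the original messages and is not libsepol's code: a simplified model that reads the plain `require { ... }` block of a .te file and lists every required type, class or permission that a base-policy inventory does not declare. The inventory (`BASE_TYPES`, `BASE_CLASSES`) and the report strings are constructed assumptions; the .te sample is the require block quoted above.

```python
import re

# Constructed samples: the thread's require block and an assumed base-policy inventory.
TE_SOURCE = """
require{
type system_dbusd_t;
class dbus acquire_svc;
class dbus send_msg;
class gconf set_value;
}
"""
BASE_TYPES = {"system_dbusd_t", "unconfined_t", "devpts_t"}
BASE_CLASSES = {"dbus": {"acquire_svc", "send_msg"}}

def _record(stmt, types, classes):  # file one "type a;" or "class c p1 p2;" statement
    if stmt and stmt[0] in ("type", "attribute"):
        types.update(stmt[1:])
    elif len(stmt) > 1 and stmt[0] == "class":
        classes.setdefault(stmt[1], set()).update(stmt[2:])

def parse_requires(te_text):
    """Collect symbols named in plain require { ... } blocks (gen_require is not handled)."""
    toks = re.findall(r"[{};]|[^\s{};,]+", re.sub(r"#.*", "", te_text))
    types, classes, i = set(), {}, 0
    while i < len(toks):
        if toks[i] == "require" and toks[i + 1:i + 2] == ["{"]:
            i, depth, stmt = i + 2, 1, []
            while i < len(toks) and depth:
                if toks[i] in ("{", "}"):  # also covers "class c { p1 p2 };"
                    depth += 1 if toks[i] == "{" else -1
                elif toks[i] == ";":
                    _record(stmt, types, classes)
                    stmt = []
                else:
                    stmt.append(toks[i])
                i += 1
        else:
            i += 1
    return types, classes

def unmet(te_text, base_types, base_classes):
    """List required symbols that the base inventory does not declare."""
    types, classes = parse_requires(te_text)
    missing = [f"type/attribute {t}" for t in sorted(types - base_types)]
    for cls, perms in sorted(classes.items()):
        known = base_classes.get(cls)
        missing += ([f"class {cls}"] if known is None else
                    [f"permission {cls}:{p}" for p in sorted(perms - known)])
    return missing
```

With the constructed inventory, `unmet(TE_SOURCE, BASE_TYPES, BASE_CLASSES)` reports only `class gconf`, the class that the module requires but that no base module declares.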


