Just been testing the latest fix for expanding classmapping and found that if the classes are unique, then it works okay. If there are repeated classes then I get this error in the example below when the binary is being generated: "Type default labeling for class binder already specified" (class binder (impersonate call set_context_mgr transfer receive)) (class property_service (set)) (class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo)) (classpermissionset cps_zygote_1 (zygote (not (specifyids)))) ; This works fine in the defaultuser statement: (classmap single_set_classes (single_set)) (classmapping single_set_classes single_set ( (binder (all)) (property_service (set)) (zygote (not (specifycapabilities))) ) ) ; However with multiple classmapping secilc fails due to repeat classes: (classmap multiple_set_classes (set_1 set_2 set_3)) (classmapping multiple_set_classes set_1 ( (binder (all)) (property_service (set)) (zygote (not (specifycapabilities))) ) ) (classmapping multiple_set_classes set_2 ( (binder (impersonate call set_context_mgr transfer)) (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith)) ) ) (classmapping multiple_set_classes set_3 ( (cps_zygote_1) (binder (impersonate call set_context_mgr)) ) ) (defaultuser (single_set_classes) source) ; The defaulttype statement gives the following error: ;;; Type default labeling for class binder already specified (defaulttype (multiple_set_classes) target) ----- Original Message ----- > From: James Carter <jwcart2@xxxxxxxxxxxxx> > To: Dominick Grift <dominick.grift@xxxxxxxxx>; selinux <selinux@xxxxxxxxxxxxx> > Cc: > Sent: Friday, 16 May 2014, 15:38 > Subject: Re: secilc: classmappings do not work > > On 05/16/2014 10:20 AM, James Carter wrote: > >> >> Also note that currently classmaps cannot be used in nametypetransition, >> rangetransition, type_rule, roletransition, validatetrans, default_user, >> default_role, default_type, or default_range rules. >> > > I forgot to mention that I am currently working on this and should release a fix > > soon. > > > -- > James Carter <jwcart2@xxxxxxxxxxxxx> > National Security Agency > _______________________________________________ > Selinux mailing list > Selinux@xxxxxxxxxxxxx > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > To get help, send an email containing "help" to > Selinux-request@xxxxxxxxxxxxx. > _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
