On 02/26/2016 11:33 AM, Daniel J Walsh wrote:
> BTW I turned on the expand-check=1 in semanage.conf and semodule -B went nuts and crashed. On this policy.
>
> policy_module(mypol, 1.0)
>
> require {
>         type svirt_lxc_net_t;
>         type docker_t;
>         type svirt_sandbox_file_t;
>         type unconfined_t;
> }
>
> allow unconfined_t svirt_sandbox_file_t:file entrypoint;
> allow docker_t svirt_sandbox_file_t:file entrypoint;
> typebounds unconfined_t docker_t;
> typebounds docker_t svirt_lxc_net_t;
I thought that maybe the toolchain couldn't handle an A bounds B bounds C relationship, but current versions handle that just fine and even versions back in June before I refactored the bounds checking could handle it. I only checked with checkpolicy and secilc, so there is a chance that something particular with modules caused this.
I tried your module on Fedora 23 and the first bounds check fails. Nothing crazy happened though. I don't currently have a rawhide machine to try it on.
--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
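Added example, not part of the original message and not libsepol's algorithm: a simplified Python model of a chained A bounds B bounds C check, in which a bounded type may hold no permission its bounding type lacks. The `relabelto` permission and the `svirt_lxc_net_t` rule are constructed stand-ins for base-policy rules the thread does not show, and the function names are hypothetical.

```python
# Simplified model of SELinux typebounds checking (illustration only, not
# libsepol's implementation): a bounded type may hold no permission that its
# bounding type lacks. Self rules and bounded target types are ignored here.

# "typebounds <bounding> <bounded>;" stored as bounded -> bounding.
# Both entries come from the module quoted in the message.
BOUNDS = {"docker_t": "unconfined_t", "svirt_lxc_net_t": "docker_t"}

# (source, target, class) -> permissions. The entrypoint rules for
# unconfined_t and docker_t come from the module; "relabelto" and the
# svirt_lxc_net_t rule are CONSTRUCTED stand-ins for base-policy rules.
ALLOW = {
    ("unconfined_t", "svirt_sandbox_file_t", "file"): {"entrypoint"},
    ("docker_t", "svirt_sandbox_file_t", "file"): {"entrypoint", "relabelto"},
    ("svirt_lxc_net_t", "svirt_sandbox_file_t", "file"): {"entrypoint"},
}


def bounds_chain(bounds, type_name):
    """Walk from a type up through its bounding types; raise on a cycle."""
    chain = [type_name]
    while chain[-1] in bounds:
        parent = bounds[chain[-1]]
        if parent in chain:
            raise ValueError("typebounds cycle at " + parent)
        chain.append(parent)
    return chain


def check_bounds(bounds, allow):
    """Return (bounded, bounding, target, class, missing_perms) violations."""
    violations = []
    for (source, target, tclass), perms in allow.items():
        parent = bounds.get(source)
        if parent is None:
            continue  # unbounded source type: nothing to check
        # Each link is checked against its direct bounding type only; the
        # chain holds transitively once every individual link passes.
        missing = perms - allow.get((parent, target, tclass), set())
        if missing:
            violations.append((source, parent, target, tclass, sorted(missing)))
    return sorted(violations)


if __name__ == "__main__":
    print(" <- ".join(bounds_chain(BOUNDS, "svirt_lxc_net_t")))
    for violation in check_bounds(BOUNDS, ALLOW):
        print("bounds violation:", violation)
```

With these constructed rules only the unconfined_t/docker_t link is reported; the docker_t/svirt_lxc_net_t link passes.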