On Fri, 2016-02-26 at 14:50 -0500, James Carter wrote:
> On 02/26/2016 11:33 AM, Daniel J Walsh wrote:
> >
> > BTW I turned on the expand-check=1 in semanage.conf and semodule -B
> > went nuts and crashed.
> >
> > On this policy.
> >
> > policy_module(mypol, 1.0)
> >
> > require {
> >     type svirt_lxc_net_t;
> >     type docker_t;
> >     type svirt_sandbox_file_t;
> >     type unconfined_t;
> > }
> > allow unconfined_t svirt_sandbox_file_t:file entrypoint;
> > allow docker_t svirt_sandbox_file_t:file entrypoint;
> > typebounds unconfined_t docker_t;
> > typebounds docker_t svirt_lxc_net_t;
> >
>
> I thought that maybe the toolchain couldn't handle an A bounds B bounds C
> relationship, but current versions handle that just fine, and even versions back
> in June before I refactored the bounds checking could handle it. I only checked
> with checkpolicy and secilc, so there is a chance that something particular with
> modules caused this.
>
> I tried your module on Fedora 23 and the first bounds check fails. Nothing crazy
> happened though. I don't currently have a rawhide machine to try it on.
>

I guess unconfined_t also needs docker_exec_t as an entrypoint.

Still crashes.

Here is the output and strace.

# strace -o /tmp/strace semodule -B 2> /tmp/out
Attachment: strace.gz (application/gzip)
Attachment: out.gz (application/gzip)
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
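What the thread's "first bounds check fails" means in practice is worth seeing on a small scale. The rule behind `typebounds PARENT CHILD` is that every permission the child type holds on a given target type and object class must also be held by the parent; the check is run against the whole compiled policy, not just the module being inserted, which is why a module that only adds `entrypoint` on `svirt_sandbox_file_t` can still fail on a rule that appears nowhere in it. The script below is an added example written for this page, not code from the SELinux toolchain or from the thread. It implements that subset test over a toy policy: the four lines of Dan's module are taken verbatim, while the `BASE_RULES` block is a constructed, assumed stand-in for the relevant base-policy rules (it gives `docker_t` an entrypoint on `docker_exec_t` that `unconfined_t` lacks, the situation Dan's follow-up guesses at). Real checkpolicy/secilc additionally resolve attributes, conditional blocks and the full class/permission sets; this toy parser handles only plain `allow` and `typebounds` statements.

```python
"""Toy SELinux typebounds checker (added example, not toolchain code).

Handles only `allow SRC TGT:CLASS PERM;` / `allow SRC TGT:CLASS { P1 P2 };`
and `typebounds PARENT CHILD;` lines. Attributes, conditionals and the
rest of the policy language are out of scope.
"""
import re
from collections import defaultdict

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(.+?)\s*;$")
BOUNDS_RE = re.compile(r"^typebounds\s+(\S+)\s+(\S+)\s*;$")

# Constructed (assumed) stand-in for the base-policy rules that matter here.
BASE_RULES = """
allow docker_t docker_exec_t:file entrypoint;
allow docker_t svirt_sandbox_file_t:dir { read write };
allow unconfined_t svirt_sandbox_file_t:dir { read write };
allow svirt_lxc_net_t svirt_sandbox_file_t:dir { read };
"""

# The rules from the module posted in the thread (wrapper/require omitted).
MYPOL = """
allow unconfined_t svirt_sandbox_file_t:file entrypoint;
allow docker_t svirt_sandbox_file_t:file entrypoint;
typebounds unconfined_t docker_t;
typebounds docker_t svirt_lxc_net_t;
"""

# The extra rule Dan's follow-up suggests the module needs.
FIX = "allow unconfined_t docker_exec_t:file entrypoint;\n"


def parse_policy(text):
    """Return (allow, bounds).

    allow:  src -> {(target, class): set(perms)}
    bounds: child -> parent
    """
    allow = defaultdict(lambda: defaultdict(set))
    bounds = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            allow[src][(tgt, cls)].update(perms.strip("{} ").split())
            continue
        m = BOUNDS_RE.match(line)
        if m:
            parent, child = m.groups()
            bounds[child] = parent
    return allow, bounds


def check_bounds(allow, bounds):
    """Return [(child, parent, target, class, missing_perms), ...].

    For each typebounds pair, every (target, class, perm) the child holds
    must also be held by the parent. A chain A bounds B bounds C is simply
    two pairwise checks, which is all the rule requires.
    """
    violations = []
    for child, parent in bounds.items():
        child_rules = allow.get(child, {})
        parent_rules = allow.get(parent, {})
        for (tgt, cls), perms in child_rules.items():
            missing = perms - parent_rules.get((tgt, cls), set())
            if missing:
                violations.append((child, parent, tgt, cls, sorted(missing)))
    return violations


def run(extra=""):
    """Check Dan's module against the constructed base rules plus `extra`."""
    allow, bounds = parse_policy(BASE_RULES + MYPOL + extra)
    return check_bounds(allow, bounds)


if __name__ == "__main__":
    for child, parent, tgt, cls, missing in run():
        print(f"typebounds {parent} {child} fails: {child} has "
              f"{' '.join(missing)} on {tgt}:{cls}, {parent} does not")
    print("with fix:", run(FIX) or "no violations")
```

Running it as-is reports the `docker_exec_t:file entrypoint` gap between `docker_t` and `unconfined_t`; adding `FIX` clears it, and the second pair (`docker_t` bounds `svirt_lxc_net_t`) passes in both runs. The point for anyone debugging a real bounds failure is the same as in the toy: look at the bounded type's full rule set in the installed policy (for example with `sesearch`), not only at the module that introduced the `typebounds` line.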