On 02/29/2016 11:27 AM, James Carter wrote:
On 02/26/2016 03:30 PM, Daniel J Walsh wrote:
On Fri, 2016-02-26 at 14:50 -0500, James Carter wrote:
On 02/26/2016 11:33 AM, Daniel J Walsh wrote:
BTW I turned on the expand-check=1 in semanage.conf and semodule -B
went nuts and crashed.
On this policy.
policy_module(mypol, 1.0)
require {
type svirt_lxc_net_t;
type docker_t;
type svirt_sandbox_file_t;
type unconfined_t;
}
allow unconfined_t svirt_sandbox_file_t:file entrypoint;
allow docker_t svirt_sandbox_file_t:file entrypoint;
typebounds unconfined_t docker_t;
typebounds docker_t svirt_lxc_net_t;
I thought that maybe the toolchain couldn't handle an A bounds B
bounds C
relationship, but current versions handle that just fine and even
versions back
in June before I refactored the bounds checking could handle it. I
only checked
with checkpolicy and secilc, so there is a chance that something
particular with
modules caused this.
I tried your module on Fedora 23 and the first bounds check fails.
Nothing crazy
happened though. I don't currently have a rawhide machine to try it
on.
I guess unconfined_t also needs docker_exec_t as an entrypoint.
Still crashes. Here is the output and strace.
# strace -o /tmp/strace semodule -B 2> /tmp/out
Is your policy available somewhere, so I can try to reproduce this?
Jim
It is just the rawhide policy, along with the rawhide docker-selinux
package.
Then add the policy module above.
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
