Using Fedora 23 targeted policy.

Problem: When adding a new class via the CIL module listed below, the allow rule is not being resolved if the new class references a common set of permissions. Viewing with apol shows that the new class has been allocated the unique and common permissions; however, the allow rule is missing.

Note 1: If the 'all' expression is replaced in the 'classpermissionset' with the actual permissions, then the allow rule is resolved.

Note 2: If I use the latest 2.5 libsepol with the (classorder (unordered sctp_socket)) statement I get the same result.

The example CIL policy module is:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
(classorder (proxy sctp_socket))  ; 'proxy' is the last class defined in F-23
                                  ; and required when using libsepol 2.4
(classcommon sctp_socket socket)
(class sctp_socket (node_bind name_connect association bindx_add bindx_rem connectx peeloff set_addr set_params))
(classpermission sctp_socket_all_perms)
(classpermissionset sctp_socket_all_perms (sctp_socket (all)))
(allow unconfined_t self sctp_socket_all_perms)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

And is built with the following command:

semodule --priority 400 -i sctp_test_module.cil

Any ideas !!!

Richard
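Since the workaround in Note 1 is to spell out the permissions that '(all)' should cover (the class's own permissions plus those of its common), the following added example (not Richard's module or libsepol code) reads a CIL fragment and generates that explicit classpermissionset. It assumes a constructed '(common socket ...)' declaration standing in for the base policy's real one, which the module does not carry, and the helper names parse, resolve_all and rewrite are hypothetical.

```python
import re

# Constructed sample: the posted module plus a hypothetical (common socket ...)
# declaration; the real common lives in the base policy, not in this module.
SAMPLE_CIL = """
(common socket (ioctl read write create getattr setattr bind connect listen accept))
(classorder (proxy sctp_socket)) ; comments are stripped before tokenizing
(classcommon sctp_socket socket)
(class sctp_socket (node_bind name_connect association bindx_add bindx_rem
                    connectx peeloff set_addr set_params))
(classpermission sctp_socket_all_perms)
(classpermissionset sctp_socket_all_perms (sctp_socket (all)))
(allow unconfined_t self sctp_socket_all_perms)
"""

def parse(text):
    """Minimal s-expression reader: returns the list of top-level CIL statements."""
    tokens = re.findall(r"\(|\)|[^\s()]+", re.sub(r";[^\n]*", "", text))
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    return stack[0]

def resolve_all(statements):
    """Expand (all) in each classpermissionset to the class's own permissions
    followed by those inherited through classcommon. Returns name -> (class, perms)."""
    commons = {s[1]: s[2] for s in statements if s[0] == "common"}
    classes = {s[1]: s[2] for s in statements if s[0] == "class"}
    inherits = {s[1]: s[2] for s in statements if s[0] == "classcommon"}
    expanded = {}
    for s in statements:
        if s[0] != "classpermissionset":
            continue
        name, (cls, perms) = s[1], s[2]
        if perms == ["all"]:
            perms = list(classes[cls]) + list(commons.get(inherits.get(cls), []))
        expanded[name] = (cls, perms)
    return expanded

def rewrite(text):
    """Emit classpermissionset statements with (all) replaced by explicit permissions."""
    return "\n".join(
        f"(classpermissionset {name} ({cls} ({' '.join(perms)})))"
        for name, (cls, perms) in resolve_all(parse(text)).items()
    )
```

The emitted statement can be dropped into the module in place of the '(all)' form to reproduce the Note 1 workaround, and the permission list makes it easy to compare against what apol shows for the class.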