On 03/17/2016 04:25 PM, Richard Haines wrote:
> Using Fedora 23 targeted policy.
>
> Problem: When adding a new class via the CIL module listed below,
> the allow rule is not being resolved if the new class references a
> common set of permissions.
>
> Viewing with apol shows that the new class has been allocated the
> unique and common permissions, however the allow rule is missing.
>
> Note 1: If the 'all' expression is replaced in the
> 'classpermissionset' with the actual permissions, then the allow
> rule is resolved.
>
> Note 2: If I use the latest 2.5 libsepol with the (classorder
> (unordered sctp_socket)) statement I get the same result.
>
> The example CIL policy module is:
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> (classorder (proxy sctp_socket)) ; 'proxy' is the last class defined in F-23
> ; and required when using libsepol 2.4
>
> (classcommon sctp_socket socket)
> (class sctp_socket (node_bind name_connect association bindx_add
> bindx_rem connectx peeloff set_addr set_params))
>
> (classpermission sctp_socket_all_perms)
> (classpermissionset sctp_socket_all_perms (sctp_socket (all)))
>
> (allow unconfined_t self sctp_socket_all_perms)
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
>
> And is built with the following command:
>
> semodule --priority 400 -i sctp_test_module.cil

Maybe it is related to semodule?

Seems to work fine when tested with DSS P:
https://www.youtube.com/watch?v=NYMoPUNTqes

[root@void kcinimod]# rpm -qa | grep libselinux
libselinux-2.4-4.fc23.x86_64
libselinux-utils-2.4-4.fc23.x86_64
libselinux-python3-2.4-4.fc23.x86_64
libselinux-2.4-4.fc23.i686
[root@void kcinimod]# rpm -qa | grep libsepol
libsepol-2.5-9999.gitb3b5ede.fc24.x86_64
[root@void kcinimod]# rpm -qa | grep setools
setools-4.0-9999.gitac4f846.fc23.x86_64
setools-gui-4.0-9999.gitac4f846.fc23.x86_64
[root@void kcinimod]# rpm -qa | grep secilc
secilc-2.5-9999.gitb3b5ede.fc24.x86_64

>
> Any ideas !!!
>
> Richard
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
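
An added example, not part of the thread or of any SELinux tooling: a small resolver that expands the `(all)` expression in the module above into the allow rule one would expect to find in the compiled policy, so it can be compared with what apol shows. The function names are hypothetical, and the `(common socket ...)` permission list is a constructed abbreviation of what the base policy would supply.

```python
import re

# Constructed input: the module from the post, plus an abbreviated
# (common socket ...) statement standing in for the base policy's definition.
SAMPLE_CIL = """
(common socket (ioctl read write create bind connect))
(classcommon sctp_socket socket)
(class sctp_socket (node_bind name_connect association bindx_add
    bindx_rem connectx peeloff set_addr set_params))
(classpermission sctp_socket_all_perms)
(classpermissionset sctp_socket_all_perms (sctp_socket (all)))
(allow unconfined_t self sctp_socket_all_perms)
"""

def parse(text):
    """Parse CIL S-expressions into nested lists, dropping ';' comments."""
    text = re.sub(r";[^\n]*", "", text)
    stack = [[]]
    for tok in re.findall(r"[()]|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return stack[0]

def expected_allows(text):
    """Return {(source, target, class): sorted perms} for named permission sets."""
    stmts = parse(text)
    defs = {"common": {}, "class": {}, "classcommon": {}}
    for s in stmts:
        if s[0] in defs:
            defs[s[0]][s[1]] = s[2]
    sets, rules = {}, {}
    for s in stmts:
        if s[0] == "classpermissionset":
            cls, perms = s[2]
            if perms == ["all"]:  # 'all' = unique perms + inherited common perms
                common = defs["classcommon"].get(cls)
                perms = defs["class"][cls] + defs["common"].get(common, [])
            sets.setdefault(s[1], []).append((cls, perms))
    for s in stmts:
        if s[0] == "allow" and isinstance(s[3], str):
            for cls, perms in sets.get(s[3], []):
                rules[(s[1], s[2], cls)] = sorted(perms)
    return rules
```
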