On 03/17/2016 11:25 AM, Richard Haines wrote:
> Using Fedora 23 targeted policy.
>
> Problem: When adding a new class via the CIL module listed below, the allow
> rule is not being resolved if the new class references a common set of
> permissions.
>
> Viewing with apol shows that the new class has been allocated the unique and
> common permissions; however, the allow rule is missing.
>
> Note 1: If the 'all' expression is replaced in the 'classpermissionset' with
> the actual permissions, then the allow rule is resolved.
>
> Note 2: If I use the latest 2.5 libsepol with the
> (classorder (unordered sctp_socket)) statement I get the same result.
>
> The example CIL policy module is:
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> (classorder (proxy sctp_socket)) ; 'proxy' is the last class defined in F-23
>                                  ; and required when using libsepol 2.4
>
> (classcommon sctp_socket socket)
> (class sctp_socket (node_bind name_connect association bindx_add bindx_rem
>     connectx peeloff set_addr set_params))
>
> (classpermission sctp_socket_all_perms)
> (classpermissionset sctp_socket_all_perms (sctp_socket (all)))
>
> (allow unconfined_t self sctp_socket_all_perms)
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
>
> And is built with the following command:
>
> semodule --priority 400 -i sctp_test_module.cil
>
> Any ideas !!!
> Richard

I am able to reproduce the issue. Looking into it now.

Thanks,
- Steve

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
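An added example, not from the thread or from the SELinux project, that mechanises the workaround from Note 1: it parses the CIL module and rewrites the `(all)` expression in the `classpermissionset` into the explicit union of the class's own permissions and the common set it inherits, so the module no longer depends on `(all)` resolving. The `common socket` permission list embedded here is an assumption (the refpolicy list of that era) and should be checked against the installed base policy; the function names are mine.

```python
import re

# Constructed sample: the CIL module from the post (comments dropped) plus an
# assumed 'common socket' definition taken from refpolicy of that era; check
# the permission list against the installed base policy before relying on it.
MODULE = """(classorder (proxy sctp_socket))
(classcommon sctp_socket socket)
(class sctp_socket (node_bind name_connect association bindx_add bindx_rem
                    connectx peeloff set_addr set_params))
(classpermission sctp_socket_all_perms)
(classpermissionset sctp_socket_all_perms (sctp_socket (all)))
(allow unconfined_t self sctp_socket_all_perms)"""
BASE_COMMONS = """(common socket (ioctl read write create getattr setattr lock
    relabelfrom relabelto append bind connect listen accept getopt setopt
    shutdown recvfrom sendto recv_msg send_msg name_bind))"""

def parse(text):
    """Turn CIL text into nested Python lists; ';' comments are dropped."""
    stack, cur = [], []
    for tok in re.findall(r"\(|\)|[^\s()]+", re.sub(r";[^\n]*", "", text)):
        if tok == "(":
            stack.append(cur)
            cur = []
        elif tok == ")":
            inner, cur = cur, stack.pop()
            cur.append(inner)
        else:
            cur.append(tok)
    return cur

def unparse(node):
    """Serialise a parsed node back to CIL text."""
    return node if isinstance(node, str) else "(" + " ".join(map(unparse, node)) + ")"

def expand_all(text=MODULE, commons=BASE_COMMONS):
    """Rewrite (classpermissionset NAME (CLS (all))) into the explicit union
    of CLS's inherited common permissions and its own ones (Note 1 workaround)."""
    stmts = parse(commons) + parse(text)
    common = {s[1]: s[2] for s in stmts if s[0] == "common"}
    own = {s[1]: s[2] for s in stmts if s[0] == "class"}
    inherit = {s[1]: s[2] for s in stmts if s[0] == "classcommon"}
    out = []
    for s in parse(text):
        if s[0] == "classpermissionset" and s[2][1] == ["all"]:
            cls = s[2][0]
            perms = common.get(inherit.get(cls), []) + own.get(cls, [])
            s = [s[0], s[1], [cls, perms]]
        out.append(unparse(s))
    return "\n".join(out)
```

Writing the returned text to a `.cil` file and loading it with `semodule -i` gives a module whose allow rule does not rely on `(all)` being resolved against the common set.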