On 03/29/2016 08:00 PM, Daniel J Walsh wrote:
> I investigated this a little further.
>

manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)

define(`manage_chr_files_pattern',`
	allow $1 self:capability mknod;
	allow $1 $2:dir rw_dir_perms;
	allow $1 $3:chr_file manage_chr_file_perms;
')

> If I write a policy file like
>
> ===============================================
> policy_module(container, 1.0)
> gen_require(`
>         attribute svirt_sandbox_domain;
> ')
>
> type foobar_t;
> domain_type(foobar_t)
> typeattribute foobar_t svirt_sandbox_domain;
> ===============================================
>
> I get
>
> sesearch -A -s foobar_t | grep capa
> allow foobar_t foobar_t : capability mknod ;
>
> If I remove the typeattribute line, foobar_t no longer has mknod.
>
> I think this is a compiler problem.
>
> On 03/29/2016 10:53 AM, Daniel J Walsh wrote:
>> When I compile and install this policy
>>
>> ---------------------------------------------------------------
>> # cat /tmp/container.te
>> policy_module(container, 1.0)
>>
>> virt_sandbox_domain_template(container)
>> ----------------------------------------------------------------
>>
>> I end up with mknod capability.
>>
>> sesearch -A -s container_t -t container_t -c capability
>> Found 1 semantic av rules:
>>    allow container_t container_t : capability mknod ;
>>
>> But I didn't add mknod to the policy.
>>
>> grep mknod tmp/container.tmp
>> class capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
>>
>> Any ideas?
>>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@xxxxxxxxxxxxx
>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
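An added illustration, not code from this thread or from the reference policy: a small Python model of the attribute expansion Dominick points at. A rule written against the attribute svirt_sandbox_domain (here, the `allow $1 self:capability mknod` inside manage_chr_files_pattern) is copied to every type that carries the attribute, which is why typeattribute alone is enough to give foobar_t mknod. The type/attribute tables and the extra "plain_t" domain are constructed for the example.

```python
# Constructed model of SELinux attribute expansion; not the real policy compiler.
from collections import defaultdict

# Attributes each domain type carries (via typeattribute / domain_type()).
TYPE_ATTRS = {
    "foobar_t": {"domain", "svirt_sandbox_domain"},
    "container_t": {"domain", "svirt_sandbox_domain"},
    "plain_t": {"domain"},  # constructed: a domain that never got the attribute
}

# Allow rules as written in policy source: (source, target, class, perms).
# Source or target may be an attribute; "self" means the expanded source type.
# The first three mirror manage_chr_files_pattern(svirt_sandbox_domain,
# svirt_sandbox_file_t, svirt_sandbox_file_t); the last is a direct grant.
RULES = [
    ("svirt_sandbox_domain", "self", "capability", {"mknod"}),
    ("svirt_sandbox_domain", "svirt_sandbox_file_t", "dir",
     {"read", "write", "add_name", "remove_name"}),
    ("svirt_sandbox_domain", "svirt_sandbox_file_t", "chr_file",
     {"create", "read", "write", "unlink"}),
    ("foobar_t", "self", "capability", {"setuid"}),
]

def members(name):
    """Types carrying attribute `name`; a plain type expands to itself."""
    found = {t for t, attrs in TYPE_ATTRS.items() if name in attrs}
    return found or {name}

def expand(rules=RULES):
    """Expand attribute rules into per-type rules, the form sesearch shows."""
    out = defaultdict(set)
    for src, tgt, cls, perms in rules:
        for s in members(src):
            for t in ({s} if tgt == "self" else members(tgt)):
                out[(s, t, cls)] |= perms
    return dict(out)

def capability_origins(domain, rules=RULES):
    """Map each self:capability `domain` holds to the sources that grant it."""
    origins = defaultdict(set)
    for src, tgt, cls, perms in rules:
        if cls == "capability" and tgt == "self" and domain in members(src):
            for p in perms:
                origins[p].add(src)
    return dict(origins)

def inherited_only(domain, rules=RULES):
    """Capabilities `domain` holds solely because of an attribute it carries."""
    return {p for p, srcs in capability_origins(domain, rules).items()
            if domain not in srcs}
```

Running `inherited_only("foobar_t")` reports mknod as coming only from svirt_sandbox_domain, which is the check to run before attaching a reference-policy attribute to a new domain.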