On Fri, 31 Mar 2023 at 15:53, Jonathan Strauss <john@xxxxxxxxxxxxxxxxx> wrote:
>
> James Carter wrote:
> > Jonathan Strauss wrote:
> > >
> > > I'm not sure if this is the right place to post this, I was writing a
> > > policy for an API gateway and couldn't figure out why I wasn't getting
> > > a domain transition. Turns out I was missing `type init_t;` in my
> > > require block in the type enforcement file, but the compiler did not
> > > complain about the missing type.
> > >
> > > Seems like it should have failed with the missing `type init_t;`
> > >
> >
> > It is hard to say what is going on without seeing the policy you were
> > trying to compile. Are you able to share it?
> > Jim
> >
>
> Apologies in advance if I mess up the formatting, looks like I am also
> missing another type `sysadm_t` (Still trying to understand the roles so
> it's a bit ugly) reproducer here:
>
> https://github.com/pss-john/se-missing-type

In your policy you are using the interface `init_daemon_domain()`, which
introduces via its requirements[1] the type `init_t`. So for the remaining
portions of the file `init_t` is in scope.

The following statements should be redundant by using init_daemon_domain():

    allow init_t gateway_exec_t : file { read getattr execute open } ;
    allow init_t gateway_t : process { transition siginh } ;
    type_transition init_t gateway_exec_t : process gateway_t;

The fact that the domain transition is not triggering means either the subject
process is not labeled init_t or the entry point is not labeled gateway_exec_t;
search for avc messages regarding the permission execute_no_trans.

[1]: https://github.com/SELinuxProject/refpolicy/blob/8e8f5e3ca3e5900cad126cb8b4fadaa8adb8caac/policy/modules/system/init.if#L343-L348
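The triage step the reply suggests (look for `execute_no_trans` AVC denials and check the labels involved), as an added example that is not part of the thread or of the reproducer repository. The audit lines are constructed for illustration; the `gateway_exec_t` / `init_t` names are the ones used in the thread.

```shell
#!/bin/sh
# Added example: find execute_no_trans denials and check whether the file
# context in them carries the expected entry-point type. A denial where the
# subject is init_t but the target file is not gateway_exec_t means the
# binary is mislabeled, so the type_transition rule can never fire.

# Constructed sample output, shaped like `ausearch -m avc -ts recent`.
SAMPLE_AVC='type=AVC msg=audit(1680270000.123:456): avc:  denied  { execute_no_trans } for  pid=1234 comm="(gateway)" path="/usr/bin/gateway" dev="vda1" ino=4242 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1680270001.001:457): avc:  denied  { read } for  pid=1235 comm="gateway" name="config" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Print "scontext tcontext path" for every execute_no_trans denial in $1.
find_no_trans() {
  printf '%s\n' "$1" | awk '
    /avc: *denied *[{] execute_no_trans [}]/ {
      src = ""; tgt = ""; p = "";
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) src = substr($i, 10);
        if ($i ~ /^tcontext=/) tgt = substr($i, 10);
        if ($i ~ /^path=/)     p   = substr($i, 6);
      }
      print src, tgt, p
    }'
}

# Return 0 if security context $1 carries type $2 (e.g. gateway_exec_t).
has_type() {
  case "$1" in *:"$2":*) return 0 ;; *) return 1 ;; esac
}

# Report each denial: is the subject init_t, and is the entry point labeled
# with the expected exec type? Prints one verdict line per denial.
explain_no_trans() { # $1 = audit text, $2 = expected entry-point type
  find_no_trans "$1" | while read -r src tgt path; do
    has_type "$src" init_t && s=ok || s=NOT_init_t
    has_type "$tgt" "$2" && t=ok || t="NOT_$2"
    printf 'subject=%s entrypoint=%s path=%s\n' "$s" "$t" "$path"
  done
}

# On a live system: explain_no_trans "$(ausearch -m avc -ts recent)" gateway_exec_t
```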