How do I create an initial policy for a new app?
Daniel J Walsh
dwalsh at redhat.com
Fri Mar 6 13:30:11 UTC 2009
Brian Ginn wrote:
> Using the polgengui, I get an error that the type is unknown (see below).
>
> I compared the generated files to /usr/share/selinux/devel/example.*
>
> I can see that I need to add the initial type myapp2_t;
>
> ... there are some other differences. For example:
>
> Polgengui's myapp2.te:
>
> corecmd_executable_file(pbrun_exec_t)
>
> example.te:
>
> domain_type(myapp_t)
> domain_entry_file(myapp_t, myapp_exec_t)
>
> Do these accomplish essentially the same thing?
>
Not really. corecmd_executable_file just identifies the label as being an
executable, which lots of apps will be allowed to execute without a
transition.

domain_type identifies the label as something that applies to a process;
domain_entry_file says that you can start a process labeled myapp_t by
executing an executable labeled myapp_exec_t. BUT you still need to
write a transition rule, like

domtrans_pattern(unconfined_t, myapp_exec_t, myapp_t)

which would say that when a process labeled unconfined_t executes an
executable labeled myapp_exec_t, it will transition to a process labeled
myapp_t.
>
> Thanks,
>
> Brian
>
> + . ./myapp2.sh
> ++ set -x
> ++ make -f /usr/share/selinux/devel/Makefile
> Compiling targeted myapp2 module
> /usr/bin/checkmodule: loading policy configuration from tmp/myapp2.tmp
> myapp2.te:22:ERROR 'unknown type myapp2_t' at token ';' on line 83532:
> allow myapp2_t myapp2_rw_t:file { create getattr setattr read write append rename link unlink ioctl lock };
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/myapp2.mod] Error 1
> ++ /usr/sbin/semodule -i myapp2.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp2_t system_chkpwd_t:process { transition };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp2_t updpwd_t:process { transition };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow system_chkpwd_t myapp2_t:process { sigchld };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow updpwd_t myapp2_t:process { sigchld };
> libsepol.check_assertions: 4 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> /usr/sbin/semodule: Failed!
> ++ /sbin/restorecon -F -R -v /usr/local/bin/myapp2
> /sbin/restorecon reset /usr/local/bin/myapp2 context system_u:object_r:bin_t:s0->system_u:object_r:bin_t:s0
> ++ /sbin/restorecon -F -R -v /etc/pb.settings
> /sbin/restorecon reset /etc/pb.settings context system_u:object_r:etc_t:s0->system_u:object_r:etc_t:s0
> ++ /usr/sbin/semanage port -a -t myapp2_port_t -p tcp 23000
> libsepol.context_from_record: type myapp2_port_t is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.port_from_record: could not create port structure for range 23000:23000 (tcp)
> libsepol.sepol_port_modify: could not load port range 23000 - 23000 (tcp)
> libsemanage.dbase_policydb_modify: could not modify record value
> libsemanage.semanage_base_merge_components: could not merge local modifications into policy
> /usr/sbin/semanage: Could not add port tcp/23000
> ++ echo -ne '\033]0;root at localhost:~'
> [root at localhost ~]#
>
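As an added worked example (not code from either poster, nor from polgengui), here is a complete myapp2.te that fills the three gaps the trace above exposes: the missing `type myapp2_t;` declaration that checkmodule reports at myapp2.te:22, the undeclared myapp2_port_t that makes `semanage port -a` fail, and the domain_type / domain_entry_file / domtrans_pattern trio Dan describes. Interface and macro names are those of the Fedora reference policy that ships in selinux-policy-devel; myapp2_rw_t and the TCP port 23000 are taken from the trace, and every rule beyond those is an assumption about what a small TCP daemon launched from a root shell would need. The `role unconfined_r types` line is my addition: domtrans_pattern alone does not put myapp2_t in the unconfined role, and without it the exec is refused for an invalid context.

```selinux
policy_module(myapp2, 1.0.0)

########################################
#
# Declarations
#

# Process domain. This is the declaration the generated .te lacked;
# without it checkmodule stops at the first rule naming myapp2_t with
# "unknown type myapp2_t".
type myapp2_t;

# Entry-point executable label for /usr/local/bin/myapp2.
type myapp2_exec_t;

# domain_type() attaches the "domain" attribute every process type must
# carry; domain_entry_file() pairs the domain with its entry point.
# corecmd_executable_file() would only mark the file as a generic
# executable and gives you neither.
domain_type(myapp2_t)
domain_entry_file(myapp2_t, myapp2_exec_t)

# Data the daemon reads and writes (the type named in the failing rule).
type myapp2_rw_t;
files_type(myapp2_rw_t)

# Port type used later by: semanage port -a -t myapp2_port_t -p tcp 23000
# Declaring it here is what makes that command succeed.
type myapp2_port_t;
corenet_port(myapp2_port_t)

########################################
#
# myapp2 local policy (assumed needs of a small TCP daemon)
#

allow myapp2_t self:fifo_file rw_fifo_file_perms;
allow myapp2_t self:unix_stream_socket create_stream_socket_perms;
allow myapp2_t self:tcp_socket create_stream_socket_perms;

manage_dirs_pattern(myapp2_t, myapp2_rw_t, myapp2_rw_t)
manage_files_pattern(myapp2_t, myapp2_rw_t, myapp2_rw_t)

corenet_all_recvfrom_unlabeled(myapp2_t)
corenet_tcp_sendrecv_generic_if(myapp2_t)
corenet_tcp_sendrecv_generic_node(myapp2_t)
corenet_tcp_bind_generic_node(myapp2_t)
allow myapp2_t myapp2_port_t:tcp_socket name_bind;

########################################
#
# Transition from the unconfined shell, as described in the reply:
# unconfined_t executes myapp2_exec_t -> process runs as myapp2_t.
# Wrapped in optional_policy because the unconfined module may be absent.
#

optional_policy(`
	gen_require(`
		type unconfined_t;
		role unconfined_r;
	')

	domtrans_pattern(unconfined_t, myapp2_exec_t, myapp2_t)
	# Without this the new type is not valid for the caller's role.
	role unconfined_r types myapp2_t;
')
```

Pair it with a myapp2.fc containing `/usr/local/bin/myapp2 -- gen_context(system_u:object_r:myapp2_exec_t,s0)`, then run `make -f /usr/share/selinux/devel/Makefile`, `semodule -i myapp2.pp`, `semanage port -a -t myapp2_port_t -p tcp 23000` and `restorecon -v /usr/local/bin/myapp2`, in that order. The trace above shows restorecon leaving the binary at bin_t, which is exactly what you see when the module never installed and the policy has no myapp2_exec_t mapping for that path. Two quick checks before trusting the result: `seinfo -t myapp2_t` should list the type, and `sesearch -T -s unconfined_t -t myapp2_exec_t -c process` should print the transition. The four neverallow assertion failures in the trace are consistent with a myapp2_t that had no domain attribute being granted process:transition; domain_type() is what supplies that attribute, but that reading is mine, not something the log states.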