full_user_role macro not working as expected
Stephen Smalley
sds at tycho.nsa.gov
Fri Jun 10 12:39:28 UTC 2005
On Thu, 2005-06-09 at 13:28 -0700, Jeremy Utley wrote:
> The current problem:
> According to the policy writing docs, a role should be created via the
> full_user_role() macro. So, in domains/misc/custom_policy.te, I
> placed the following line (along with other custom rules that have
> already been compiled successfully and work):
>
> full_user_role(privileged)
In order to support role changes via newrole, you need some further
rules. These are defined in the role_tty_type_change() macro defined in
domains/user.te, which means that you presently have to add rules to
domains/user.te; that macro definition should likely be moved to
base_user_macros.te or user_macros.te so that it can be used elsewhere.
If you want the role to be able to use userhelper, sudo, or su, you also
need to include reach_sysadm(privileged); that macro is also presently
defined in domains/user.te and should likely be moved to user_macros.te
or base_user_macros.te.
> Now, when trying to compile the policy after that, I get the following error:
>
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> domains/misc/custom_policy.te:13:ERROR 'unknown type
> privileged_userhelper_t' at token ';' on line 115000:
> #line 13
> allow privileged_mozilla_t privileged_userhelper_t:process transition;
> /usr/bin/checkpolicy: error(s) encountered while parsing configuration
> make: *** [/etc/selinux/strict/policy/policy.18] Error 1
That's a bug in mozilla_macros.te, already removed in the
FC4/development strict policy. Remove the userhelper transition from
it:
--- macros/program/mozilla_macros.te.orig 2005-06-10 08:37:54.636627280 -0400
+++ macros/program/mozilla_macros.te 2005-06-10 08:38:11.886004976 -0400
@@ -116,9 +116,6 @@
dontaudit $1_mozilla_t file_type:dir getattr;
allow $1_mozilla_t self:sem create_sem_perms;
-ifdef(`userhelper.te', `
-domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
-')
dontaudit $1_mozilla_t selinux_config_t:dir search;
#
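Review bot: dropping the `-ifdef(`userhelper.te', `` / `-domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)` pair is the right fix, but the hunk is worth a one-line comment on why the guard was not enough: ifdef(`userhelper.te') only tests whether the userhelper policy is built at all, while $1_userhelper_t exists only for roles whose user macro also pulls in userhelper access (reach_sysadm, per the reply above), so a role created with full_user_role alone expands this macro to a reference to an undeclared type, which is exactly the 'unknown type privileged_userhelper_t' error quoted. Before rebuilding, grep the rest of macros/program/ for other `$1_<prog>_t` references that full_user_role does not declare, since the same pattern would fail the same way.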
--
Stephen Smalley
National Security Agency
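The failure above comes from a program macro that, when expanded for a new role, names a per-role type ($1_userhelper_t) that only some roles get. The script below is an added example, not part of this thread or of the strict policy sources: it scans a macros/program/ tree and lists every $1_<name>_t that a macro references other than its own $1_<prog>_t, so cross-macro dependencies like mozilla -> userhelper show up before checkpolicy reports them. The sample macro files it writes are constructed for the example and assume only the macros/program/<prog>_macros.te layout the thread refers to; their contents are cut down and not the real policy.

```shell
#!/bin/sh
# Added example, not part of the original thread or of the strict policy
# sources: list the per-role derived types ($1_<name>_t) that each program
# macro under macros/program/ references, other than the macro's own
# $1_<prog>_t.  A cross-reference such as mozilla_macros.te -> $1_userhelper_t
# is what made full_user_role(privileged) fail with 'unknown type', so this
# finds the remaining ones before checkpolicy does.
set -e

# Distinct $1_<name>_t identifiers in FILE, minus $1_<SELF>_t.
derived_types() {
    file="$1"
    self="$2"
    grep -o '\$1_[A-Za-z0-9_]*_t' "$file" \
        | grep -v '^\$1_'"$self"'_t$' \
        | sort -u
}

# "<file>: <type>" for every cross-macro derived type under DIR/macros/program.
cross_refs() {
    dir="$1"
    for f in "$dir"/macros/program/*_macros.te; do
        prog="$(basename "$f" _macros.te)"
        derived_types "$f" "$prog" | while IFS= read -r t; do
            printf '%s: %s\n' "$(basename "$f")" "$t"
        done
    done
}

# Constructed sample tree (assumption: the macros/program/<prog>_macros.te
# layout of the strict policy; the macro bodies are cut down for the example).
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/macros/program"

cat > "$SAMPLE_DIR/macros/program/mozilla_macros.te" <<'EOF'
define(`mozilla_domain',`
type $1_mozilla_t, domain;
dontaudit $1_mozilla_t file_type:dir getattr;
allow $1_mozilla_t self:sem create_sem_perms;
ifdef(`userhelper.te', `
domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
')
dontaudit $1_mozilla_t selinux_config_t:dir search;
')
EOF

cat > "$SAMPLE_DIR/macros/program/games_macros.te" <<'EOF'
define(`games_domain',`
type $1_games_t, domain;
allow $1_games_t self:process signal;
')
EOF

# On the sample tree this prints one line: mozilla_macros.te: $1_userhelper_t
cross_refs "$SAMPLE_DIR"
```

Run it against a real policy tree by replacing SAMPLE_DIR with the policy source directory; each line it prints is a type that full_user_role(<role>) must declare, or that the macro must stop referencing, before that role will compile.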