How do I create an initial policy for a new app?
Brian Ginn
BGinn at symark.com
Fri Mar 6 01:55:26 UTC 2009
Using polgengui, I get an error that the type is unknown (see below).
I compared the generated files to /usr/share/selinux/devel/example.*
I can see that I need to add the initial type myapp2_t;
... there are some other differences. For example:
Polgengui's myapp2.te:
corecmd_executable_file(pbrun_exec_t)
example.te:
domain_type(myapp_t)
domain_entry_file(myapp_t, myapp_exec_t)
Do these accomplish essentially the same thing?
Thanks,
Brian
+ . ./myapp2.sh
++ set -x
++ make -f /usr/share/selinux/devel/Makefile
Compiling targeted myapp2 module
/usr/bin/checkmodule: loading policy configuration from tmp/myapp2.tmp
myapp2.te:22:ERROR 'unknown type myapp2_t' at token ';' on line 83532:
allow myapp2_t myapp2_rw_t:file { create getattr setattr read write append rename link unlink ioctl lock };
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/myapp2.mod] Error 1
++ /usr/sbin/semodule -i myapp2.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp2_t system_chkpwd_t:process { transition };
libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp2_t updpwd_t:process { transition };
libsepol.check_assertion_helper: assertion on line 0 violated by allow system_chkpwd_t myapp2_t:process { sigchld };
libsepol.check_assertion_helper: assertion on line 0 violated by allow updpwd_t myapp2_t:process { sigchld };
libsepol.check_assertions: 4 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
/usr/sbin/semodule: Failed!
++ /sbin/restorecon -F -R -v /usr/local/bin/myapp2
/sbin/restorecon reset /usr/local/bin/myapp2 context system_u:object_r:bin_t:s0->system_u:object_r:bin_t:s0
++ /sbin/restorecon -F -R -v /etc/pb.settings
/sbin/restorecon reset /etc/pb.settings context system_u:object_r:etc_t:s0->system_u:object_r:etc_t:s0
++ /usr/sbin/semanage port -a -t myapp2_port_t -p tcp 23000
libsepol.context_from_record: type myapp2_port_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.port_from_record: could not create port structure for range 23000:23000 (tcp)
libsepol.sepol_port_modify: could not load port range 23000 - 23000 (tcp)
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local modifications into policy
/usr/sbin/semanage: Could not add port tcp/23000
++ echo -ne '\033]0;root at localhost:~'
[root at localhost ~]#
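The checkmodule error above comes from an allow rule naming a type that no `type` statement declares; `corecmd_executable_file` only marks a file type as executable, while `domain_type` and `domain_entry_file` declare the domain itself and its entrypoint. As an added example (not Brian's module or the polgengui output), this POSIX sh/awk lint flags types that allow rules use without declaring, and the constructed `fixed_te` sample carries the declarations from the devel example plus the `myapp2_port_t` declaration that `semanage port` needed; the `files_type` and `corenet_port` interface names are assumed from the reference policy.

```shell
#!/bin/sh
# Added example, not from the original post: list SELinux types that allow
# rules reference but no `type` statement declares, which is what checkmodule
# rejects above as "unknown type myapp2_t". Needs only POSIX sh and awk.
# Limitation: types appearing only as interface arguments are not checked.

# Print, one per line, the types used as source or target of an allow rule in
# file $1 that have no `type NAME;` / `type NAME, attr;` declaration in that
# file (a `type NAME;` inside a require block counts as declared).
lint_te_types() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        /^[ \t]*type[ \t]+[A-Za-z0-9_]+[ \t]*[;,]/ {
            t = $2; sub(/[;,].*/, "", t); declared[t] = 1
        }
        /^[ \t]*allow[ \t]+/ {                  # allow SRC TGT:CLASS {...};
            src = $2; tgt = $3; sub(/:.*/, "", tgt)
            used[src] = 1; used[tgt] = 1
        }
        END { for (t in used) if (!(t in declared)) print t }
    ' "$1" | sort
}

# Constructed sample in the shape of the failing module: myapp2_t is used in
# a rule but never declared.
broken_te() {
    cat <<'EOF'
policy_module(myapp2, 1.0.0)
type myapp2_exec_t;
type myapp2_rw_t;
corecmd_executable_file(myapp2_exec_t)
allow myapp2_t myapp2_rw_t:file { create read write };
EOF
}

# Constructed sample with the declarations the devel example shows, so every
# type is defined before use (myapp2_port_t is what semanage port needed).
# files_type and corenet_port are assumed reference-policy interfaces.
fixed_te() {
    cat <<'EOF'
policy_module(myapp2, 1.0.0)
type myapp2_t;
type myapp2_exec_t;
type myapp2_rw_t;
type myapp2_port_t;
domain_type(myapp2_t)
domain_entry_file(myapp2_t, myapp2_exec_t)
files_type(myapp2_rw_t)
corenet_port(myapp2_port_t)
allow myapp2_t myapp2_rw_t:file { create read write };
EOF
}
```

Run `lint_te_types myapp2.te` before `make -f /usr/share/selinux/devel/Makefile`; an empty result means every type in the allow rules is declared.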