How do I create an initial policy for a new app?

Miroslav Grepl mgrepl at redhat.com
Mon Mar 9 09:41:39 UTC 2009


Daniel J Walsh wrote:
> Brian Ginn wrote:
>> using the polgengui, i get an error that the type is unknown (see below).
>>
>> I compared the generated files to /usr/share/selinux/devel/example.*
>>
>> I can see that I need to add the initial type myapp2_t;
>>
>> ... there are some other differences.  For example:
>>
>> Polgengui's myapp2.te:
>>
>> corecmd_executable_file(pbrun_exec_t)
>>
>> example.te:
>>
>> domain_type(myapp_t)
>> domain_entry_file(myapp_t, myapp_exec_t)
>>
>> Do these accomplish essentially the same thing?
>>
> Not really corecmd_executable_file just identifies the label as being an
> executable, which lots of apps will be allowed to execute without a
> transition.
>
> domain_type identifies the label as something that applies to a process,
> domain_entry_file says that you can start a process labeled myapp_t, by
> executing an executable labeled myapp_exec_t.  BUT you still need to
> write a transition rule, like domtrans_pattern(unconfined_t,
> myapp_exec_t, myapp_t)
>
> Which would say when a process labeled unconfined_t executes an
> executable labeled myapp_exec_t, it will transition to a process labeled
> myapp_t.
>
>
An example of an initial policy for an app, in this case for the centerim app.

centerim.te:

policy_module(centerim, 1.0.0)

# the process type and the type of its entrypoint executable
type centerim_t;
type centerim_exec_t;
application_domain(centerim_t, centerim_exec_t)
role unconfined_r types centerim_t;

###########################

# definition of transition from unconfined_t to centerim_t
unconfined_domtrans_to(centerim_t, centerim_exec_t)

libs_use_ld_so(centerim_t)
libs_use_shared_libs(centerim_t)

miscfiles_read_localization(centerim_t)

# set permissive mode for centerim_t
permissive centerim_t;


centerim.fc:

/usr/bin/centerim        --      gen_context(system_u:object_r:centerim_exec_t,s0)

>> Thanks,
>>
>> Brian
>>
>> + . ./myapp2.sh
>> ++ set -x
>> ++ make -f /usr/share/selinux/devel/Makefile
>> Compiling targeted myapp2 module
>> /usr/bin/checkmodule:  loading policy configuration from tmp/myapp2.tmp
>> myapp2.te:22:ERROR 'unknown type myapp2_t' at token ';' on line 83532:
>> allow myapp2_t myapp2_rw_t:file { create getattr setattr read write append rename link unlink ioctl lock };
>> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
>> make: *** [tmp/myapp2.mod] Error 1
>> ++ /usr/sbin/semodule -i myapp2.pp
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp2_t system_chkpwd_t:process { transition };
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp2_t updpwd_t:process { transition };
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow system_chkpwd_t myapp2_t:process { sigchld };
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow updpwd_t myapp2_t:process { sigchld };
>> libsepol.check_assertions: 4 assertion violations occured
>> libsemanage.semanage_expand_sandbox: Expand module failed
>> /usr/sbin/semodule:  Failed!
>> ++ /sbin/restorecon -F -R -v /usr/local/bin/myapp2
>> /sbin/restorecon reset /usr/local/bin/myapp2 context system_u:object_r:bin_t:s0->system_u:object_r:bin_t:s0
>> ++ /sbin/restorecon -F -R -v /etc/pb.settings
>> /sbin/restorecon reset /etc/pb.settings context system_u:object_r:etc_t:s0->system_u:object_r:etc_t:s0
>> ++ /usr/sbin/semanage port -a -t myapp2_port_t -p tcp 23000
>> libsepol.context_from_record: type myapp2_port_t is not defined
>> libsepol.context_from_record: could not create context structure
>> libsepol.port_from_record: could not create port structure for range 23000:23000 (tcp)
>> libsepol.sepol_port_modify: could not load port range 23000 - 23000 (tcp)
>> libsemanage.dbase_policydb_modify: could not modify record value
>> libsemanage.semanage_base_merge_components: could not merge local modifications into policy
>> /usr/sbin/semanage: Could not add port tcp/23000
>> ++ echo -ne '\033]0;root at localhost:~'
>> [root at localhost ~]#
>>
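A complete myapp2.te written in the explicit domain_type / domain_entry_file / domtrans_pattern form Dan describes, declaring the two types whose absence shows up in Brian's log (myapp2_t for checkmodule, myapp2_port_t for semanage). This is an added example, not code from the thread or from polgengui; the names myapp2_rw_t and myapp2_port_t are taken from the failing commands in the log, and unconfined_t is pulled in with gen_require rather than through unconfined_domtrans_to, purely to show the raw transition rule.

```selinux
policy_module(myapp2, 1.0.0)

# --- Declarations ---

# The process type. polgengui's output lacked this declaration, hence
# checkmodule's "unknown type myapp2_t". domain_type() also adds the
# domain attribute; kernel/domain.te's neverallow rules require both
# sides of any :process permission to be domains, which is what the
# four assertion violations in the log are about.
type myapp2_t;
domain_type(myapp2_t)

# Entrypoint executable: executing it can start a myapp2_t process.
type myapp2_exec_t;
domain_entry_file(myapp2_t, myapp2_exec_t)

# Data the application manages (name taken from the failing allow rule).
type myapp2_rw_t;
files_type(myapp2_rw_t)

# Port type; "semanage port -a -t myapp2_port_t" fails until it exists.
type myapp2_port_t;
corenet_port(myapp2_port_t)

role unconfined_r types myapp2_t;

# --- Local policy ---

gen_require(`
	type unconfined_t;
')

# The transition rule itself: unconfined_t executing myapp2_exec_t
# becomes myapp2_t. The entry file alone does not cause a transition.
domtrans_pattern(unconfined_t, myapp2_exec_t, myapp2_t)

manage_files_pattern(myapp2_t, myapp2_rw_t, myapp2_rw_t)

libs_use_ld_so(myapp2_t)
libs_use_shared_libs(myapp2_t)
miscfiles_read_localization(myapp2_t)

# Bind to ports labeled myapp2_port_t (tcp 23000 once semanage adds it).
allow myapp2_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(myapp2_t)
allow myapp2_t myapp2_port_t:tcp_socket name_bind;

# Permissive while collecting denials with audit2allow; drop when done.
permissive myapp2_t;
```

The matching myapp2.fc needs a line such as `/usr/local/bin/myapp2 -- gen_context(system_u:object_r:myapp2_exec_t,s0)` (path from the restorecon output in the log), after which restorecon relabels the binary from bin_t instead of leaving it unchanged as the log shows.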