Dipping into the policy waters

Miroslav Grepl mgrepl at redhat.com
Wed Feb 29 13:54:47 UTC 2012


On 02/29/2012 01:39 AM, Alan Batie wrote:
> I'm trying a simple "first policy" with Eclipse and SLIDE, and getting
> an error I don't understand.  I'm hoping someone can point me in the
> right direction:
>
> Creating policy.xml
> /usr/share/selinux/devel/include/support/segenxml.py: warning: unable to
> find XML for interface peak_read_files()
> /usr/share/selinux/devel/include/support/segenxml.py: warning: unable to
> find XML for interface peak_read_config_files()
> /usr/share/selinux/devel/include/support/segenxml.py: warning: orphan
> XML comments at bottom of file ./peak_files.te
> doc/policy.xml:65535: element module: validity error : Element module
> content does not follow the DTD, expecting (summary , desc? , required?
> , (interface | template)* , (bool | tunable)*), got (summary param
> interface interface )
> Document doc/policy.xml does not validate against
> /usr/share/selinux/devel/include/support/policy.dtd
> make: *** [doc/policy.xml] Error 3
> Compiling targeted  peak_files module
>
> I'm guessing that means I haven't defined the interfaces somewhere I
> ought to, but I have them in the Interfaces (.if) tab:
>
> ############################################################
> ##<summary>
> ##	Access to reading peak files
> ##</summary>
> ##<param name="domain">
> ##	<summary>
> ##		Source domain to give access to
> ##	</summary>
> ##</param>
> #
> interface(`peak_read_files',`
>      gen_require(`
>          type peak_t;
>      ')
>
>      allow $1 peak_t:dir list_dir_perms;
>      read_files_pattern($1,peak_t,peak_t)
> ')
>
> ############################################################
> ##<summary>
> ##	Access to reading peak config files
> ##</summary>
> ##<param name="domain">
> ##	<summary>
> ##		Source domain to give access to
> ##	</summary>
> ##</param>
> #
> interface(`peak_read_config_files',`
>      gen_require(`
>          type peak_config_t;
>      ')
>
>      allow $1 peak_config_t:dir list_dir_perms;
>      read_files_pattern($1,peak_config_t,peak_config_t)
> ')
>
>
> The .te file is simple enough:
>
> policy_module(peak_files,1.0.0)
>
> ############################################################
> ##<summary>
> ##	Peak local configuration files and scripts
> ##</summary>
>
> # domain for peak files
> type peak_t;
> # domain for peak configuration files
> type peak_config_t;
> # domain for peak scripts to run in
> type peak_exec_t;
>
> files_type(peak_t)
> files_type(peak_config_t)
>
> # peak things can read peak config files
> read_files_pattern(peak_t,peak_config_t,peak_config_t)
>
>
> For completeness, the .fc file:
>
> /peak(/.*)?	gen_context(system_u:object_r:peak_t,s0))
>
>
>
What OS?