Greetings everyone!
I'm trying to set up a demonstration of SELinux functionality for a
few people, and have been hitting my head against a brick wall on it
for 2 days, so I was hoping that maybe you guys could give me some
advice...

Background:
System:
Fedora Core 3, updated to latest packages via "yum update"
Strict policy, version 1.19.10-2, and the strict policy sources installed.
The Goal:
To demonstrate locking down access to a file to only a certain role,
privileged_r. A user account should have to enter that role via the
newrole command.
The current problem:
According to the policy writing docs, a role should be created via the
full_user_role() macro. So, in domains/misc/custom_policy.te, I
placed the following line (along with other custom rules that have
already been compiled successfully and work):
full_user_role(privileged)
The docs also say that new user roles should be added to the
in_user_role macro within macros/user_macros.te, so I did that as
well, making that macro look like this:
undefine(`in_user_role')
define(`in_user_role', `
role user_r types $1;
role staff_r types $1;
# role statement syntax is "role <role> types <type>;" (plural "types")
role privileged_r types $1;
')
Now, when trying to compile the policy after that, I get the following error:
/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/misc/custom_policy.te:13:ERROR 'unknown type
privileged_userhelper_t' at token ';' on line 115000:
#line 13
allow privileged_mozilla_t privileged_userhelper_t:process transition;
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/strict/policy/policy.18] Error 1
I've been banging my head against the wall on this one for a day and a
half - have searched the web, read numerous docs on creating policy,
looked at how the full_user_role macro is used elsewhere in the
policy, and I simply can't figure out what I'm doing wrong.
Anyone have any ideas?
Jeremy
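Added illustration, not part of Jeremy's post and not taken from the Fedora strict policy sources: the raw policy statements that express the stated goal once full_user_role(privileged) has defined the user domain privileged_t and the role privileged_r, written without the helper macros so the role-to-domain and domain-to-file relationships are visible. The file type name privileged_secret_t, the account name jeremy and the path /srv/secret are assumptions chosen for the example; the file sections they belong in are named in comments.

```m4
# Added illustration, not from the post. Assumes full_user_role(privileged)
# has already defined the user domain privileged_t and the role privileged_r.

# --- domains/misc/custom_policy.te (plain statements, no macros) ---

# A dedicated type for the protected file (name is an assumption).
type privileged_secret_t, file_type;

# Only the privileged_t domain gets read access. No other user domain has
# an allow rule for privileged_secret_t, so user_t and staff_t are denied.
allow privileged_t privileged_secret_t:file { getattr read };

# Bind the role to the domain: a process in privileged_r may run as privileged_t.
role privileged_r types privileged_t;

# Role allow rule: authorizes the user_r -> privileged_r change that newrole
# requests. Without it the role change is refused even with a valid password.
allow user_r privileged_r;

# --- users (account name is an assumption) ---
# The account must be authorized for both roles, or newrole cannot reach
# privileged_r at all.
user jeremy roles { user_r privileged_r };

# --- file_contexts/file_contexts.local (path is an assumption) ---
/srv/secret(/.*)?    system_u:object_r:privileged_secret_t
```

After the policy is rebuilt and loaded, relabel the directory (restorecon -R /srv/secret) and demonstrate the lock-down from a user_r shell: reading the file is denied, and after `newrole -r privileged_r` the same read succeeds. Whether the in-tree newrole domain needs additional permissions to perform the role change is governed by the strict policy's own macros and is not shown here.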