Re: using an interface defined in another loaded module

Hi Lukas Thanks for the reply. I am following 'SELinux Cookbook' following is an excerpt from the book "The location of the interface definitions Whenever an SELinux policy module is built, the build system sources all interface files it finds at the following locations: • /usr /share/selinux/mcs/include/* or /usr/share/selinux/devel/include/* (depending on the Linux distribution) • The current working directory The first location is where the interface files of all the SELinux modules provided by the Linux distribution are stored. The files are Inside sub dIrectories named after particular categories (the reference policy calls these layers, but this is only used to make some structure amongst the definitions, nothing else) such as contrib/, system/, and roles/. For local development of SELinux policies, this location is usually not writable. If we develop our own policy modules, then this would mean that none of the locally managed SELinux policy files can use interfaces of the other local interface files. The Makefile file, therefore, also sources all interface files it finds in the current working directory. " According to the above If I am developing two policies a and b (b uses a's interface) a.pp from sources a.if, a.te, a.fc b.pp from sources b.if, b.te, b.fc, a.if When I run make to compile b.pp make fails with error at b.te pointing to domtrans macro of a.if . However if I copy all of a's sources along with a.if then I am able to compile b.pp Is this expected? If only a.if file is required to how does the a.if file types get's resolved when trying to compile b.pp or it doesn't get resolved? Is there an online example where one policy uses the interface file of another policy? zer0 0ne