----- Original Message -----
From: "Douglas Brown" doug.brown@qut.edu.au
To: "SELinux Fedora List" selinux@lists.fedoraproject.org
Sent: Monday, June 13, 2016 8:52:40 PM
Subject: RHEL 7 shutdown_run interface

Hi all,
In the process of porting policies from RHEL 6 to 7, I’m having an issue with the shutdown_run interface.
The trivial te file below compiles and loads fine on RHEL 6.7:
policy_module(test, 0.1)
require { role staff_r; type staff_t; }
shutdown_run(staff_t, staff_r)
However, there appears to be a bug in RHEL 7.2, because loading with semodule gives the error: "libsepol.print_missing_requirements: test's global requirements were not met: role shutdown_roles (No such file or directory)"
I believe you also need shutdown_role(staff_r,staff_t) for this to compile
After looking into this, curiously the interface has moved from /usr/share/selinux/devel/include/admin/shutdown.if (selinux-policy rpm in RHEL 6) to /usr/share/selinux/devel/include/contrib/shutdown.if (selinux-policy-devel rpm in RHEL 7). Should it be in contrib?
There’s also another issue in that shutdown_exec_t is used in the RHEL 7 interface but it no longer exists because the shutdown binary has been replaced with a symlink to systemctl.
Thanks,
Doug