Louis Lam wrote:
> Hi,
> Thanks for the reply.
> My conclusion is that I'm not sure where to place the domain_auto_trans()
> statement. If I can't place it in the vmware.if file (since it will not be read during
> module compilation), where can I put this statement? All I need to do now is to make the
> vmware executable run in its own domain, e.g. vmware_t. But it seems more difficult than I
> thought.
If you want the vmware program to run in its own domain, all necessary rules
should be in the te file, e.g.
domain_auto_trans(vmware_t, vmware_host_exec_t, vmware_host_t)
(just an example)
Similarly, domain_auto_trans can also be used in an if file, especially
in per_role_template. All of these depend on your purpose.
To make vmware run in selinux-policy>3.0, the easiest way is to
follow Tom's guidance, i.e. modify net-service.sh to restore the
label after creating the device node.
But if you want the policy to contain vmware, you must resolve
the "device node label" problem; IMHO, you should use fs_use_trans
to make the label automatically:
http://marc.info/?l=selinux&m=118481693028190&w=2
For now I have not had time to do this, so I have not solved the problems
I encountered.
> Can you point me to resources on how to develop modules? Can someone help me with this
> problem?
"Beginning is the most difficult one, but A Good Beginning is half
the battle" :-)
After you finish the beginning, you will find it's not difficult.
The book <<SELinux by Example>> is a good guide for developing modules,
but I think the best guide to developing policy is the policy source.
> Thanks & Regards,
> Louis
----- Original Message ----
From: Ken YANG <spng.yang(a)gmail.com>
To: Louis Lam <lshoujun(a)yahoo.com>
Cc: Daniel J Walsh <dwalsh(a)redhat.com>; fedora-selinux-list(a)redhat.com
Sent: Monday, July 30, 2007 6:53:17 AM
Subject: Re: Containing vmware player 2.0.0 with SELINUX
Louis Lam wrote:
> Hi,
>
> I think I'm having a policy compilation problem here.
>
> I've moved the domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t) statement to
> vmware.if. I was following the domain_auto_trans rules for other apps such as mozilla. The
> syntax error problem went away.
>
> But the problem is that the domain transition didn't take place. My vmplayer is
> still running in the unconfined state.
>
> I'm doing compilation of the vmware.pp module using make -f
> /usr/share/selinux/devel/Makefile. I've tried to purposely introduce errors into
> vmware.if to see if the compilation is effective:
>
> e.g. domain_auto_trans($2, $2, $1_t, vmware_exec_t, $1_vmware_t)
>
> But the make process didn't detect any errors and the compilation still went on.
> I did a diff between the vmware.pp at
> /etc/selinux/targeted/modules/active/modules/vmware.pp and the development directory
> (where I do all my compilation), but there are no differences.
>
> Does it mean that if the vmware.if file is modified it will not affect the make?
As I infer (I'm not sure):
the interface will not be checked unless someone invokes it, because if
there are no invocations, the parameters cannot be determined.
When you build the vmware module, you will not use your own interface in
your own module, so the build process will not detect the error.
> How do you ensure that the changes in vmware.if are effective? (well, at least cause some
> compilation errors?)
>
>
>
> Thanks,
> Louis
>
>
>
>
>
> ----- Original Message ----
> From: Ken YANG <spng.yang(a)gmail.com>
> To: Louis Lam <lshoujun(a)yahoo.com>
> Cc: Daniel J Walsh <dwalsh(a)redhat.com>; fedora-selinux-list(a)redhat.com
> Sent: Saturday, July 28, 2007 5:28:25 PM
> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>
>
> Louis Lam wrote:
>> My mistake, apologies for the confusion. Under part 2, I was trying to do
>> domain_auto_trans instead of domain_entry_file, so...
>>
>> 2. Created a domain transition so that the vmware user programs, e.g. the
>> /usr/lib/vmplayer script and /usr/lib/vmware/bin/vmplayer, that are
>> labelled system_u:object_r:vmware_exec_t will transition to
>> system_u:object_r:vmware_t when executed. I put it also in vmware.te:
>>
>> domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
>>
>> but
>> on making the vmware.pp module I get this warning and error:
>>
>> 'syntax error' at token '1' on line 81143:
>> #line 13
>> allow $1_t vmware_exec_t: file {getattr read execute};
> This rule is generated by domain_auto_trans, so I think the
> syntax error should be caused by other rules.
>
> You may check the other rules in your policy.
>
>> Thanks in advance,
>> Louis
>>
>>
>> ----- Original Message ----
>> From: Louis Lam <lshoujun(a)yahoo.com>
>> To: Daniel J Walsh <dwalsh(a)redhat.com>
>> Cc: fedora-selinux-list(a)redhat.com
>> Sent: Friday, July 27, 2007 5:05:05 AM
>> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>>
>> Thanks Daniel for the information, hi everyone
>>
>> I've tried to make the following changes:
>>
>> 1. Defined the vmware_t type in vmware.te:
>> type vmware_t;
>>
>> I need to do this since I'm trying to let the vmware user program run under the
>> vmware_t domain, but this is not defined. In terms of overall code compliance, is it correct
>> to define it here? Or should it be in vmware.if?
> The type definition should be in vmware.te.
>
> Send instant messages to your online friends
http://uk.messenger.yahoo.com
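As an added example (not code from the thread, from VMware or from the Fedora policy), the script below lays out a minimal refpolicy-style module the way the replies above describe: the type declarations and the concrete domain_auto_trans go in vmware.te, the file context goes in vmware.fc, and vmware.if only exposes an interface for other modules to call. The type names vmware_t, vmware_exec_t and unconfined_t and the path /usr/lib/vmware/bin/vmplayer come from the thread; the starting set of allow rules, the interface name vmware_domtrans and the directory layout are assumptions. Building, loading and relabelling are skipped when /usr/share/selinux/devel/Makefile is absent, so the file generation can be exercised on a machine without the policy headers.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal refpolicy-style module that
# puts vmplayer in its own domain. Names other than vmware_t, vmware_exec_t,
# unconfined_t and /usr/lib/vmware/bin/vmplayer are assumptions, and the extra
# allow rules are a guess at a starting set; real ones come from audit2allow.
set -eu

# Write vmware.te / vmware.fc / vmware.if into the directory given as $1.
write_module() {
    dir="$1"
    mkdir -p "$dir"

    # .te: type declarations AND the transition rule for a concrete caller.
    cat > "$dir/vmware.te" <<'EOF'
policy_module(vmware, 0.1)

# Types are declared here, not in the .if file.
type vmware_t;
type vmware_exec_t;
domain_type(vmware_t)
domain_entry_file(vmware_t, vmware_exec_t)

# Types owned by other modules must be pulled in with gen_require before use.
# unconfined_t is the shell's domain on a targeted policy, so this is the
# domain_auto_trans that actually fires when a user runs vmplayer.
gen_require(`
	type unconfined_t;
')
domain_auto_trans(unconfined_t, vmware_exec_t, vmware_t)

# Starting set so the new domain can fork and talk to its parent (assumption;
# extend it with audit2allow from the AVC denials you collect).
allow vmware_t self:process { fork signal sigchld };
allow vmware_t unconfined_t:fd use;
allow vmware_t unconfined_t:process sigchld;
allow vmware_t unconfined_t:fifo_file { read write getattr };
EOF

    # .fc: the entrypoint file gets the exec type; restorecon applies it.
    cat > "$dir/vmware.fc" <<'EOF'
/usr/lib/vmware/bin/vmplayer    --    gen_context(system_u:object_r:vmware_exec_t,s0)
EOF

    # .if: an interface other modules can call. It is only parsed when some
    # module invokes it, which is why a typo here goes unnoticed in a plain
    # build of vmware.pp.
    cat > "$dir/vmware.if" <<'EOF'
## <summary>VMware Player</summary>

########################################
## <summary>
##	Execute vmplayer in the vmware domain.
## </summary>
## <param name="domain">
##	<summary>Domain allowed to transition.</summary>
## </param>
#
interface(`vmware_domtrans',`
	gen_require(`
		type vmware_t, vmware_exec_t;
	')
	domain_auto_trans($1, vmware_exec_t, vmware_t)
	allow vmware_t $1:fd use;
	allow vmware_t $1:process sigchld;
')
EOF
}

# Build, load and relabel. Skipped when the devel Makefile is absent so the
# script can be run on a machine without the policy development headers.
build_and_load() {
    dir="$1"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "no /usr/share/selinux/devel/Makefile; skipping build" >&2
        return 0
    fi
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile vmware.pp)
    semodule -i "$dir/vmware.pp"
    restorecon -v /usr/lib/vmware/bin/vmplayer
}

# Check whether a running vmplayer actually ended up in vmware_t: ps -eZ
# prints the context first, so a line containing ':vmware_t:' and vmplayer
# means the transition took place.
verify_transition() {
    ps -eZ | grep -q ':vmware_t:.*vmplayer'
}

# Run the whole procedure only when invoked as: sh vmware-module.sh run
if [ "${1:-}" = run ]; then
    write_module ./vmware-policy
    build_and_load ./vmware-policy
    verify_transition && echo "vmplayer is confined in vmware_t" \
        || echo "still unconfined; check /var/log/audit/audit.log for AVC denials"
fi
```

After loading the module, start vmplayer from a fresh shell and run verify_transition; if it still shows unconfined_t, confirm with ls -Z that the entrypoint carries vmware_exec_t and that the domain_auto_trans in the .te names the domain you are actually running from.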