On 04/29/2015 12:54 AM, Simon Sekidde wrote:
----- Original Message -----
> From: "Tracy Reed" <treed(a)ultraviolet.org>
> To: selinux(a)lists.fedoraproject.org
> Sent: Tuesday, April 28, 2015 6:48:05 PM
> Subject: Re: "invalid security context" in custom policy
>
> On Tue, Apr 28, 2015 at 12:11:05PM PDT, Tracy Reed spake thusly:
>> libsepol.context_from_record: invalid security context:
>> "myapp_u:myapp_r:myapp_api_t:s0"
>
> Solved: When declaring your own file contexts use object_r for the role
> instead
> of a user role in your .fc file.
>
> Still having an issue with this one though:
>
>> And while I'm posting I may as well ask: When I uncomment the
>> logging_log_file(mypp_logs_t) type attribute above I get this error:
>>
>> Compiling targeted myapp module
>> /usr/bin/checkmodule: loading policy configuration from tmp/myapp.tmp
>> myapp.te":42:ERROR 'unknown class filesystem used in rule' at token ';' on line 1301:
>> allow myapp_logs_t tmp_t:filesystem associate;
>> #line 42
>> /usr/bin/checkmodule: error(s) encountered while parsing configuration
>> make: *** [tmp/myapp.mod] Error 1
>>
Probably need something like
class filesystem { associate };
inside the require { } along with this statement
allow myapp_tmp_t myapp_logs_t: filesystem associate;
Yes, you need to require all classes/permissions if you use this module
declaration.
You can use
policy_module(mypol, 1.0)
module declaration using reference policy. But you need to build it with
the devel Makefile which applies m4 and includes the interface files
that define the macros.
# make -f /usr/share/selinux/devel/Makefile mypol.pp
In this case, you don't need to require all classes with permissions
which are used.
>>
>> All tips are greatly appreciated!
>>
>> --
>> Tracy Reed
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
>
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.
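A side-by-side layout of the two module forms discussed in this thread, added here as an illustration and not taken from Tracy's actual policy or from Simon's or Miroslav's mail. Form 1 is the raw `module` declaration, where the missing `class filesystem { associate };` inside `require { }` is what produced the checkmodule error quoted above; Form 2 is the reference-policy `policy_module` declaration built with the devel Makefile, where the interfaces carry their own `gen_require()` blocks. The type names `myapp_logs_t` and `myapp_tmp_t`, the `/var/log/myapp` and `/tmp/myapp` paths, and the extra `dir`/`file` permissions are assumed for the example.

```selinux
# --- Form 1: raw module, myapp.te ---
# Everything the module borrows from the base policy must be declared in
# require {}: each base type, and each object class with the permissions
# the rules use. Omitting "class filesystem { associate };" yields
# "unknown class filesystem used in rule" from checkmodule.
module myapp 1.0;

require {
    type tmp_t;
    class filesystem { associate };
    class dir { search write add_name };
    class file { create open read write append getattr };
}

# Assumed names: myapp_logs_t for log files, myapp_tmp_t for scratch files.
type myapp_logs_t;
type myapp_tmp_t;

# The rule that failed to compile, now that the class is required.
allow myapp_logs_t tmp_t:filesystem associate;
allow myapp_tmp_t tmp_t:filesystem associate;

# --- Form 1: myapp.fc ---
# The role in a file context is always object_r; a user role here is what
# libsepol rejects as an "invalid security context".
/var/log/myapp(/.*)?    system_u:object_r:myapp_logs_t:s0
/tmp/myapp(/.*)?        system_u:object_r:myapp_tmp_t:s0

# Build and install the raw form (run as root):
#   checkmodule -M -m -o myapp.mod myapp.te
#   semodule_package -o myapp.pp -m myapp.mod -f myapp.fc
#   semodule -i myapp.pp

# --- Form 2: reference-policy module, myapp.te ---
# The devel Makefile runs m4 over this file and pulls in the interface
# files, so the gen_require() blocks inside logging_log_file() and
# files_tmp_file() supply the base types and classes for you; no
# hand-written require {} is needed for anything reached via an interface.
policy_module(myapp, 1.0.0)

type myapp_logs_t;
logging_log_file(myapp_logs_t)

type myapp_tmp_t;
files_tmp_file(myapp_tmp_t)

# --- Form 2: myapp.fc ---
/var/log/myapp(/.*)?    gen_context(system_u:object_r:myapp_logs_t,s0)
/tmp/myapp(/.*)?        gen_context(system_u:object_r:myapp_tmp_t,s0)

# Build and install the reference-policy form (run as root):
#   make -f /usr/share/selinux/devel/Makefile myapp.pp
#   semodule -i myapp.pp
```

The four sections above are four separate files; they are shown together only to line up the two forms. The practical difference is where the burden of correctness sits: in Form 1 every class and permission has to be spelled out by hand and any omission is a compile error, while in Form 2 the interfaces carry their requirements, so a module that calls `logging_log_file()` gets the `logfile` attribute and the associated rules without copying macro expansions into the `.te` file.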