Dear Gary,
Thanks a zillion times for your help; the building of the policy works fine now that I have copied the .if file of the submodule to the directory you mentioned! I did not know I was required to copy the module's interface file to SELinux's include dirs to make it available for other modules to use.
BTW, I was building my module from within my "policy builder and installer" script using the "traditional" way of:
# make -f /usr/share/selinux/devel/Makefile A.pp
Now the build process works, thanks to your suggestion!
Best Regards, János -- Janos SZIGETVARI RHCE, License no. 150-053-692 https://www.redhat.com/rhtapps/verify/?certId=150-053-692
LinkedIn: linkedin.com/in/janosszigetvari E-mail: janos@szigetvari.com, jszigetvari@gmail.com Phone: +36209440412 (Hungary)
Gary Tierney <gary.tierney@gmx.com> wrote (on Wed, 3 Apr 2019, 17:14):
> On Wed, Apr 03, 2019 at 10:34:08AM +0200, SZIGETVÁRI János wrote:
> > Could anyone please give me some insight on this?
> > Thanks a lot!
>
> Hi,
>
> How are you building and installing your policy modules? The interface definitions (.if files) aren't preserved in the compiled policy package, so are typically kept elsewhere. On Fedora this is under /usr/share/selinux/devel/include and its associated subdirectories (which are recursively walked to find .if files when building policy using the refpolicy framework, i.e., the selinux-policy-devel package).
>
> So it should be as simple as copying your .if files to: /usr/share/selinux/devel/include (though the "services" subdir is likely more appropriate).
>
> Thanks, Gary.
>
> > Best Regards, János Szigetvári
> >
> > SZIGETVÁRI János <jszigetvari@gmail.com> wrote (on Sun, 31 Mar 2019, 13:47):
> > ... snip ...
selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or...
Hi Janos,
I am working on a similar SELinux policy issue. I have two policy modules A and B. B needs to use the interfaces provided by A. Does this mean policy module A.pp has to be installed on the system first and A.if has to be available in some path under /usr/share/selinux/devel/include/ for B to make use of it?
Thanks, zer0 0ne
On 11/1/19 7:38 AM, zer0__0ne@outlook.com wrote:
> Hi Janos,
> I am working on a similar SELinux policy issue. I have two policy modules A and B. B needs to use the interfaces provided by A. Does this mean policy module A.pp has to be installed on the system first and A.if has to be available in some path under /usr/share/selinux/devel/include/ for B to make use of it?
Yes. If you want to compile and load B policy, you need to have A interfaces stored in /usr/share/selinux/devel/include/.
Thanks, Lukas.
> Thanks, zer0 0ne
Hi Lukas
Thanks for the reply. I am following 'SELinux Cookbook'; the following is an excerpt from the book:

"The location of the interface definitions

Whenever an SELinux policy module is built, the build system sources all interface files it finds at the following locations:
• /usr/share/selinux/mcs/include/* or /usr/share/selinux/devel/include/* (depending on the Linux distribution)
• The current working directory

The first location is where the interface files of all the SELinux modules provided by the Linux distribution are stored. The files are inside subdirectories named after particular categories (the reference policy calls these layers, but this is only used to make some structure amongst the definitions, nothing else) such as contrib/, system/, and roles/.

For local development of SELinux policies, this location is usually not writable. If we develop our own policy modules, then this would mean that none of the locally managed SELinux policy files can use interfaces of the other local interface files. The Makefile file, therefore, also sources all interface files it finds in the current working directory."

According to the above, if I am developing two policies a and b (b uses a's interface):
a.pp from sources a.if, a.te, a.fc
b.pp from sources b.if, b.te, b.fc, a.if

When I run make to compile b.pp, make fails with an error at b.te pointing to the domtrans macro of a.if. However, if I copy all of a's sources along with a.if, then I am able to compile b.pp. Is this expected?
If only the a.if file is required, how do the types in a.if get resolved when trying to compile b.pp, or don't they get resolved? Is there an online example where one policy uses the interface file of another policy?
zer0 0ne
On 11/2/19 8:53 AM, zer0__0ne@outlook.com wrote:
> Hi Lukas
> Thanks for the reply. I am following 'SELinux Cookbook'; the following is an excerpt from the book:
>
> "The location of the interface definitions
>
> Whenever an SELinux policy module is built, the build system sources all interface files it finds at the following locations:
> • /usr/share/selinux/mcs/include/* or /usr/share/selinux/devel/include/* (depending on the Linux distribution)
> • The current working directory
>
> The first location is where the interface files of all the SELinux modules provided by the Linux distribution are stored. The files are inside subdirectories named after particular categories (the reference policy calls these layers, but this is only used to make some structure amongst the definitions, nothing else) such as contrib/, system/, and roles/.
>
> For local development of SELinux policies, this location is usually not writable. If we develop our own policy modules, then this would mean that none of the locally managed SELinux policy files can use interfaces of the other local interface files. The Makefile file, therefore, also sources all interface files it finds in the current working directory."
>
> According to the above, if I am developing two policies a and b (b uses a's interface):
> a.pp from sources a.if, a.te, a.fc
> b.pp from sources b.if, b.te, b.fc, a.if
>
> When I run make to compile b.pp, make fails with an error at b.te pointing to the domtrans macro of a.if. However, if I copy all of a's sources along with a.if, then I am able to compile b.pp. Is this expected?
Hi,
Let's describe it with the following example:
You have 2 policies:
A: a.te, a.fc, a.if
B: b.te, b.fc, b.if
You successfully compile the SELinux sources to the SELinux module A.pp using:
# make -f /usr/share/selinux/devel/Makefile a.pp
because the A policy uses only system interfaces (/usr/share/selinux/devel/include).
But the B policy also uses a macro defined in a.if, in addition to the system interfaces defined in /usr/share/selinux/devel/include. During compilation all macros need to be extracted, and these macros are searched for in /usr/share/selinux/devel/include and the current directory, as you mentioned from the SELinux Cookbook.
So yes, if you're compiling the B policy, you need to have the a.if interface file in the same directory as the B policy sources.
Is this clear, or am I missing something in your question?
Thanks, Lukas.
> If only the a.if file is required, how do the types in a.if get resolved when trying to compile b.pp, or don't they get resolved? Is there an online example where one policy uses the interface file of another policy?
> zer0 0ne
Thanks for the explanation, Lukas. I have one follow-up question about the example you described:
"So yes, if you're compiling the B policy, you need to have the a.if interface file in the same directory as the B policy sources."
If I have a.if in the B policy sources, is that sufficient, or do I need to have a.te in the B policy sources as well? When I experimented with just a.if, the B policy compilation failed, and it was successful when I copied a.te into the B policy sources directory. Is this expected, or is it an issue with the policies I have written?
On 11/4/19 11:02 PM, zer0 0ne wrote:
> Thanks for the explanation, Lukas. I have one follow-up question about the example you described:
> "So yes, if you're compiling the B policy, you need to have the a.if interface file in the same directory as the B policy sources."
> If I have a.if in the B policy sources, is that sufficient, or do I need to have a.te in the B policy sources as well? When I experimented with just a.if, the B policy compilation failed, and it was successful when I copied a.te into the B policy sources directory. Is this expected, or is it an issue with the policies I have written?
You could have only a.if in the B policy sources, *but* the A policy (a.pp) has to be loaded into the kernel before you install the B policy module.
Lukas.
Lukas,
I experimented a bit using the files from the SELinux Cookbook (sources below). The mysysadm policy uses an interface from mylogging.
When compiling mysysadm.te with JUST mylogging.if in the same directory I get the following error:
Compiling targeted mysysadm module
/usr/bin/checkmodule: loading policy configuration from tmp/mysysadm.tmp
mysysadm.te:5:ERROR 'syntax error' at token 'logging_exec_syslog' on line 3340:
logging_exec_syslog(sysadm_t)
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/mysysadm.mod] Error 1
When compiling mysysadm.te with mylogging.if and mylogging.te in the same directory, the mysysadm policy compiles successfully. I was under the impression that having just the .if file would allow another policy to compile; apparently that is not the case.
Makefile
----------
# installation paths
SHAREDIR := /usr/share/selinux

AWK ?= gawk
NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))

ifeq ($(MLSENABLED),)
MLSENABLED := 1
endif

ifeq ($(MLSENABLED),1)
NTYPE = mcs
endif

ifeq ($(NAME),mls)
NTYPE = mls
endif

TYPE ?= $(NTYPE)

HEADERDIR := $(SHAREDIR)/devel/include
include $(HEADERDIR)/Makefile

mylogging.if
------------
# Let the caller domain ($1) execute the syslog daemon binary.
interface(`logging_exec_syslog',`
	gen_require(`
		type syslogd_exec_t;
	')
	can_exec($1, syslogd_exec_t)
')

mylogging.te
--------------
# Extra rules for the distribution's syslogd_t domain.
policy_module(mylogging, 0.2)
gen_require(`
	type syslogd_t;
')
bind_write_config(syslogd_t)

mysysadm.te
---------------
policy_module(mysysadm, 0.1)
gen_require(`
	type sysadm_t;
')
logging_exec_syslog(sysadm_t)
On 11/5/19 8:36 PM, zer0 0ne wrote:
> Lukas,
> I experimented a bit using the files from the SELinux Cookbook (sources below). The mysysadm policy uses an interface from mylogging.
> When compiling mysysadm.te with JUST mylogging.if in the same directory I get the following error:
> Compiling targeted mysysadm module
> /usr/bin/checkmodule: loading policy configuration from tmp/mysysadm.tmp
> mysysadm.te:5:ERROR 'syntax error' at token 'logging_exec_syslog' on line 3340:
> logging_exec_syslog(sysadm_t)
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/mysysadm.mod] Error 1
> When compiling mysysadm.te with mylogging.if and mylogging.te in the same directory, the mysysadm policy compiles successfully. I was under the impression that having just the .if file would allow another policy to compile; apparently that is not the case.
>
> Makefile
> ----------
> # installation paths
> SHAREDIR := /usr/share/selinux
>
> AWK ?= gawk
> NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
>
> ifeq ($(MLSENABLED),)
> MLSENABLED := 1
> endif
>
> ifeq ($(MLSENABLED),1)
> NTYPE = mcs
> endif
>
> ifeq ($(NAME),mls)
> NTYPE = mls
> endif
>
> TYPE ?= $(NTYPE)
>
> HEADERDIR := $(SHAREDIR)/devel/include
> include $(HEADERDIR)/Makefile
>
> mylogging.if
> ------------
> # Let the caller domain ($1) execute the syslog daemon binary.
> interface(`logging_exec_syslog',`
> 	gen_require(`
> 		type syslogd_exec_t;
> 	')
> 	can_exec($1, syslogd_exec_t)
> ')
>
> mylogging.te
> --------------
> # Extra rules for the distribution's syslogd_t domain.
> policy_module(mylogging, 0.2)
> gen_require(`
> 	type syslogd_t;
> ')
> bind_write_config(syslogd_t)
>
> mysysadm.te
> ---------------
> policy_module(mysysadm, 0.1)
> gen_require(`
> 	type sysadm_t;
> ')
> logging_exec_syslog(sysadm_t)
Did you load mylogging.pp before?
Got the same error while compiling mysysadm.pp when the mylogging module was loaded (output below).
Does this confirm my previous statement that if B.te is going to use A.if, then A.te must exist in the same directory, otherwise B.pp won't compile?
~/demo $ sudo semodule -l | grep -i mylogging
mylogging 0.2
localhost ~/demo $ make mysysadm.pp
Compiling targeted mysysadm module
/usr/bin/checkmodule: loading policy configuration from tmp/mysysadm.tmp
mysysadm.te:5:ERROR 'syntax error' at token 'logging_exec_syslog' on line 3340:
logging_exec_syslog(sysadm_t)
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/mysysadm.mod] Error 1
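A check for exactly this failure, added here as an example and not code from the thread or from the refpolicy project: it emulates which .if files the refpolicy devel Makefile sources for a build and lists the interface calls in a .te that none of them defines, since an interface m4 never expanded is what checkmodule reports as a syntax error at that token. It assumes my reading of refpolicy's Makefile.devel (a local .if is sourced only when a same-named .te sits beside it) and builds a constructed sample tree mirroring the mylogging/mysysadm files above.

```shell
# Added example, not from the thread or refpolicy: emulate which .if files the
# refpolicy devel Makefile sources, then list calls in a .te none defines.
# Assumption (my reading of Makefile.devel): a local .if is sourced only
# when a same-named .te sits beside it.

# Print the .if files the build would source: every .if under header dir $1,
# plus each local <name>.if in source dir $2 that has a sibling <name>.te.
sourced_ifs() {
    [ -d "$1" ] && find "$1" -name '*.if'
    for te in "$2"/*.te; do
        [ -e "$te" ] && [ -e "${te%.te}.if" ] && echo "${te%.te}.if"
    done
    return 0
}

# Succeed if interface or template $1 is defined in any of the .if files $2...
interface_defined() {
    name=$1; shift
    pat="^(interface|template)\\(\`$name'"
    for f in "$@"; do
        grep -qE "$pat" "$f" && return 0
    done
    return 1
}

# Print the top-level calls in .te $3 that no sourced .if (header dir $1,
# source dir $2) defines. Paths are assumed to contain no whitespace.
missing_interfaces() {
    ifs=$(sourced_ifs "$1" "$2")
    grep -oE '^[a-z_]+[(]' "$3" | tr -d '(' | sort -u |
        grep -vxE 'policy_module|gen_require|optional_policy|tunable_policy' |
        while read -r name; do
            interface_defined "$name" $ifs || echo "$name"
        done
}

# Constructed sample tree mirroring the thread: an empty header dir and a
# source dir holding only mylogging.if and mysysadm.te. Prints its path.
setup_demo() {
    demo=$(mktemp -d) && mkdir "$demo/include" "$demo/src"
    cat > "$demo/src/mylogging.if" <<'EOF'
interface(`logging_exec_syslog',`
    gen_require(` type syslogd_exec_t; ')
    can_exec($1, syslogd_exec_t)
')
EOF
    printf 'policy_module(mysysadm, 0.1)\nlogging_exec_syslog(sysadm_t)\n' \
        > "$demo/src/mysysadm.te"
    echo "$demo"
}
```

Against a real tree, `missing_interfaces /usr/share/selinux/devel/include . mysysadm.te` prints the names checkmodule would choke on before you run make.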