4:11 a.m.
Hi,
I think i'm having a policy compilation problem here
I've moved the domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t) statement to
vmware.if. I was following the domain_auto_trans rules for other apps such as mozilla. The
syntax error problem went away.
But the problem is that the domain transition didn't take place. My vmplayer is still
running in unconfined state.
I'm doing compilation of the vmware.pp module using make -f
/usr/share/selinux/devel/Makefile. I've tried to purposely introduce errors into
vmware.if to see if the compilation is effective:
e.g. domain_auto_trans($2, $2, $1_t, vmware_exec_t, $1_vmware_t)
But the make process didn't detect any errors and the compilation still went on. I did
a diff between the vmware.pp at the /etc/selinux/targeted/modules/active/modules/vmware.pp
and the development directory (where I do all my compilation), but there are no
differences.
Does it mean if the vmware.if file is modified it will not affect the make?
How do you ensure that the changes at vmware.if effective? (well at least cause some
compilation errors?)
Thanks,
Louis
----- Original Message ----
From: Ken YANG <spng.yang(a)gmail.com>
To: Louis Lam <lshoujun(a)yahoo.com>
Cc: Daniel J Walsh <dwalsh(a)redhat.com>; fedora-selinux-list(a)redhat.com
Sent: Saturday, July 28, 2007 5:28:25 PM
Subject: Re: Containing vmware player 2.0.0 with SELINUX
Louis Lam wrote:
My mistakes, apologies for the confusion, under part 2, I was trying
to do domain_auto_trans instead of doman_entry_file, so...
2. Created a domain transition so that the vmware user programs e.g.
/usr/lib/vmplayer script, /usr/lib/vmware/bin/vmplayer that are
labelleled system_u:object_r:vmware_exec_t will transit to
system_u:object_r:vmware_t when executed. I put it also in vmware.te:
domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
but
on making the vmware.pp module I get this warning and error:
'syntax error' at token '1' on line 81143:
#line 13
allow $1_t vmware_exec_t: file {getattr read execute};
this rule is generated by domain_auto_trans, so i think the
syntax error should be caused by other rules.
you may check other rules in your policy.
Thanks in advance,
Louis
----- Original Message ----
From: Louis Lam <lshoujun(a)yahoo.com>
To: Daniel J Walsh <dwalsh(a)redhat.com>
Cc: fedora-selinux-list(a)redhat.com
Sent: Friday, July 27, 2007 5:05:05 AM
Subject: Re: Containing vmware player 2.0.0 with SELINUX
Thanks Daniel for the information, hi everyone
I've tried to make the following changes:
1. Defined the vmware_t type in vmware.te:
type vmware_t;
I need to do this since I'm trying to let the vmware user program run under vmware_t
domain but this is not defined. In terms of overall code compliance is it correct to
define here? or should be at the vmware.if?
type definition should be in vmware.te
Send instant messages to your online friends http://uk.messenger.yahoo.com
5:53 a.m.
New subject: Containing vmware player 2.0.0 with SELINUX
Louis Lam wrote:
Hi,
I think i'm having a policy compilation problem here
I've moved the domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t) statement to
vmware.if. I was following the domain_auto_trans rules for other apps such as mozilla. The
syntax error problem went away.
But the problem is that the domain transition didn't take place. My vmplayer is still
running in unconfined state.
I'm doing compilation of the vmware.pp module using make -f
/usr/share/selinux/devel/Makefile. I've tried to purposely introduce errors into
vmware.if to see if the compilation is effective:
e.g. domain_auto_trans($2, $2, $1_t, vmware_exec_t, $1_vmware_t)
But the make process didn't detect any errors and the compilation still went on. I
did a diff between the vmware.pp at the
/etc/selinux/targeted/modules/active/modules/vmware.pp and the development directory
(where I do all my compilation), but there are no differences.
Does it mean if the vmware.if file is modified it will not affect the make?
as i infer (i'm not sure):
the interface will not be checked, unless someone invoke it, because if
there are not invokes, the parameter can not be determined.
when you build vmware module, you will not use your own interface in
own module, so build process will not detect error.
How do you ensure that the changes at vmware.if effective? (well at least cause some
compilation errors?)
Thanks,
Louis
----- Original Message ----
From: Ken YANG <spng.yang(a)gmail.com>
To: Louis Lam <lshoujun(a)yahoo.com>
Cc: Daniel J Walsh <dwalsh(a)redhat.com>; fedora-selinux-list(a)redhat.com
Sent: Saturday, July 28, 2007 5:28:25 PM
Subject: Re: Containing vmware player 2.0.0 with SELINUX
Louis Lam wrote:
> My mistakes, apologies for the confusion, under part 2, I was trying to do
domain_auto_trans instead of doman_entry_file, so...
>
> 2. Created a domain transition so that the vmware user programs e.g.
> /usr/lib/vmplayer script, /usr/lib/vmware/bin/vmplayer that are
> labelleled system_u:object_r:vmware_exec_t will transit to
> system_u:object_r:vmware_t when executed. I put it also in vmware.te:
>
> domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
>
> but
> on making the vmware.pp module I get this warning and error:
>
> 'syntax error' at token '1' on line 81143:
> #line 13
> allow $1_t vmware_exec_t: file {getattr read execute};
this rule is generated by domain_auto_trans, so i think the
syntax error should be caused by other rules.
you may check other rules in your policy.
> Thanks in advance,
> Louis
>
>
> ----- Original Message ----
> From: Louis Lam <lshoujun(a)yahoo.com>
> To: Daniel J Walsh <dwalsh(a)redhat.com>
> Cc: fedora-selinux-list(a)redhat.com
> Sent: Friday, July 27, 2007 5:05:05 AM
> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>
> Thanks Daniel for the information, hi everyone
>
> I've tried to make the following changes:
>
> 1. Defined the vmware_t type in vmware.te:
> type vmware_t;
>
> I need to do this since I'm trying to let the vmware user program run under
vmware_t domain but this is not defined. In terms of overall code compliance is it correct
to define here? or should be at the vmware.if?
type definition should be in vmware.te
Send instant messages to your online friends http://uk.messenger.yahoo.com
6115
days inactive
6115
days old
selinux@lists.fedoraproject.org
1 comments
2 participants
participants (2)
-
Louis Lam -
NZzi