I have an app that needs to have search access to all directories on the system. I am trying to use this TE in my policy:
allow myapp_t *:dir { search_dir_perms } ;
When compiling with make, I am getting this error message:
$ make
Compiling targeted myapp module
here it is /usr/share/selinux/devel/include
/usr/bin/checkmodule: loading policy configuration from tmp/myapp.tmp
myapp.te:678:ERROR '* not allowed in this type of rule' at token ';' on line 5114:
allow myapp_t *:dir { { getattr search open } };
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/share/selinux/devel/include/Makefile:154: recipe for target 'tmp/myapp.mod' failed
make: *** [tmp/myapp.mod] Error 1
I am running on Fedora 25.
Thank you,
Bassam
On Fri, 2017-02-03 at 10:22 -0800, Bassam Alsanie wrote:
> I have an app that needs to have search access to all directories on the system. I am trying to use this TE in my policy:
> allow myapp_t *:dir { search_dir_perms } ;
> When compiling with make, I am getting this error message:
> $ make
> Compiling targeted myapp module
> here it is /usr/share/selinux/devel/include
> /usr/bin/checkmodule: loading policy configuration from tmp/myapp.tmp
> myapp.te:678:ERROR '* not allowed in this type of rule' at token ';' on line 5114:
> allow myapp_t *:dir { { getattr search open } };
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> /usr/share/selinux/devel/include/Makefile:154: recipe for target 'tmp/myapp.mod' failed
> make: *** [tmp/myapp.mod] Error 1
> I am running on Fedora 25.
files_search_all(myapp_t)
Thanks Stephen. Is there an interface close to this logic?
allow myapp_t *:process signull;
On Fri, 2017-02-03 at 11:13 -0800, Bassam Alsanie wrote:
> Thanks Stephen. Is there an interface close to this logic?
> allow myapp_t *:process signull;
You can browse for interfaces by installing selinux-policy-doc (or in older releases, selinux-policy-devel) and running /usr/share/selinux/devel/policyhelp to open the interface docs in a browser. Upstream refpolicy also provides its generated docs online at http://oss.tresys.com/docs/refpolicy/api/
Looks like domain_signull_all_domains(myapp_t) should do it for you.
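The two substitutions from this thread in one module, as an added example that is not code from the thread or from refpolicy itself. The module name and version, `myapp_exec_t` and the `application_domain` declaration are assumptions; the hand-written rules at the end go beyond the thread to show the general pattern the interfaces rely on, a type attribute in place of `*`.

```sepolicy
policy_module(myapp, 1.0.0)

# Assumed declarations so the module builds on its own; a real myapp.te
# already declares its domain.
type myapp_t;
type myapp_exec_t;
application_domain(myapp_t, myapp_exec_t)

# Rejected by checkmodule (* not allowed in this type of rule): as a
# type, * is accepted only in neverallow rules, not in allow rules.
#   allow myapp_t *:dir search_dir_perms;
#   allow myapp_t *:process signull;

# Replacements suggested in the thread.
files_search_all(myapp_t)
domain_signull_all_domains(myapp_t)

# General pattern, for cases where no interface fits: name a type
# attribute instead of *. Upstream refpolicy builds the two interfaces
# above on file_type and domain, so these rules repeat the same grants
# and are here only to show the form; keep one style in a real module.
gen_require(`
	attribute file_type;
	attribute domain;
	class dir { getattr search open };
	class process signull;
')
allow myapp_t file_type:dir search_dir_perms;
allow myapp_t domain:process signull;
```

After `make -f /usr/share/selinux/devel/Makefile myapp.pp` and `semodule -i myapp.pp`, `sesearch -A -s myapp_t -c dir -p search` lists the resulting rules. The grant covers types carrying the `file_type` attribute, which is narrower than the `*` the original rule asked for.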
Great, thanks again. That will make me busy for a little bit :)
selinux@lists.fedoraproject.org