On Fri, 2017-02-03 at 10:22 -0800, Bassam Alsanie wrote: > I have an app that need to have search access to all directories on > the system. > I am trying to use this TE in my policy: > > > allow myapp_t *:dir { search_dir_perms } ; > > When compile with make, I am getting this error messages: > > > $ make > > Compiling targeted myapp module > > here it is /usr/share/selinux/devel/include > > /usr/bin/checkmodule: loading policy configuration from > > tmp/myapp.tmp > > myapp.te:678:ERROR '* not allowed in this type of rule' at token > > ';' on line 5114: > > allow myapp_t *:dir { { getattr search open } }; > > > > /usr/bin/checkmodule: error(s) encountered while parsing > > configuration > > /usr/share/selinux/devel/include/Makefile:154: recipe for target > > 'tmp/myapp.mod' failed > > make: *** [tmp/myapp.mod] Error 1 > > I running on Fedora 25. files_search_all(myapp_t)

On Fri, 2017-02-03 at 11:13 -0800, Bassam Alsanie wrote: > Thanks Steven. > Is there an interface close to this logic? > > allow myapp_t *:process signull; You can browse for interfaces by installing selinux-policy-doc (or in older releases, selinux-policy-devel) and running /usr/share/selinux/devel/policyhelp to open the interface docs in a browser. Upstream refpolicy also provides its generated docs online at http://oss.tresys.com/docs/refpolicy/api/ Looks like domain_signull_all_domains(myapp_t) should do it for you. > > > > > > On Fri, Feb 3, 2017 at 10:40 AM, Stephen Smalley <sds(a)tycho.nsa.gov&gt; > wrote: > > On Fri, 2017-02-03 at 10:22 -0800, Bassam Alsanie wrote: > > > I have an app that need to have search access to all directories > > on > > > the system. > > > I am trying to use this TE in my policy: > > > > > > > allow myapp_t *:dir { search_dir_perms } ; > > > > > > When compile with make, I am getting this error messages: > > > > > > > $ make > > > > Compiling targeted myapp module > > > > here it is /usr/share/selinux/devel/include > > > > /usr/bin/checkmodule: loading policy configuration from > > > > tmp/myapp.tmp > > > > myapp.te:678:ERROR '* not allowed in this type of rule' at > > token > > > > ';' on line 5114: > > > > allow myapp_t *:dir { { getattr search open } }; > > > > > > > > /usr/bin/checkmodule: error(s) encountered while parsing > > > > configuration > > > > /usr/share/selinux/devel/include/Makefile:154: recipe for > > target > > > > 'tmp/myapp.mod' failed > > > > make: *** [tmp/myapp.mod] Error 1 > > > > > > I running on Fedora 25. > > > > files_search_all(myapp_t) > > > > >