1:18 p.m.
I am writing a policy module on Fedora trying to limit running the who command only to
specific user. Checkmodule issues following error for my script :
Error 'syntax error' at token 'domain_auto_trans' on line
20
But I checked the syntax and there is no typo in it. Here is my whole script. What is the
error in it?
module who 1.0;
require {
attribute domain;
attribute file_type;
attribute exec_type;
type sysadm_t;
attribute sysadm_r;
class process transition;
role sysadm_r; }
type who_t;
typeattribute who_t domain;
type who_exec_t;
typeattribute who_exec_t file_type;
typeattribute who_exec_t exec_type;
role sysadm_r types who_t;
domain_auto_trans (sysadm_t, who_exec_t, who_t)
Another problem is that when I transfer this script to Centos, checkmodule of centos
issues other kind of errors. Why this happens? Kinds of errors differ by fedora or
centos?
3:06 a.m.
On 04/06/2016 08:18 PM, amir sheng wrote:
I am writing a policy module on Fedora trying to limit running the
who command only to specific user. Checkmodule issues following error for my script :
Error 'syntax error' at token 'domain_auto_trans' on line
20
But I checked the syntax and there is no typo in it. Here is my whole script. What is the
error in it?
module who 1.0;
require {
attribute domain;
attribute file_type;
attribute exec_type;
type sysadm_t;
attribute sysadm_r;
class process transition;
role sysadm_r; }
type who_t;
typeattribute who_t domain;
type who_exec_t;
typeattribute who_exec_t file_type;
typeattribute who_exec_t exec_type;
role sysadm_r types who_t;
domain_auto_trans (sysadm_t, who_exec_t, who_t)
Hello Amir,
the problem is you call the domain_auto_trans() macro which is supposed
to be used for module policies using reference policy.
If you apply the following fix
-module who 1.0;
+policy_module(who, 1.0)
it will work for you. You create a policy module using reference policy
with this change so you can call macros.
Another problem is that when I transfer this script to Centos, checkmodule of centos
issues other kind of errors. Why this happens? Kinds of errors differ by fedora or
centos?
Can you elaborate it more?
--
selinux mailing list
selinux(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
Thank you.
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
10:20 a.m.
Thank you Miroslav.
But I still cannot understand the differences between reference policy, target policy or a
policy module? furthermore, I installed SElinux on Fedora and the only policy that I can
see is available is in directory /etc/selinux/targeted/. By using Fedora 23 Terminal (i.e,
dnf install selinux-policy-*******) there are other different policies to install whose
names are:
(1) "selinux-policy-3.13.1.fc23.noarch"
(2)"selinux-policy-devel-3.13.1-152.fc23.noarch"
(3)"selinux-policy-doc-3.13.1-152.fc23.noarch"
(4)"selinux-policy-minimum-3.13.1-152.fc23.noarch"
(5)"selinux-policy-mls-3.13.1-158.11.fc23.noarch"
(6)"selinux--policy-sandbox-3.13.1-152.fc23.noarch"
(7)" selinux-policy-targeted-3.13.1-158.11.fc23.noarch"
What is the difference between this policies(specially between(1) and (7))? using Apol I
can load "policy.29" that is in directory /etc/selinux/targeted/. Where are the
other policy's file that I can load to Apol and analyse them.
10:40 a.m.
I did the
- module who 1.0;
+ policy_module(who,1.0);
But the error changed to " ERROR 'Building a policy module, but no module
specification found.' at token 'policy_module' on line 1 "
3:39 a.m.
On 04/15/2016 05:40 PM, amir sheng wrote:
I did the
- module who 1.0;
+ policy_module(who,1.0);
But the error changed to " ERROR 'Building a policy module, but no module
specification found.' at token 'policy_module' on line 1 "
--
selinux mailing list
selinux(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
Could you please show us how your changed policy looks?
Thank you.
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
1:47 p.m.
Now the module is like the following:
module who 1.0;
require {
attribute domain;
class file getattr;
class file execute;
class file entrypoint;
attribute file_type;
attribute exec_type;
type unconfined_t;
class process transition;
role unconfined_r; }
type who_t;
typeattribute who_t domain;
type who_exec_t;
typeattribute who_exec_t file_type;
typeattribute who_exec_t exec_type;
role unconfined_r types who_t;
type_transition unconfined_t who_exec_t:process who_t;
allow unconfined_t who_exec_t : file *;
allow unconfined_t who_t:process transition;
allow who_t who_exec_t: file entrypoint;
domain_auto_trans (sysadm_t, who_exec_t, who_t)
2:11 p.m.
Oh sorry, it is as the following and the error using "$ checkmodule -M -m -o who.mod
who.te" in Fedora 22 is :
ERROR ' Building a policy module, but no module specification found.' at token
' policy_module' on line 1:
checkmodule: error(s) encountered while parsing configuration
------------------------------------------------------------------------------------
policy_module (who, 1.0);
require {
attribute domain;
class file getattr;
class file execute;
class file entrypoint;
attribute file_type;
attribute exec_type;
type unconfined_t;
class process transition;
role unconfined_r; }
type who_t;
typeattribute who_t domain;
type who_exec_t;
typeattribute who_exec_t file_type;
typeattribute who_exec_t exec_type;
role unconfined_r types who_t;
type_transition unconfined_t who_exec_t:process who_t;
allow unconfined_t who_exec_t : file *;
allow unconfined_t who_t:process transition;
allow who_t who_exec_t: file entrypoint;
domain_auto_trans (sysadm_t, who_exec_t, who_t)
6:09 a.m.
On 04/25/2016 09:11 PM, amir sheng wrote:
Oh sorry, it is as the following and the error using "$
checkmodule -M -m -o who.mod who.te" in Fedora 22 is :
ERROR ' Building a policy module, but no module specification found.' at token
' policy_module' on line 1:
checkmodule: error(s) encountered while parsing configuration
------------------------------------------------------------------------------------
policy_module (who, 1.0);
require {
attribute domain;
class file getattr;
class file execute;
class file entrypoint;
attribute file_type;
attribute exec_type;
type unconfined_t;
class process transition;
role unconfined_r; }
type who_t;
typeattribute who_t domain;
type who_exec_t;
typeattribute who_exec_t file_type;
typeattribute who_exec_t exec_type;
role unconfined_r types who_t;
type_transition unconfined_t who_exec_t:process who_t;
allow unconfined_t who_exec_t : file *;
allow unconfined_t who_t:process transition;
allow who_t who_exec_t: file entrypoint;
domain_auto_trans (sysadm_t, who_exec_t, who_t)
--
selinux mailing list
selinux(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
Ah, ok it makes sense now. The problem is you mix reference and
non-reference policy.
If we use m4 macros
domain_auto_trans (sysadm_t, who_exec_t, who_t)
we say that you use reference policy. m4 macros need to be expanded by
m4. It is a reason why you fail with checkmodule. You can use
/usr/share/selinux/devel/include/Makefile
to build your policy. It will do a job for you.
# make -f /usr/share/selinux/devel/Makefile who.pp
# semodule -i who.pp
You can see Makefile to check what is happening.
Thank you.
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
2778
days inactive
2799
days old
selinux@lists.fedoraproject.org
8 comments
3 participants
participants (3)
-
amir sheng -
amir sheng -
Miroslav Grepl