xen, selinux, FC5
Robin Bowes
robin-lists at robinbowes.com
Fri Oct 13 18:51:53 UTC 2006
Stephen Smalley wrote:
> You need to do something different if you want to use refpolicy
> interfaces (which are presently m4 macros, but will eventually be first
> class constructs in the language that will be handled at link time);
> storage_raw_read_fixed_disk() is such an interface. The easiest thing
> to do is to use the devel Makefile. Instead of manually running
> checkmodule and semodule_package, you just do:
> mkdir xen
> cp xen.te xen/
> cd xen
> make -f /usr/share/selinux/devel/Makefile
>
> The Makefile will then handle pulling in the refpolicy interface
> headers, applying m4, running checkmodule on the result, and running
> semodule_package, leaving you with a xen.pp file that you can install.
>
OK, I followed those instructions using the following .te file:
module local 1.0;

require {
    class blk_file read;
    class chr_file { read write };
    class dir { add_name create search setattr write };
    class fd use;
    class file { append create read write };
    class unix_stream_socket { read write };
    type fixed_disk_device_t;
    type home_root_t;
    type ifconfig_t;
    type local_login_t;
    type netutils_t;
    type proc_xen_t;
    type tmp_t;
    type tty_device_t;
    type user_home_dir_t;
    type user_home_t;
    type var_log_t;
    type var_run_t;
    type xend_t;
    type xend_var_log_t;
    type xm_t;
    role system_r;
};

allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
# Raw allow on fixed_disk_device_t; this is the rule named in the assertion failure below.
allow xm_t fixed_disk_device_t:blk_file read;
When I tried to install the module, I got this error:
# semodule -i xen.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow xm_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
What am I doing wrong?
Thanks,
R.
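The thread shows two facts: the raw rule `allow xm_t fixed_disk_device_t:blk_file read;` trips a libsepol assertion at `semodule -i` time, and `storage_raw_read_fixed_disk()` is the refpolicy interface for that access. The small checker below is an added example, not code from the thread or from refpolicy; it parses `allow` rules out of a .te file, flags the ones that hit `fixed_disk_device_t`, and rewrites them as interface calls so the module can be rebuilt with the devel Makefile. It assumes (from refpolicy's storage module, not stated on this page) that the assertion is a `neverallow` which only types granted access through the `storage_raw_read_fixed_disk()` / `storage_raw_write_fixed_disk()` interfaces satisfy; the write entries are a generalisation beyond what the thread mentions. The sample policy text is a constructed excerpt of the posted .te.

```python
"""Lint a .te module for raw allow rules on fixed_disk_device_t.

Added example, not code from the thread. Assumption: the assertion reported
by semodule is a refpolicy neverallow that only types granted access through
the storage_raw_{read,write}_fixed_disk() interfaces may satisfy, so the fix
is to replace the raw rule with the interface call and rebuild with
/usr/share/selinux/devel/Makefile.
"""
import re
import sys

# allow <src> <tgt>:<class | { classes }> <perm | { perms }>;
ALLOW_RE = re.compile(
    r"^\s*allow\s+([^\s;{}:]+)\s+([^\s;{}:]+)\s*:\s*"
    r"(\{[^}]*\}|[^\s;{}:]+)\s+(\{[^}]*\}|[^\s;{}]+)\s*;\s*$"
)

# (target type, object class, permission) -> interface that grants it.
# The read entries are the interface named in the thread; the write entries
# are an assumption generalising from refpolicy's storage module.
RAW_DISK_IFACES = {
    ("fixed_disk_device_t", "blk_file", "read"): "storage_raw_read_fixed_disk",
    ("fixed_disk_device_t", "chr_file", "read"): "storage_raw_read_fixed_disk",
    ("fixed_disk_device_t", "blk_file", "write"): "storage_raw_write_fixed_disk",
    ("fixed_disk_device_t", "chr_file", "write"): "storage_raw_write_fixed_disk",
}

# Constructed sample: an excerpt of the .te posted in the thread.
SAMPLE_TE = """\
module local 1.0;
require {
class blk_file read;
class chr_file { read write };
type fixed_disk_device_t;
type tty_device_t;
type xend_t;
type xm_t;
role system_r;
};
allow xend_t tty_device_t:chr_file { read write };
allow xm_t fixed_disk_device_t:blk_file read;
"""


def _split_set(tok):
    """'{ read write }' -> ['read', 'write']; 'read' -> ['read']."""
    return tok.strip().strip("{}").split()


def _fmt_set(items):
    return items[0] if len(items) == 1 else "{ " + " ".join(items) + " }"


def parse_allow_rules(te_text):
    """Return (src, tgt, class, frozenset(perms)) for every allow rule, one per class."""
    rules = []
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        src, tgt, classes, perms = m.groups()
        for cls in _split_set(classes):
            rules.append((src, tgt, cls, frozenset(_split_set(perms))))
    return rules


def find_assertion_risks(te_text):
    """List (src, tgt, class, perm, interface) for rules that need an interface instead."""
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        for perm in sorted(perms):
            iface = RAW_DISK_IFACES.get((tgt, cls, perm))
            if iface:
                findings.append((src, tgt, cls, perm, iface))
    return findings


def rewrite_with_interfaces(te_text):
    """Copy of the .te with flagged permissions replaced by interface calls.

    Permissions the table does not cover stay as a (possibly narrower) allow rule.
    """
    out, emitted = [], set()
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            out.append(line)
            continue
        src, tgt, classes, perms = m.groups()
        for cls in _split_set(classes):
            remaining = []
            for perm in _split_set(perms):
                iface = RAW_DISK_IFACES.get((tgt, cls, perm))
                if iface is None:
                    remaining.append(perm)
                elif (iface, src) not in emitted:  # one call per (interface, domain)
                    emitted.add((iface, src))
                    out.append(f"{iface}({src})")
            if remaining:
                out.append(f"allow {src} {tgt}:{cls} {_fmt_set(remaining)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TE
    for src, tgt, cls, perm, iface in find_assertion_risks(text):
        print(f"allow {src} {tgt}:{cls} {perm}; -> use {iface}({src})")
    sys.stdout.write(rewrite_with_interfaces(text))
```

Run it against the posted xen.te, feed the rewritten file to `make -f /usr/share/selinux/devel/Makefile` as the quoted reply describes, and the Makefile's m4 pass expands the interface call into the rules and attribute membership refpolicy expects.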