xen, selinux, FC5

Robin Bowes robin-lists at robinbowes.com
Fri Oct 13 18:51:53 UTC 2006


Stephen Smalley wrote:
> You need to do something different if you want to use refpolicy
> interfaces (which are presently m4 macros, but will eventually be first
> class constructs in the language that will be handled at link time);
> storage_raw_read_fixed_disk() is such an interface.  The easiest thing
> to do is to use the devel Makefile.  Instead of manually running
> checkmodule and semodule_package, you just do:
> 	mkdir xen
> 	cp xen.te xen/
> 	cd xen
> 	make -f /usr/share/selinux/devel/Makefile
> 
> The Makefile will then handle pulling in the refpolicy interface
> headers, applying m4, running checkmodule on the result, and running
> semodule_package, leaving you with a xen.pp file that you can install.
> 

Ok, I followed those instructions using the following .te file:

module local 1.0;

require {
        class blk_file read;
        class chr_file { read write };
        class dir { add_name create search setattr write };
        class fd use;
        class file { append create read write };
        class unix_stream_socket { read write };
        type fixed_disk_device_t;
        type home_root_t;
        type ifconfig_t;
        type local_login_t;
        type netutils_t;
        type proc_xen_t;
        type tmp_t;
        type tty_device_t;
        type user_home_dir_t;
        type user_home_t;
        type var_log_t;
        type var_run_t;
        type xend_t;
        type xend_var_log_t;
        type xm_t;
        role system_r;
};

allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
allow xm_t fixed_disk_device_t:blk_file read;


When I tried to install the module, I got this error:

# semodule -i xen.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow
xm_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

What am I doing wrong?

Thanks,

R.
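An added example, not from either poster, of the same xen.te restructured the way the quoted reply suggests: the raw `allow xm_t fixed_disk_device_t:blk_file read;` rule is replaced by the storage_raw_read_fixed_disk() interface, and the file header becomes policy_module() so that the devel Makefile can pull in the refpolicy interface headers. The module name and version are assumptions; the remaining allow rules are copied from the posted file.

```selinux
# Added example: xen.te written for "make -f /usr/share/selinux/devel/Makefile".
# policy_module() replaces the bare "module local 1.0;" line; it also pulls in
# the object classes and system_r, so only foreign types need to be required.
policy_module(xen_local, 1.0)   # name/version are assumptions

require {
        type home_root_t;
        type ifconfig_t;
        type local_login_t;
        type netutils_t;
        type proc_xen_t;
        type tmp_t;
        type tty_device_t;
        type user_home_dir_t;
        type user_home_t;
        type var_log_t;
        type var_run_t;
        type xend_t;
        type xend_var_log_t;
        type xm_t;
};

# Raw read of the fixed-disk device node goes through the refpolicy
# interface. Besides granting blk_file read, the interface adds xm_t to the
# attribute that the base policy's neverallow on fixed_disk_device_t
# exempts, which is why a hand-written allow rule trips the assertion
# while the interface call does not.
storage_raw_read_fixed_disk(xm_t)

# Remaining rules, unchanged from the posted module.
allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };

# Build and install (run in the directory holding xen.te):
#   make -f /usr/share/selinux/devel/Makefile
#   semodule -i xen_local.pp
```

The .pp file name follows the policy_module() name, so with the name assumed above the Makefile produces xen_local.pp rather than xen.pp.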
