What is missing with this policy

Dominick Grift domg472 at gmail.com
Fri Nov 12 11:45:58 UTC 2010


On Thu, Nov 11, 2010 at 06:55:44PM -0800, David Highley wrote:
> When I install the following policy I see these warnings, what is
> missing?
> 
> libsemanage.semanage_fc_sort: WARNING: semanage_fc_sort: Incomplete context.
> libsemanage.semanage_fc_sort: WARNING: semanage_fc_sort: Incomplete context.
> 
> sshdfilter.fc:
> /etc/rc\.d/init\.d/sshdfilter --
> gen_context(system_u:object_r:sshdfilter_initrc_exec_t, s0)
> /etc/sshdfilterrc.* -- gen_context(system_u:object_r:sshdfilter_etc_t, s0)
> /usr/sbin/sshdfilter -- gen_context(system_u:object_r:sshdfilter_exec_t, s0)
> #/var/run/sshdfilter.fifo -- gen_context(system_u:object_r:sshdfilter_syslog_t, s0)

Try removing the commented line from the .fc file. Also, what text editor are you using? I've seen issues with some editors appending hidden symbols at the end of lines, which caused problems (emacs).

> 
> sshdfilter.if:
> ## <summary></summary>
> 
> sshdfilter.te:
> policy_module(sshdfilter, 1.0.7)
> 
> type sshdfilter_t;
> type sshdfilter_exec_t;
> init_daemon_domain(sshdfilter_t, sshdfilter_exec_t)
> 
> type sshdfilter_initrc_exec_t;
> init_script_file(sshdfilter_initrc_exec_t)
> 
> type sshdfilter_etc_t;
> files_config_file(sshdfilter_etc_t)
> 
> dev_read_urand(sshdfilter_t)
> corecmd_search_bin(sshdfilter_t)
> miscfiles_read_localization(sshdfilter_t)
> 
> require {
>         type var_run_t;
>         type usr_t;
>         type syslogd_t;
>         type etc_t;
>         type shell_exec_t;
>         type sshdfilter_t;
>         type bin_t;
>         type devlog_t;
>         type sshdfilter_etc_t;
>         type proc_t;
>         type net_conf_t;
>         class sock_file { write getattr };
>         class lnk_file read;
>         class unix_dgram_socket { write create connect ioctl sendto };
>         class file { execute read ioctl execute_no_trans getattr open create };
>         class fifo_file { write ioctl read open getattr };
>         class dir { write add_name remove_name };
> }
> 
> #============= sshdfilter_t ==============
> allow sshdfilter_t bin_t:file { read getattr open execute execute_no_trans };
> allow sshdfilter_t bin_t:lnk_file read;
> allow sshdfilter_t devlog_t:sock_file { write getattr };
> allow sshdfilter_t etc_t:file { read getattr open };
> allow sshdfilter_t proc_t:file { read getattr open };
> allow sshdfilter_t self:fifo_file { read write ioctl getattr };
> allow sshdfilter_t self:unix_dgram_socket { write create ioctl connect };
> allow sshdfilter_t shell_exec_t:file { read execute open getattr execute_no_trans };
> allow sshdfilter_t sshdfilter_etc_t:file { read ioctl open getattr };
> allow sshdfilter_t syslogd_t:unix_dgram_socket sendto;
> allow sshdfilter_t usr_t:file { read getattr open ioctl };
> allow sshdfilter_t var_run_t:dir { write add_name remove_name };
> allow sshdfilter_t var_run_t:file { write getattr unlink open create ioctl };
> allow sshdfilter_t var_run_t:fifo_file { read open ioctl getattr };
> allow sshdfilter_t net_conf_t:file { read getattr open };
> 
> optional_policy(`
>         iptables_domtrans(sshdfilter_t)
> ')
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
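An added check, written for this page and not taken from the thread or from libsemanage, that applies the rule behind the "Incomplete context" warning to the quoted sshdfilter.fc: every non-comment line needs a path regex, an optional file-type flag, and a context. The sample is constructed from the .fc exactly as it is wrapped in the mail, plus a trailing carriage return on one line to stand in for the hidden editor characters mentioned in the reply; the regex for accepted contexts is my own approximation, not libsemanage's parser.

```python
import re

# Constructed sample: the sshdfilter.fc from the thread, with the first entry
# wrapped onto two lines as it appears in the mail, and a carriage return
# appended to one line to model "hidden symbols" left behind by an editor.
SAMPLE_FC = (
    "/etc/rc\\.d/init\\.d/sshdfilter --\n"
    "gen_context(system_u:object_r:sshdfilter_initrc_exec_t, s0)\n"
    "/etc/sshdfilterrc.* -- gen_context(system_u:object_r:sshdfilter_etc_t, s0)\n"
    "/usr/sbin/sshdfilter -- gen_context(system_u:object_r:sshdfilter_exec_t, s0)\r\n"
    "#/var/run/sshdfilter.fifo -- gen_context(system_u:object_r:sshdfilter_syslog_t, s0)\n"
)

# Optional file-type flag that may sit between the path regex and the context.
FILE_TYPES = {"--", "-d", "-l", "-p", "-s", "-c", "-b"}
# Accepted contexts (whitespace removed first): gen_context(user:role:type[, level]),
# a raw user:role:type[:level] label, or <<none>>.  Assumed shape, not libsemanage's.
CONTEXT_RE = re.compile(
    r"^(?:gen_context\([^:,\s]+:[^:,\s]+:[^:,\s)]+(?:,[^,\s)]+)?\)"
    r"|[^:\s]+:[^:\s]+:[^:\s]+(?::\S+)?"
    r"|<<none>>)$"
)


def check_fc(text):
    """Return [(lineno, message)] for the file_contexts text given.

    A line with a path (and maybe a type flag) but no context is reported with
    the wording libsemanage uses; an unparsable context and stray control
    characters (anything below 0x20 except tab) get their own messages.
    """
    warnings = []
    for lineno, raw in enumerate(text.split("\n"), 1):
        if any(ord(c) < 32 and c != "\t" for c in raw):
            warnings.append((lineno, "hidden control character in line"))
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are skipped, as fc_sort does
        rest = line.split()[1:]  # drop the path regex
        if rest and rest[0] in FILE_TYPES:
            rest = rest[1:]
        context = "".join(rest)  # rejoin "gen_context(..., s0)" split on its space
        if not context:
            warnings.append((lineno, "Incomplete context"))
        elif not CONTEXT_RE.match(context):
            warnings.append((lineno, "malformed context: %s" % context))
    return warnings


if __name__ == "__main__":
    for lineno, msg in check_fc(SAMPLE_FC):
        print("sshdfilter.fc:%d: WARNING: %s" % (lineno, msg))
```

Run against the wrapped file it flags line 1 as incomplete, line 2 as a malformed orphan context and line 4 for the carriage return; once the first entry is rejoined on one line and the CR removed, it reports nothing.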