List Archive: gentoo-hardened
Dear list,
I am running a freshly installed SELinux system with
sec-policy/selinux-base-policy 20070329 in strict/permissive mode.
When I try to write a TE module for my avc denials the compiler doesn't
resolve the necessary types. For example, considering the following avc
entry for type consoletype:
vmdefault # dmesg | grep avc
audit(1190988750.096:3): avc: denied { read } for pid=26115
comm="consoletype" name="ld.so.cache" dev=sda1 ino=336323476
scontext=system_u:system_r:consoletype_t tcontext=root:object_r:etc_t
tclass=file
audit(1190988750.096:4): avc: denied { getattr } for pid=26115
comm="consoletype" name="ld.so.cache" dev=sda1 ino=336323476
scontext=system_u:system_r:consoletype_t tcontext=root:object_r:etc_t
tclass=file
My policy module looks like this:
policy_module(local,1.0.0)
type local_t;
files_read_etc_files(consoletype_t)
When I try to compile, the compiler gives me an unknown type error:
vmdefault include # make -f /usr/share/selinux/strict/include/Makefile
Compiling strict local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:11:ERROR 'unknown type consoletype_t' at token ';' on line
78133:
allow consoletype_t etc_t:dir { getattr search read lock
ioctl };
#line 11
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1
Seems to me that the compiler does not resolve the types against the
base policy.
Any ideas? Comments are highly appreciated.
Dominik
--
gentoo-hardened@g.o mailing list