Making new roles

Making new roles

[Julian Onions]

[-- Attachment #1: Type: text/plain, Size: 950 bytes --]

What do I need to add a new role such that I can change to it with newrole?

I can't seem to find any rules that allow it to work. This is for a monolithic policy we developed based from the reference policy on redhat 5.2

I have the following
I want to change from root:sysadm_r:sysadm_t:s0 to this one root:mynewrole_r:mynewrole_t:s0
I have the following rules (amongst lots of others!)

type mynewrole_t;
role sysadm_r, mynewrole_r;
allow sysadm_r mynewrole_r;
role mynewrole_r types mynewtype_t;
user root roles { sysadm_r secadm_r auditadm_r  mynewrole_r } level s0 range s0 - s0:c0.c255;

I also have an entry in default_type that picks the right combination.
I get the error reported that it is not a valid context.
This is true even with enforcing disabled.
# newrole -r mynewrole_r
root:mynewrole_r:mynewrole_t:s0 is not a valid context.

Wondering what I'm missing to define a new role? Any ideas?

Thanks
Julian.


[-- Attachment #2: Type: text/html, Size: 3363 bytes --]

Re: Making new roles

[Stephen Smalley]

On Tue, 2011-07-12 at 03:55 -0700, Julian Onions wrote:
> What do I need to add a new role such that I can change to it with
> newrole?

See
http://selinuxproject.org/page/RefpolicyBasicRoleCreation

> type mynewrole_t;
<snip>
> role mynewrole_r types mynewtype_t;

Which is it supposed to be?  mynewrole_t or mynewtype_t?

> This is true even with enforcing disabled.
> 
> # newrole –r mynewrole_r
> 
> root:mynewrole_r:mynewrole_t:s0 is not a valid context.

I'd guess that this is due to not specifying:
role mynewrole_r types mynewrole_t;
in your policy (you specified mynewtype_t instead above).

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.