From: Dominick Grift <dac.override@gmail.com>
To: selinux@tycho.nsa.gov, eparis@parisplace.org
Subject: Re: Reply: Got some problem when using the type_transition, look for some helps! thank you!
Date: Thu, 19 Mar 2015 12:49:15 +0100
Message-ID: <20150319114914.GA4249@localhost.localdomain>
In-Reply-To: <60ABE64B4BE4AC45964F1A967BA76CB201569E97@szxeml522-mbx.china.huawei.com>


On Thu, Mar 19, 2015 at 01:47:29AM +0000, kuangjiou wrote:
> Milos, thanks for your reply. It helps me a lot.
> Now I can compile the module successfully. But when I try to semodule the .pp to the policydb, I get this message: libsepol.policydb_write: Discarding filename type transition rules. I think it must be because the kernel version is not new enough to support the filename type transition rules. But I don't want to change my Linux kernel; I just plan to update the SELinux code and build a new Linux kernel. I don't know where to get SELinux code that is new enough to support the filename type transition rules. So, can anyone help me out with this?

Paris (CC'd) may be able to help identify what is needed to port that code to older kernels, if that is reasonably possible.

I am wondering as well though why that code was not ported to EL 6.*

> 
> -----Original Message-----
> From: Milos Malik [mailto:mmalik@redhat.com]
> Sent: March 18, 2015 17:05
> To: kuangjiou
> Cc: selinux@tycho.nsa.gov
> Subject: Re: Got some problem when using the type_transition, look for some helps! thank you!
> 
> Hi Sylar,
> 
> I forgot to mention that filename transition rules are not supported on RHEL-6.x. Based on the kernel version you provided I guess that you are not running RHEL-7.x, where the filename transition rules are supported.
> 
> # uname -srv
> Linux 2.6.32-504.12.2.el6.i686 #1 SMP Sun Feb 1 12:14:25 EST 2015
> # cat mypolicy.te
> policy_module(mypolicy,1.0)
> 
> require {
>   type unconfined_t;
>   type dentry_t;
>   type file_t;
>   class file { create };
> }
> 
> type_transition unconfined_t dentry_t:file file_t "myfile";
> 
> # make -f /usr/share/selinux/devel/Makefile
> Compiling targeted mypolicy module
> /usr/bin/checkmodule:  loading policy configuration from tmp/mypolicy.tmp
> mypolicy.te":10:WARNING 'unrecognized character' at token '"' on line 3220:
> type_transition unconfined_t dentry_t:file file_t "myfile";
> 
> mypolicy.te":10:ERROR 'syntax error' at token 'myfile' on line 3220:
> type_transition unconfined_t dentry_t:file file_t "myfile";
> 
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> make: *** [tmp/mypolicy.mod] Error 1
> #
> 
> Milos Malik
> SELinux QE person
> BaseOS QE Security team
> Brno, The Czech Republic
> 
> ----- Original Message -----
> > Hello, everyone!
> > 
> > I am trying to use the new feature of type_transition that supports
> > determining the type of a new file by the name of this new file. When I
> > use the type_transition in my own policy module like this:
> > 
> > type_transition unconfined_t dentry_t:file file_t myfile;
> > 
> > I got the error: 'syntax error' at token 'myfile' on line 1195:
> > 
> > It seems like it didn't support the fifth parameter 'myfile'. I am
> > using checkmodule (version 2.3) to compile my policy module, but I
> > am not sure the version of the Linux kernel (Linux nkgcinwslx00671
> > 2.6.32.12-0.7-default #1 SMP 2010-05-20 11:14:20 +0200 x86_64 x86_64
> > x86_64 GNU/Linux) is new enough to support this feature. (I think the
> > compiling should have nothing to do with the kernel?)
> > 
> > So, could anybody give me some suggestions to resolve this problem? I
> > am looking forward to your replies! Thank you very much!
> > 
> > Sylar
> > 
> > _______________________________________________
> > Selinux mailing list
> > Selinux@tycho.nsa.gov
> > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > To get help, send an email containing "help" to 
> > Selinux-request@tycho.nsa.gov.

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
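
An added example, not part of the thread or of any SELinux tool: a shell check that compares a policy version against 25 (POLICYDB_VERSION_FILENAME_TRANS, the version that introduced filename type transitions) and lists the rules in a .te file that libsepol would drop with "Discarding filename type transition rules". The script name is hypothetical, and the pattern only catches rules written out literally, not ones generated by macros.

```shell
#!/bin/sh
# Added example: does a given policy version keep named type_transition rules?
# 25 is POLICYDB_VERSION_FILENAME_TRANS, the policy version that introduced them.
FILENAME_TRANS_VERS=25

# Highest policy version the running kernel accepts, read from selinuxfs
# (mounted at /selinux on older systems, /sys/fs/selinux on newer ones).
kernel_policyvers() {
    for f in /sys/fs/selinux/policyvers /selinux/policyvers; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    return 1
}

# Print "line:rule" for each type_transition whose last argument is a quoted name.
named_transitions() {
    grep -nE '^[[:space:]]*type_transition[[:space:]].*"[^"]+"[[:space:]]*;' "$1"
}

# check_module VERSION FILE: 0 = nothing would be lost, 1 = rules would be
# discarded at that policy version (listed on stderr), 2 = bad arguments.
check_module() {
    vers=$1; te=$2
    case $vers in ''|*[!0-9]*) echo "bad policy version: '$vers'" >&2; return 2;; esac
    [ -r "$te" ] || { echo "cannot read $te" >&2; return 2; }
    rules=$(named_transitions "$te") || return 0   # no named rules in the file
    [ "$vers" -ge "$FILENAME_TRANS_VERS" ] && return 0
    echo "policy version $vers < $FILENAME_TRANS_VERS, would be discarded:" >&2
    echo "$rules" >&2
    return 1
}

# The module quoted in the thread, written out as sample input.
write_sample_te() {
    cat > "$1" <<'EOF'
policy_module(mypolicy,1.0)

require {
  type unconfined_t;
  type dentry_t;
  type file_t;
  class file { create };
}

type_transition unconfined_t dentry_t:file file_t "myfile";
EOF
}

# Usage: sh check_named_trans.sh mypolicy.te   (script name is hypothetical)
if [ "$#" -ge 1 ]; then
    check_module "$(kernel_policyvers)" "$1"
fi
```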
