Got some problem when using the type_transition, look for some helps! thank you!

Got some problem when using the type_transition, look for some helps! thank you!

[kuangjiou]

[-- Attachment #1: Type: text/plain, Size: 911 bytes --]

Hello,everyone!

I am try to use the new features of the type_transition that can support to determine the type of the new file by the name of this new file,And when I
use the type_transisiton in my own policy module like this:

type_transition unconfined_t dentry_t:file file_t myfile;

I got the error: 'syntax error' at token 'myfile' on line 1195:

It seems like didn't support the fifth parameter 'myfile', And I am using the checkmodule (version 2.3) to compile my policy module, but I am not sure
the the version of the linux kernel (Linux nkgcinwslx00671 2.6.32.12-0.7-default #1 SMP 2010-05-20 11:14:20 +0200 x86_64 x86_64 x86_64 GNU/Linux) is
new enough to support this features.(I think the compiling should have nothing to do with the kernel?)

so, could anybody give me some suggestions to resolve this problem? I am  looking  forward to your replies! Thank you very much!


Sylar

[-- Attachment #2: Type: text/html, Size: 4064 bytes --]

Re: Got some problem when using the type_transition, look for some helps! thank you!

[Milos Malik]

Hi Sylar,

the filename must be surrounded by quotes:

type_transition unconfined_t dentry_t:file file_t "myfile";

Milos Malik
SELinux QE person
BaseOS QE Security team
Brno, The Czech Republic

----- Original Message -----
> 
> 
> Hello,everyone!
> 
> 
> 
> I am try to use the new features of the type_transition that can support to
> determine the type of the new file by the name of this new file,And when I
> 
> 
> 
> use the type_transisiton in my own policy module like this:
> 
> 
> 
> type_transition unconfined_t dentry_t:file file_t myfile;
> 
> 
> 
> I got the error: 'syntax error' at token 'myfile' on line 1195:
> 
> 
> 
> It seems like didn't support the fifth parameter 'myfile', And I am using the
> checkmodule (version 2.3) to compile my policy module, but I am not sure
> 
> 
> 
> the the version of the linux kernel (Linux nkgcinwslx00671
> 2.6.32.12-0.7-default #1 SMP 2010-05-20 11:14:20 +0200 x86_64 x86_64 x86_64
> GNU/Linux) is
> 
> 
> 
> new enough to support this features.(I think the compiling should have
> nothing to do with the kernel?)
> 
> 
> 
> so, could anybody give me some suggestions to resolve this problem? I am
> looking forward to your replies! Thank you very much!
> 
> 
> 
> 
> 
> Sylar
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.

Re: Got some problem when using the type_transition, look for some helps! thank you!

[Milos Malik]

Hi Sylar,

I forgot to mention that filename transition rules are not supported on RHEL-6.x. Based on the kernel version you provided I guess that you are not running RHEL-7.x, where the filename transition rules are supported.

# uname -srv
Linux 2.6.32-504.12.2.el6.i686 #1 SMP Sun Feb 1 12:14:25 EST 2015
# cat mypolicy.te 
policy_module(mypolicy,1.0)

require {
  type unconfined_t;
  type dentry_t;
  type file_t;
  class file { create };
}

type_transition unconfined_t dentry_t:file file_t "myfile";

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted mypolicy module
/usr/bin/checkmodule:  loading policy configuration from tmp/mypolicy.tmp
mypolicy.te":10:WARNING 'unrecognized character' at token '"' on line 3220:
type_transition unconfined_t dentry_t:file file_t "myfile";

mypolicy.te":10:ERROR 'syntax error' at token 'myfile' on line 3220:
type_transition unconfined_t dentry_t:file file_t "myfile";

/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/mypolicy.mod] Error 1
#

Milos Malik
SELinux QE person
BaseOS QE Security team
Brno, The Czech Republic

----- Original Message -----
> 
> 
> Hello,everyone!
> 
> 
> 
> I am try to use the new features of the type_transition that can support to
> determine the type of the new file by the name of this new file,And when I
> 
> 
> 
> use the type_transisiton in my own policy module like this:
> 
> 
> 
> type_transition unconfined_t dentry_t:file file_t myfile;
> 
> 
> 
> I got the error: 'syntax error' at token 'myfile' on line 1195:
> 
> 
> 
> It seems like didn't support the fifth parameter 'myfile', And I am using the
> checkmodule (version 2.3) to compile my policy module, but I am not sure
> 
> 
> 
> the the version of the linux kernel (Linux nkgcinwslx00671
> 2.6.32.12-0.7-default #1 SMP 2010-05-20 11:14:20 +0200 x86_64 x86_64 x86_64
> GNU/Linux) is
> 
> 
> 
> new enough to support this features.(I think the compiling should have
> nothing to do with the kernel?)
> 
> 
> 
> so, could anybody give me some suggestions to resolve this problem? I am
> looking forward to your replies! Thank you very much!
> 
> 
> 
> 
> 
> Sylar
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.

答复: Got some problem when using the type_transition, look for some helps! thank you!

[kuangjiou]

Milos ,Thanks for your reply,  It helps me a lot.
now I can compile the module success. But when I try to semodule the .pp to the policydb, it got this message: libsepol.policydb_write: Discarding filename type transition rules. I think it must because the kernel version is not new enough to support the filename type transition rules. But I don't want to change my linux kernel , I just plan to update the SElinux codes and built a new linux kernel. And I don't know where to get the SELinux code that is new enough to support the filename type transition rules, So, is that anyone can help me out with this ?

-----邮件原件-----
发件人: Milos Malik [mailto:mmalik@redhat.com] 
发送时间: 2015年3月18日 17:05
收件人: kuangjiou
抄送: selinux@tycho.nsa.gov
主题: Re: Got some problem when using the type_transition, look for some helps! thank you!

Hi Sylar,

I forgot to mention that filename transition rules are not supported on RHEL-6.x. Based on the kernel version you provided I guess that you are not running RHEL-7.x, where the filename transition rules are supported.

# uname -srv
Linux 2.6.32-504.12.2.el6.i686 #1 SMP Sun Feb 1 12:14:25 EST 2015 # cat mypolicy.te
policy_module(mypolicy,1.0)

require {
  type unconfined_t;
  type dentry_t;
  type file_t;
  class file { create };
}

type_transition unconfined_t dentry_t:file file_t "myfile";

# make -f /usr/share/selinux/devel/Makefile Compiling targeted mypolicy module
/usr/bin/checkmodule:  loading policy configuration from tmp/mypolicy.tmp mypolicy.te":10:WARNING 'unrecognized character' at token '"' on line 3220:
type_transition unconfined_t dentry_t:file file_t "myfile";

mypolicy.te":10:ERROR 'syntax error' at token 'myfile' on line 3220:
type_transition unconfined_t dentry_t:file file_t "myfile";

/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/mypolicy.mod] Error 1
#

Milos Malik
SELinux QE person
BaseOS QE Security team
Brno, The Czech Republic

----- Original Message -----
> 
> 
> Hello,everyone!
> 
> 
> 
> I am try to use the new features of the type_transition that can 
> support to determine the type of the new file by the name of this new 
> file,And when I
> 
> 
> 
> use the type_transisiton in my own policy module like this:
> 
> 
> 
> type_transition unconfined_t dentry_t:file file_t myfile;
> 
> 
> 
> I got the error: 'syntax error' at token 'myfile' on line 1195:
> 
> 
> 
> It seems like didn't support the fifth parameter 'myfile', And I am 
> using the checkmodule (version 2.3) to compile my policy module, but I 
> am not sure
> 
> 
> 
> the the version of the linux kernel (Linux nkgcinwslx00671 
> 2.6.32.12-0.7-default #1 SMP 2010-05-20 11:14:20 +0200 x86_64 x86_64 
> x86_64
> GNU/Linux) is
> 
> 
> 
> new enough to support this features.(I think the compiling should have 
> nothing to do with the kernel?)
> 
> 
> 
> so, could anybody give me some suggestions to resolve this problem? I 
> am looking forward to your replies! Thank you very much!
> 
> 
> 
> 
> 
> Sylar
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to 
> Selinux-request@tycho.nsa.gov.

Re: 答复: Got some problem when using the type_transition, look for some helps! thank you!

[Dominick Grift]

[-- Attachment #1: Type: text/plain, Size: 4254 bytes --]

On Thu, Mar 19, 2015 at 01:47:29AM +0000, kuangjiou wrote:
> Milos ,Thanks for your reply,  It helps me a lot.
> now I can compile the module success. But when I try to semodule the .pp to the policydb, it got this message: libsepol.policydb_write: Discarding filename type transition rules. I think it must because the kernel version is not new enough to support the filename type transition rules. But I don't want to change my linux kernel , I just plan to update the SElinux codes and built a new linux kernel. And I don't know where to get the SELinux code that is new enough to support the filename type transition rules, So, is that anyone can help me out with this ?

Paris (CC'd), may be able to help identify what is needed to port that code to older kernels if that is reasonably possible.

I am wondering as well though why that code was not ported to EL 6.*

> 
> -----邮件原件-----
> 发件人: Milos Malik [mailto:mmalik@redhat.com] 
> 发送时间: 2015年3月18日 17:05
> 收件人: kuangjiou
> 抄送: selinux@tycho.nsa.gov
> 主题: Re: Got some problem when using the type_transition, look for some helps! thank you!
> 
> Hi Sylar,
> 
> I forgot to mention that filename transition rules are not supported on RHEL-6.x. Based on the kernel version you provided I guess that you are not running RHEL-7.x, where the filename transition rules are supported.
> 
> # uname -srv
> Linux 2.6.32-504.12.2.el6.i686 #1 SMP Sun Feb 1 12:14:25 EST 2015 # cat mypolicy.te
> policy_module(mypolicy,1.0)
> 
> require {
>   type unconfined_t;
>   type dentry_t;
>   type file_t;
>   class file { create };
> }
> 
> type_transition unconfined_t dentry_t:file file_t "myfile";
> 
> # make -f /usr/share/selinux/devel/Makefile Compiling targeted mypolicy module
> /usr/bin/checkmodule:  loading policy configuration from tmp/mypolicy.tmp mypolicy.te":10:WARNING 'unrecognized character' at token '"' on line 3220:
> type_transition unconfined_t dentry_t:file file_t "myfile";
> 
> mypolicy.te":10:ERROR 'syntax error' at token 'myfile' on line 3220:
> type_transition unconfined_t dentry_t:file file_t "myfile";
> 
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> make: *** [tmp/mypolicy.mod] Error 1
> #
> 
> Milos Malik
> SELinux QE person
> BaseOS QE Security team
> Brno, The Czech Republic
> 
> ----- Original Message -----
> > 
> > 
> > Hello,everyone!
> > 
> > 
> > 
> > I am try to use the new features of the type_transition that can 
> > support to determine the type of the new file by the name of this new 
> > file,And when I
> > 
> > 
> > 
> > use the type_transisiton in my own policy module like this:
> > 
> > 
> > 
> > type_transition unconfined_t dentry_t:file file_t myfile;
> > 
> > 
> > 
> > I got the error: 'syntax error' at token 'myfile' on line 1195:
> > 
> > 
> > 
> > It seems like didn't support the fifth parameter 'myfile', And I am 
> > using the checkmodule (version 2.3) to compile my policy module, but I 
> > am not sure
> > 
> > 
> > 
> > the the version of the linux kernel (Linux nkgcinwslx00671 
> > 2.6.32.12-0.7-default #1 SMP 2010-05-20 11:14:20 +0200 x86_64 x86_64 
> > x86_64
> > GNU/Linux) is
> > 
> > 
> > 
> > new enough to support this features.(I think the compiling should have 
> > nothing to do with the kernel?)
> > 
> > 
> > 
> > so, could anybody give me some suggestions to resolve this problem? I 
> > am looking forward to your replies! Thank you very much!
> > 
> > 
> > 
> > 
> > 
> > Sylar
> > 
> > _______________________________________________
> > Selinux mailing list
> > Selinux@tycho.nsa.gov
> > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > To get help, send an email containing "help" to 
> > Selinux-request@tycho.nsa.gov.
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift

[-- Attachment #2: Type: application/pgp-signature, Size: 648 bytes --]