conditional. policy does not take effect.
From: JanuGerman @ 2007-04-06 9:34 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux List
Hi every one,
My cond. policies are not taking effect. Following are the contents of my loadable policy module.
policy_module(myapp,1.0)
require {
type unconfined_t;
type fs_t;
}
type x_t;
bool test true;
auditallow x_t fs_t:filesystem associate;
if (test) {
auditallow unconfined_t x_t:dir *;
auditallow unconfined_t x_t:file *;
} else {
auditallow unconfined_t x_t:dir { getattr read search };
auditallow unconfined_t x_t:file {getattr };
}
and
/root/medicalpolicy -- gen_context(root:object_r:x_t)
After compiling the module and adding it to the base policy using "semodule -i myapp.pp",
when I execute the command: "chcon -u root -r object_r -t x_t /root/medicalpolicy"
I get the following error message:
chcon: failed to change context of /root/medicalpolicy to root:object_r:x_t: Permission denied
When I unload the module, the same command says:
chcon: failed to change context of /root/medicalpolicy to root:object_r:x_t: Invalid argument
Previously the module was working; I just changed the allow to audit in order to see its effect in /var/log/audit/audit.log.
Whether the boolean variable test is set or not, it has no effect on the file, possibly due to a labelling problem, I think. Further, I can see the messages in the audit log, particularly when the chcon command gives the denied message.
Thanks,
JG
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Re: conditional. policy does not take effect.
From: Christopher J. PeBenito @ 2007-04-06 12:26 UTC (permalink / raw)
To: JanuGerman; +Cc: Stephen Smalley, SELinux List
On Fri, 2007-04-06 at 09:34 +0000, JanuGerman wrote:
> Hi every one,
>
> My cond. policies are not taking effect. Following are the contents of my loadable policy module.
>
> policy_module(myapp,1.0)
> require {
> type unconfined_t;
> type fs_t;
> }
> type x_t;
> bool test true;
> auditallow x_t fs_t:filesystem associate;
> if (test) {
> auditallow unconfined_t x_t:dir *;
> auditallow unconfined_t x_t:file *;
> } else {
> auditallow unconfined_t x_t:dir { getattr read search };
> auditallow unconfined_t x_t:file {getattr };
> }
auditallow does not allow anything. It makes audit messages when
something is allowed. You need an allow message too.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
Re: conditional. policy does not take effect.
From: Daniel J Walsh @ 2007-04-06 12:31 UTC (permalink / raw)
To: JanuGerman; +Cc: Stephen Smalley, SELinux List
JanuGerman wrote:
> Hi every one,
>
> My cond. policies are not taking effect. Following are the contents of my loadable policy module.
>
> policy_module(myapp,1.0)
> require {
> type unconfined_t;
> type fs_t;
> }
> type x_t;
> bool test true;
> auditallow x_t fs_t:filesystem associate;
> if (test) {
> auditallow unconfined_t x_t:dir *;
> auditallow unconfined_t x_t:file *;
> } else {
> auditallow unconfined_t x_t:dir { getattr read search };
> auditallow unconfined_t x_t:file {getattr };
> }
>
> and
>
> /root/medicalpolicy -- gen_context(root:object_r:x_t)
>
> After compiling the module and adding it to the base policy using "semodule -i myapp.pp",
> when I execute the command: "chcon -u root -r object_r -t x_t /root/medicalpolicy"
>
> I get the following error message:
> chcon: failed to change context of /root/medicalpolicy to root:object_r:x_t: Permission denied
>
> When I unload the module, the same command says:
> chcon: failed to change context of /root/medicalpolicy to root:object_r:x_t: Invalid argument
>
> Previously the module was working; I just changed the allow to audit in order to see its effect in /var/log/audit/audit.log.
>
> Whether the boolean variable test is set or not, it has no effect on the file, possibly due to a labelling problem, I think. Further, I can see the messages in the audit log, particularly when the chcon command gives the denied message.
>
>
> Thanks,
> JG
>
Try to add
files_type(x_t)
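Putting the two replies together (PeBenito: auditallow grants nothing and must sit beside an allow rule; Walsh: declare the type with files_type so it is a legitimate file label), this is what the posted myapp module looks like once corrected. This is an added example for this archive page, not code from the original thread or from any policy project; the module name, types, boolean and rules are taken from the post, and the refpolicy macros policy_module() and files_type() are assumed to be available from the policy development package on the system. The comments about why each line matters are the editor's, not the posters'.

```selinux
policy_module(myapp, 1.0)

########################################
#
# Declarations
#

require {
	type unconfined_t;
	type fs_t;
}

# Default value of the boolean is "true"; flip it at runtime with
# setsebool, no rebuild needed.
bool test true;

type x_t;

# files_type() gives x_t the file_type attribute and the filesystem
# associate permission the base policy expects of any on-disk label.
# Without it, rules in the base policy that are written against the
# file_type attribute (including the ones that let unconfined_t
# relabel files) never match x_t, which is why chcon reported
# "Permission denied" while the module was loaded and "Invalid
# argument" (unknown type) once it was removed.
files_type(x_t)

# Logs every successful associate; harmless because files_type()
# already grants the permission.
auditallow x_t fs_t:filesystem associate;

########################################
#
# Policy
#

# auditallow is a logging directive: it produces an audit record when
# a permission that some allow rule grants is actually exercised. An
# auditallow with no matching allow is a no-op, so each branch pairs
# the two. The allow and the auditallow must cover the same
# permissions or only the intersection gets logged.
if (test) {
	allow unconfined_t x_t:dir *;
	allow unconfined_t x_t:file *;
	auditallow unconfined_t x_t:dir *;
	auditallow unconfined_t x_t:file *;
} else {
	allow unconfined_t x_t:dir { getattr read search };
	allow unconfined_t x_t:file getattr;
	auditallow unconfined_t x_t:dir { getattr read search };
	auditallow unconfined_t x_t:file getattr;
}
```

Build and load it the same way as in the post (semodule -i myapp.pp), repeat the chcon, and then toggle the boolean with setsebool test off / setsebool test on while watching /var/log/audit/audit.log: with the boolean on, any access by unconfined_t to the relabelled file is both permitted and logged; with it off, only getattr/read/search on directories and getattr on files is permitted (and logged), and everything else is denied and shows up as an AVC denial instead. A quick sanity check that the label is now accepted is to compare the type shown by ls -Z before and after the chcon.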