* defining a new class in a policy module
From: Mohamed Hassan @ 2008-06-16 2:39 UTC
To: selinux
Hi,
I created a new policy inside the refpolicy. I am trying to define a new
class inside this module. When I compile, it fails with parsing error:
/usr/bin/checkmodule -M -m tmp/gsmd.tmp -o tmp/gsmd.mod
/usr/bin/checkmodule: loading policy configuration from tmp/gsmd.tmp
policy/modules/services/gsmd.te:3:ERROR 'syntax error' at token 'Class'
on line 1185:
Class gsmd { send_sms_msg receive_sms_msg };
/usr/bin/checkmodule: error(s) encountered while parsing configuration
Here is my class definition:
Class gsmd { send_sms_msg receive_sms_msg };
I would like to know how to define a new class in a policy module.
Thanks,
-M Hassan
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: defining a new class in a policy module
From: Joshua Brindle @ 2008-06-16 3:50 UTC
To: Mohamed Hassan; +Cc: selinux
Mohamed Hassan wrote:
> Hi,
> I created a new policy inside the refpolicy. I am trying to define a new
> class inside this module. When I compile, it fails with parsing error:
>
> /usr/bin/checkmodule -M -m tmp/gsmd.tmp -o tmp/gsmd.mod
> /usr/bin/checkmodule: loading policy configuration from tmp/gsmd.tmp
> policy/modules/services/gsmd.te:3:ERROR 'syntax error' at token 'Class'
> on line 1185:
>
> Class gsmd { send_sms_msg receive_sms_msg };
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
>
>
> Here is my class definition:
> Class gsmd { send_sms_msg receive_sms_msg };
>
> I would like to know how to define a new class in policy module?
>
It isn't supported, mainly because class and permission ordering is still very static in the policy. To be sure that policy/library/kernel updates won't disturb the number assigned to your object class it is best to submit a reference policy patch to the flask/ directory and let those header changes propagate to the library and kernel.
* Re: defining a new class in a policy module
From: Mohamed Hassan @ 2008-06-16 5:24 UTC
To: Joshua Brindle; +Cc: selinux
Thank you for the response. When I modify the flask/ directory and run
make (flask.py), it generates two directories, kernel and selinux. The
kernel one goes under <kernel-src>/security/selinux/include/ and the
selinux headers go under libselinux/include/selinux.
There is another flask.h file under
libsepol/include/sepol/policydb/flask.h. Do I need to update that file
for checkpolicy and semodule to work properly?
* Re: defining a new class in a policy module
From: Joshua Brindle @ 2008-06-16 13:57 UTC
To: Mohamed Hassan; +Cc: selinux
Mohamed Hassan wrote:
> Thank you for the response. When I modify the flask/ directory and run
> make (flask.py) it will generate 2 directories kernel and selinux. The
> kernel one will go under <kernel-src>/security/selinux/include/ and the
> selinux headers will go under libselinux/include/selinux.
>
> There is another flask.h file under
> libsepol/include/sepol/policydb/flask.h do I need to update that file
> for checkpolicy and semodule to work properly?
>
>
After adding them to access_vectors and security_classes, you want to rebuild your base.pp from that repo so that you'll have those classes included in the policy you are linking your module against.
The module will then need to require the classes and permissions:
    require {
        class gsmd { send_sms_msg receive_sms_msg };
    }
in order to use those in the module.
You won't necessarily need to do anything with the headers, but like I said, if you want the numbers reserved you need to send a patch to refpolicy for the flask dir (minus the headers).
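As an added illustration of the fix described in the final reply (example code, not from the thread or from refpolicy): a small checker that reads constructed fragments of flask/security_classes and flask/access_vectors together with a module's .te text, flags the mistake from the question (defining a class inside the module) and confirms that every class and permission in the module's require{} block exists in the flask files. The fragment contents, the extra `file` class, and the policy_module/type/allow lines are assumptions of the example; only the gsmd class and its two permissions come from the thread.

```python
import re

# Constructed fragment of policy/flask/security_classes (assumption of this example)
SECURITY_CLASSES = "class file\nclass gsmd\n"

# Constructed fragment of policy/flask/access_vectors
ACCESS_VECTORS = """
class gsmd
{
	send_sms_msg
	receive_sms_msg
}
"""

# The broken module from the question: it tries to *define* the class
BROKEN_TE = "Class gsmd { send_sms_msg receive_sms_msg };\n"

# The module as the final reply describes it: the class is only *required*
GSMD_TE = """
policy_module(gsmd, 1.0.0)
require {
	class gsmd { send_sms_msg receive_sms_msg };
}
type gsmd_t;
allow gsmd_t self:gsmd { send_sms_msg receive_sms_msg };
"""

def parse_flask(security_classes, access_vectors):
    """Return (set of class names, {class: set of permissions})."""
    classes = set(re.findall(r"^\s*class\s+(\w+)", security_classes, re.M))
    # Permissions a class inherits from a 'common' block are not expanded here
    perms = {n: set(b.split()) for n, b in
             re.findall(r"^\s*class\s+(\w+)[^{]*\{([^}]*)\}", access_vectors, re.M)}
    return classes, perms

def check_module(te_text, classes, perms):
    """List what checkmodule or the link step would reject in this .te."""
    problems = []
    req = re.search(r"^\s*require\s*\{(.*?)^\}", te_text, re.S | re.M)
    rest = te_text[:req.start()] + te_text[req.end():] if req else te_text
    if re.search(r"^\s*[Cc]lass\s+\w+\s*\{", rest, re.M):
        problems.append("module defines a class; add it to flask/ and require it instead")
    for name, body in re.findall(r"class\s+(\w+)\s*\{([^}]*)\}", req.group(1) if req else ""):
        if name not in classes:
            problems.append(f"class {name} is not in security_classes")
        for perm in body.split():
            if perm not in perms.get(name, set()):
                problems.append(f"permission {perm} of class {name} is not in access_vectors")
    return problems
```

Run it against a real refpolicy checkout by reading the two flask files and the module's .te from disk; an empty list means the require{} block matches what base.pp will be built with.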