I am writing a policy module on Fedora trying to limit running the who command to a specific user only. checkmodule issues the following error for my script: Error 'syntax error' at token 'domain_auto_trans' on line 20
But I checked the syntax and there is no typo in it. Here is my whole script. What is the error in it?

module who 1.0;

require {
    attribute domain;
    attribute file_type;
    attribute exec_type;
    type sysadm_t;
    class process transition;
    role sysadm_r;
}

# Domain for the who process and type for its executable.
type who_t;
typeattribute who_t domain;

type who_exec_t;
typeattribute who_exec_t file_type;
typeattribute who_exec_t exec_type;

role sysadm_r types who_t;

# Reference-policy macro for the sysadm_t -> who_t transition.
domain_auto_trans(sysadm_t, who_exec_t, who_t)

Another problem is that when I transfer this script to CentOS, checkmodule on CentOS issues other kinds of errors. Why does this happen? Do the kinds of errors differ between Fedora and CentOS?
On 04/06/2016 08:18 PM, amir sheng wrote:
I am writing a policy module on Fedora trying to limit running the who command to a specific user only. checkmodule issues the following error for my script: Error 'syntax error' at token 'domain_auto_trans' on line 20
But I checked the syntax and there is no typo in it. Here is my whole script. What is the error in it?

module who 1.0;

require {
    attribute domain;
    attribute file_type;
    attribute exec_type;
    type sysadm_t;
    class process transition;
    role sysadm_r;
}

# Domain for the who process and type for its executable.
type who_t;
typeattribute who_t domain;

type who_exec_t;
typeattribute who_exec_t file_type;
typeattribute who_exec_t exec_type;

role sysadm_r types who_t;

# Reference-policy macro for the sysadm_t -> who_t transition.
domain_auto_trans(sysadm_t, who_exec_t, who_t)
Hello Amir, the problem is that you call the domain_auto_trans() macro, which is supposed to be used in policy modules written against the reference policy.
If you apply the following fix
-module who 1.0;
+policy_module(who, 1.0)
it will work for you. With this change you create a policy module using the reference policy, so you can call macros.

Another problem is that when I transfer this script to CentOS, checkmodule on CentOS issues other kinds of errors. Why does this happen? Do the kinds of errors differ between Fedora and CentOS?

Can you elaborate on it more?
-- selinux mailing list selinux@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
Thank you.
Thank you Miroslav.
But I still cannot understand the differences between the reference policy, the targeted policy and a policy module. Furthermore, I installed SELinux on Fedora and the only policy that I can see available is in the directory /etc/selinux/targeted/. Using the Fedora 23 terminal (i.e. dnf install selinux-policy-*******) there are other policies to install, whose names are:
(1) "selinux-policy-3.13.1.fc23.noarch"
(2) "selinux-policy-devel-3.13.1-152.fc23.noarch"
(3) "selinux-policy-doc-3.13.1-152.fc23.noarch"
(4) "selinux-policy-minimum-3.13.1-152.fc23.noarch"
(5) "selinux-policy-mls-3.13.1-158.11.fc23.noarch"
(6) "selinux-policy-sandbox-3.13.1-152.fc23.noarch"
(7) "selinux-policy-targeted-3.13.1-158.11.fc23.noarch"
What is the difference between these policies (especially between (1) and (7))? Using Apol I can load "policy.29", which is in the directory /etc/selinux/targeted/. Where are the other policies' files that I can load into Apol and analyse?
I did the
- module who 1.0;
+ policy_module(who,1.0);
But the error changed to "ERROR 'Building a policy module, but no module specification found.' at token 'policy_module' on line 1"
On 04/15/2016 05:40 PM, amir sheng wrote:
I did the
- module who 1.0;
+ policy_module(who,1.0);
But the error changed to "ERROR 'Building a policy module, but no module specification found.' at token 'policy_module' on line 1"
Could you please show us how your changed policy looks?
Thank you.
Now the module is like the following:

module who 1.0;

require {
    attribute domain;
    attribute file_type;
    attribute exec_type;
    type unconfined_t;
    class file { getattr execute entrypoint };
    class process transition;
    role unconfined_r;
}

# Domain for the who process and type for its executable.
type who_t;
typeattribute who_t domain;

type who_exec_t;
typeattribute who_exec_t file_type;
typeattribute who_exec_t exec_type;

role unconfined_r types who_t;

# Automatic transition unconfined_t -> who_t when who_exec_t is executed.
type_transition unconfined_t who_exec_t:process who_t;
allow unconfined_t who_exec_t:file *;
allow unconfined_t who_t:process transition;
allow who_t who_exec_t:file entrypoint;

# Reference-policy macro for the sysadm_t -> who_t transition.
domain_auto_trans(sysadm_t, who_exec_t, who_t)

Oh sorry, it is as follows, and the error using "$ checkmodule -M -m -o who.mod who.te" on Fedora 22 is:
ERROR ' Building a policy module, but no module specification found.' at token ' policy_module' on line 1: checkmodule: error(s) encountered while parsing configuration

policy_module(who, 1.0)

require {
    attribute domain;
    attribute file_type;
    attribute exec_type;
    type unconfined_t;
    class file { getattr execute entrypoint };
    class process transition;
    role unconfined_r;
}

# Domain for the who process and type for its executable.
type who_t;
typeattribute who_t domain;

type who_exec_t;
typeattribute who_exec_t file_type;
typeattribute who_exec_t exec_type;

role unconfined_r types who_t;

# Automatic transition unconfined_t -> who_t when who_exec_t is executed.
type_transition unconfined_t who_exec_t:process who_t;
allow unconfined_t who_exec_t:file *;
allow unconfined_t who_t:process transition;
allow who_t who_exec_t:file entrypoint;

# Reference-policy macro for the sysadm_t -> who_t transition.
domain_auto_trans(sysadm_t, who_exec_t, who_t)
On 04/25/2016 09:11 PM, amir sheng wrote:
Oh sorry, it is as follows, and the error using "$ checkmodule -M -m -o who.mod who.te" on Fedora 22 is:
ERROR ' Building a policy module, but no module specification found.' at token ' policy_module' on line 1: checkmodule: error(s) encountered while parsing configuration

policy_module(who, 1.0)

require {
    attribute domain;
    attribute file_type;
    attribute exec_type;
    type unconfined_t;
    class file { getattr execute entrypoint };
    class process transition;
    role unconfined_r;
}

# Domain for the who process and type for its executable.
type who_t;
typeattribute who_t domain;

type who_exec_t;
typeattribute who_exec_t file_type;
typeattribute who_exec_t exec_type;

role unconfined_r types who_t;

# Automatic transition unconfined_t -> who_t when who_exec_t is executed.
type_transition unconfined_t who_exec_t:process who_t;
allow unconfined_t who_exec_t:file *;
allow unconfined_t who_t:process transition;
allow who_t who_exec_t:file entrypoint;

# Reference-policy macro for the sysadm_t -> who_t transition.
domain_auto_trans(sysadm_t, who_exec_t, who_t)
Ah, OK, it makes sense now. The problem is that you mix reference and non-reference policy.
If we use m4 macros
domain_auto_trans(sysadm_t, who_exec_t, who_t)
we say that you use the reference policy. m4 macros need to be expanded by m4. That is the reason why you fail with checkmodule. You can use
/usr/share/selinux/devel/include/Makefile
to build your policy. It will do the job for you.
# make -f /usr/share/selinux/devel/Makefile who.pp
# semodule -i who.pp
You can look at the Makefile to check what is happening.
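The build path Miroslav describes, carried through as an added example that is not code from the thread: the who module rewritten purely in reference-policy style (no raw `module` line mixed with macros), a file-context entry for the binary, and the devel Makefile build. It assumes selinux-policy-devel provides /usr/share/selinux/devel/Makefile and that who lives at /usr/bin/who; it only covers the transition, not the permissions who_t needs once running.

```shell
#!/bin/sh
# Added example, not code from the thread: the who module rewritten as a
# reference-policy module and built with the devel Makefile Miroslav names.
# Assumed: selinux-policy-devel provides /usr/share/selinux/devel/Makefile
# and the who binary lives at /usr/bin/who.
set -e

# Write who.te and who.fc into the directory given as $1.
write_who_module() {
    dir="$1"
    cat > "$dir/who.te" <<'EOF'
policy_module(who, 1.0)
# Domain for the running who process and type for its executable.
type who_t;
type who_exec_t;
# Refpolicy interface: marks who_t as a domain and who_exec_t as its
# entrypoint, replacing the raw typeattribute lines from the thread.
application_domain(who_t, who_exec_t)

# Pull in the types this module refers to but does not own.
gen_require(`
    type sysadm_t;
    role sysadm_r;
')

# Only sysadm_t gets the automatic transition into who_t, so no other
# domain is granted an entry into it by this module.
role sysadm_r types who_t;
domtrans_pattern(sysadm_t, who_exec_t, who_t)
EOF
    cat > "$dir/who.fc" <<'EOF'
# Assumed path of the who binary; check with `which who` on the target.
/usr/bin/who    --    gen_context(system_u:object_r:who_exec_t,s0)
EOF
}

# Expand the m4 macros and compile with the refpolicy Makefile, then load
# the resulting who.pp. checkmodule alone would reject the macros.
build_who_module() {
    dir="$1"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel is not installed; skipping build" >&2
        return 1
    fi
    make -C "$dir" -f /usr/share/selinux/devel/Makefile who.pp
    semodule -i "$dir/who.pp"
    # Apply the new label to the binary once the module is loaded.
    restorecon -v /usr/bin/who
}
```

Run `write_who_module .` followed by `build_who_module .` as root in an empty directory; `sesearch -T -s sysadm_t -t who_exec_t` afterwards should show the single transition into who_t.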
Thank you.