02-29-2012, 12:39 AM
Alan Batie

Dipping into the policy waters

I'm trying a simple "first policy" with Eclipse and SLIDE, and getting
an error I don't understand. I'm hoping someone can point me in the
right direction:

Creating policy.xml
/usr/share/selinux/devel/include/support/segenxml.py: warning: unable to
find XML for interface peak_read_files()
/usr/share/selinux/devel/include/support/segenxml.py: warning: unable to
find XML for interface peak_read_config_files()
/usr/share/selinux/devel/include/support/segenxml.py: warning: orphan
XML comments at bottom of file ./peak_files.te
doc/policy.xml:65535: element module: validity error : Element module
content does not follow the DTD, expecting (summary , desc? , required?
, (interface | template)* , (bool | tunable)*), got (summary param
interface interface )
Document doc/policy.xml does not validate against
/usr/share/selinux/devel/include/support/policy.dtd
make: *** [doc/policy.xml] Error 3
Compiling targeted peak_files module

I'm guessing that means I haven't defined the interfaces somewhere I
ought to, but I have them in the Interfaces (.if) tab:

############################################################
## <summary>
## Access to reading peak files
## </summary>
## <param name="domain">
## <summary>
## Source domain to give access to
## </summary>
## </param>
#
interface(`peak_read_files',`
gen_require(`
type peak_t;
')

allow $1 peak_t:dir list_dir_perms;
read_files_pattern($1,peak_t,peak_t)
')

############################################################
## <summary>
## Access to reading peak config files
## </summary>
## <param name="domain">
## <summary>
## Source domain to give access to
## </summary>
## </param>
#
interface(`peak_read_config_files',`
gen_require(`
type peak_config_t;
')

allow $1 peak_config_t:dir list_dir_perms;
read_files_pattern($1,peak_config_t,peak_config_t)
')


The .te file is simple enough:

policy_module(peak_files,1.0.0)

############################################################
## <summary>
## Peak local configuration files and scripts
## </summary>

# domain for peak files
type peak_t;
# domain for peak configuration files
type peak_config_t;
# domain for peak scripts to run in
type peak_exec_t;

files_type(peak_t)
files_type(peak_config_t)

# peak things can read peak config files
read_files_pattern(peak_t,peak_config_t,peak_config_t)


For completeness, the .fc file:

/peak(/.*)? gen_context(system_u:object_r:peak_t,s0))

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
02-29-2012, 12:54 PM
Miroslav Grepl

Dipping into the policy waters

On 02/29/2012 01:39 AM, Alan Batie wrote:

What OS?



 
02-29-2012, 02:04 PM
Dominick Grift

Dipping into the policy waters

On Wed, 2012-02-29 at 13:54 +0000, Miroslav Grepl wrote:
> On 02/29/2012 01:39 AM, Alan Batie wrote:
> > I'm trying a simple "first policy" with Eclipse and SLIDE, and getting
> > an error I don't understand. I'm hoping someone can point me in the
> > right direction:
> >
> > Creating policy.xml
> > /usr/share/selinux/devel/include/support/segenxml.py: warning: unable to
> > find XML for interface peak_read_files()
> > /usr/share/selinux/devel/include/support/segenxml.py: warning: unable to
> > find XML for interface peak_read_config_files()
> > /usr/share/selinux/devel/include/support/segenxml.py: warning: orphan
> > XML comments at bottom of file ./peak_files.te
> > doc/policy.xml:65535: element module: validity error : Element module
> > content does not follow the DTD, expecting (summary , desc? , required?
> > , (interface | template)* , (bool | tunable)*), got (summary param
> > interface interface )
> > Document doc/policy.xml does not validate against
> > /usr/share/selinux/devel/include/support/policy.dtd

It is complaining about your use of the XML headers.

Don't use them in type enforcement files:

############################################################
## <summary>
## Peak local configuration files and scripts
## </summary>

Above is invalid, I suspect.

As for the errors in the interface files I am not sure, but you need to
put a "##<summary></summary>" at the top of your interface file.

Make sure to use XML properly because troubleshooting errors in XML can
be very hard.

Look closely at other modules and how they use the XML. Just copy them
and change them to your requirements to avoid issues.

Also it is important that you stick to the style rules.
type peak_t is not a file type and if it is then it is named wrong.

If you want some interactive help with writing policy you can also come
join #fedora-selinux channel on irc://irc.freenode.net IRC network and
ping user grift.

I would be happy to give some guidance.

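Dominick's diagnosis can be turned into a pre-flight check run before `make`. The script below is an added example written for this thread; it is not segenxml.py and not code from any poster. It treats the first `##` block in a .if file that does not sit directly above an `interface(` as the module header (with no such header, the build output above shows the first interface's `<summary>` and `<param>` landing under `<module>`), reports any `##` XML block in a .te file as an orphan, and flags interfaces with no doc block above them. The file contents are constructed to resemble the posted peak_files.if and peak_files.te.

```python
"""Pre-flight check for the XML doc comments that segenxml.py reads from a
reference-policy module (constructed example; not segenxml.py itself)."""
import re
import xml.etree.ElementTree as ET

DOC_RE = re.compile(r"^##(?!#)(.*)$")            # '## ...' doc lines; '####' banners are plain comments
DECL_RE = re.compile(r"^(interface|template)\(`(\w+)'", re.M)


def doc_blocks(text):
    """Return [(xml_text, name_or_None)]: every run of '##' lines paired with the
    interface/template it directly precedes (blank lines and '#' comments in
    between are allowed), or None when no declaration follows the block."""
    blocks, current, closed = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = DOC_RE.match(line)
        if m:
            if closed is not None:              # previous block documented nothing
                blocks.append((closed, None))
                closed = None
            current.append(m.group(1))
            continue
        if current:                             # any non-doc line ends the block
            closed, current = "\n".join(current), []
        if not line or line.startswith("#"):
            continue
        if closed is not None:
            d = DECL_RE.match(line)
            blocks.append((closed, d.group(2) if d else None))
            closed = None
    if current:
        closed = "\n".join(current)
    if closed is not None:
        blocks.append((closed, None))
    return blocks


def check_interface_file(text):
    """Problems that would make the doc XML generated from a .if file fail the DTD."""
    problems, documented, header = [], {}, None
    for i, (xml, name) in enumerate(doc_blocks(text)):
        try:
            tags = [child.tag for child in ET.fromstring("<doc>" + xml + "</doc>")]
        except ET.ParseError as err:
            problems.append(f"block {i + 1}: malformed XML ({err})")
            continue
        if name is not None:
            documented[name] = tags
        elif i == 0:                            # first block with no declaration under it = module header
            header = tags
        else:
            problems.append(f"block {i + 1}: doc comment with no interface below it")
    if header is None:
        problems.append("no module-level <summary> at the top of the file "
                        "(the first interface's <summary>/<param> would land under <module>)")
    elif not header or header[0] != "summary" or any(t not in ("summary", "desc") for t in header):
        problems.append(f"module header must be <summary> (optionally <desc>), got {header}")
    for m in DECL_RE.finditer(text):
        tags = documented.get(m.group(2))
        if tags is None:
            problems.append(f"{m.group(2)}(): no doc block directly above it")
        elif not tags or tags[0] != "summary":
            problems.append(f"{m.group(2)}(): doc block must start with <summary>, got {tags}")
    return problems


def check_te_file(text):
    """XML doc comments belong in the .if; in a .te they are reported as orphans."""
    return [f"block {i + 1}: XML doc comment in a .te file (orphan XML comment)"
            for i, _ in enumerate(doc_blocks(text))]


# Constructed inputs modelled on the thread's files.
BROKEN_IF = """\
############################################################
## <summary>
##     Access to reading peak files
## </summary>
## <param name="domain">
##     <summary>
##     Source domain to give access to
##     </summary>
## </param>
#
interface(`peak_read_files',`
    gen_require(`
        type peak_t;
    ')
    allow $1 peak_t:dir list_dir_perms;
    read_files_pattern($1, peak_t, peak_t)
')
"""
FIXED_IF = "## <summary>Peak local configuration files and scripts</summary>\n\n" + BROKEN_IF
BROKEN_TE = """\
policy_module(peak_files, 1.0.0)

## <summary>
##     Peak local configuration files and scripts
## </summary>

type peak_t;
files_type(peak_t)
"""

if __name__ == "__main__":
    for label, probs in (("peak_files.if as posted", check_interface_file(BROKEN_IF)),
                         ("peak_files.if with module summary", check_interface_file(FIXED_IF)),
                         ("peak_files.te as posted", check_te_file(BROKEN_TE))):
        print(label, "->", probs or "ok")
```

Running it on the constructed inputs reports exactly the two conditions from the build log: the .if has no module header, and the .te carries an orphan XML block; the .if with a one-line `## <summary>` added at the top passes.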
 
02-29-2012, 02:44 PM
Daniel J Walsh

Dipping into the policy waters


On 02/28/2012 08:39 PM, Alan Batie wrote:
> /peak(/.*)? gen_context(system_u:object_r:peak_t,s0))

This looks wrong also, extra ")" at end.

I prefer to use sepolgen, but then again I am prejudiced.
 
02-29-2012, 05:08 PM
Alan Batie

Dipping into the policy waters

On 2/29/12 7:44 AM, Daniel J Walsh wrote:
> On 02/28/2012 08:39 PM, Alan Batie wrote:
>> /peak(/.*)? gen_context(system_u:object_r:peak_t,s0))
>
> This looks wrong also, extra ")" at end.

Doh! Thanks... I need to get the vi hook into eclipse working ;-)

 
02-29-2012, 06:50 PM
Alan Batie

Dipping into the policy waters

I think my first reply got tossed when thunderbird changed my identity
on me...

On 2/29/12 7:04 AM, Dominick Grift wrote:

> It is complaining about your use of the XML headers.
>
> Dont use them in type enforcement files:

That worked, thanks! I'll see if I can find docs on the XML part, I was
just copying comments around from the templates eclipse created, which
now sounds silly as I knew it was doing things with the xml...

> Also it is important that you stick to the style rules.
> type peak_t is not a file type and if it is then it is named wrong.

I'm going from the tutorial at http://equivocation.org/selinux (by far
the easiest to understand selinux tutorial I've yet found!); there it
seems he's breaking things up into three management categories: general
application files (app_t), config files (app_config_t) and the
application executables (app_exec_t). This seems a reasonable division,
so I'm trying to follow it for now...

> If you want some interactive help with writing policy you can also come
> join #fedora-selinux channel on irc://irc.freenode.net IRC network and
> ping user grift.

Thanks! I'll try to avoid interrupting you with that, but it's good to
know it's available...

 
03-01-2012, 12:38 AM
Alan Batie

Dipping into the policy waters

OK, I got the base policy compiled and installed, and now trying to add
a policy that uses one of its interfaces:

-----
policy_module(bypass,1.0.0)

# bypass.validate process type
type bypass_t;
# bypass.validate executable file type
type bypass_exec_t;

# when bypass.validate is run from apache, transition to
# the bypass_t execution domain
apache_cgi_domain(bypass_t, bypass_exec_t)

# allow bypass.validate to run ifconfig,
can_exec(bypass_t, ifconfig_exec_t)

peak_read_config_files(bypass_t)
-----

The problem is I get a syntax error on the interface call
"peak_read_config_files" - it appears that it doesn't know it exists. I
did install it with "semodule -i peak_files.pp". I'm not sure what I
need to do to reference it...

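The failure in this last post, as an added check that is not part of the thread or of any SELinux tool: an interface such as peak_read_config_files is an m4 macro expanded at build time from whatever .if files the module build can see, so `semodule -i peak_files.pp` loads the module's types and rules into the kernel policy but does not make its interfaces available to a later `make`; an unexpanded call then surfaces as a syntax error. The script scans a .te for macro-style calls and reports those that no visible .if defines (the support-macro list and every file content below are constructed assumptions, and which .if files the build sees is passed in rather than assumed). For Daniel Walsh's point about the .fc line, it also checks each .fc entry against the `gen_context(user:role:type[,level])` form, which catches the extra `)`.

```python
"""Build-time sanity checks for a reference-policy module directory
(constructed example; not part of the refpolicy toolchain)."""
import re

DEF_RE = re.compile(r"^\s*(?:interface|template)\(`(\w+)'", re.M)   # definitions in .if files
CALL_RE = re.compile(r"^\s*(\w+)\(", re.M)                          # macro-style calls in a .te
FC_RE = re.compile(
    r"^(\S+)\s+(?:-[bcdlps]\s+)?"                                    # path regex, optional file-type flag
    r"(?:gen_context\(\w+:\w+:\w+(?:,\s*[\w.:-]+)?\)|<<none>>)\s*$")

# Names called with arguments that are support macros, not interfaces
# (assumed list; *_pattern macros are excluded by suffix below).
SUPPORT_MACROS = {"policy_module", "gen_require", "gen_tunable", "tunable_policy",
                  "optional_policy", "can_exec", "ifdef", "ifndef", "gen_bool"}


def defined_interfaces(if_sources):
    """Map each interface/template name to the .if file (dict key) that defines it."""
    return {name: path for path, text in if_sources.items() for name in DEF_RE.findall(text)}


def interface_calls(te_text):
    """Names called like macros in a .te, minus support macros and *_pattern macros."""
    return [n for n in CALL_RE.findall(te_text)
            if n not in SUPPORT_MACROS and not n.endswith("_pattern")]


def unresolved_calls(te_text, if_sources):
    """Interface calls that none of the visible .if files define; m4 leaves these
    unexpanded and the policy compiler then reports a syntax error on that line."""
    defined = defined_interfaces(if_sources)
    return sorted({n for n in interface_calls(te_text) if n not in defined})


def lint_fc(fc_text):
    """(line_number, line) for .fc entries not of the form
    '<path regex> [-flag] gen_context(user:role:type[,level])' or '<<none>>'."""
    bad = []
    for i, line in enumerate(fc_text.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith("#") and not FC_RE.match(s):
            bad.append((i, s))
    return bad


# Constructed inputs modelled on the thread: the bypass module and the .fc line.
BYPASS_TE = """\
policy_module(bypass, 1.0.0)

type bypass_t;
type bypass_exec_t;

apache_cgi_domain(bypass_t, bypass_exec_t)
can_exec(bypass_t, ifconfig_exec_t)
peak_read_config_files(bypass_t)
"""
# Stand-ins for the .if files the build can see; only the names matter here.
APACHE_IF = "interface(`apache_cgi_domain',`\n    # body omitted in this constructed stub\n')\n"
PEAK_IF = "## <summary>Peak files</summary>\ninterface(`peak_read_config_files',`\n    # body omitted\n')\n"
HEADERS_ONLY = {"apache.if": APACHE_IF}                      # devel headers, peak_files.if not visible
WITH_LOCAL_IF = {"apache.if": APACHE_IF, "peak_files.if": PEAK_IF}

PEAK_FC_BAD = "/peak(/.*)?  gen_context(system_u:object_r:peak_t,s0))\n"
PEAK_FC_OK = "/peak(/.*)?  gen_context(system_u:object_r:peak_t,s0)\n"

if __name__ == "__main__":
    print("without peak_files.if:", unresolved_calls(BYPASS_TE, HEADERS_ONLY))
    print("with peak_files.if:   ", unresolved_calls(BYPASS_TE, WITH_LOCAL_IF))
    print("bad .fc lines:        ", lint_fc(PEAK_FC_BAD))
```

With only the stock headers visible, peak_read_config_files is reported as unresolved; once peak_files.if is among the inputs the list is empty, which is the difference between a module being installed and its interface file being visible to the build.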