On 01/05/2015 02:41 PM, Daniel J Walsh wrote:
On 01/05/2015 10:11 AM, Robert Nichols wrote:
On 01/05/2015 03:29 AM, Miroslav Grepl wrote:
On 01/05/2015 01:55 AM, Robert Nichols wrote:
Would someone please help me translate this module into something that will build on a current system (CentOS 6, checkpolicy-2.0.22-1.el6):
policy_module(procmail_uncon, 1.0.18)

=============== cut ===================
gen_require(`
    type unconfined_t;
    type unconfined_exec_t;
    type procmail_t;
    role system_r;
')

type my_uncon_exec_t;
files_type(my_uncon_exec_t)

allow procmail_t unconfined_t : process { transition sigchld };
domain_auto_trans(procmail_t, my_uncon_exec_t, unconfined_t)
role system_r types unconfined_t;
You say you are not able to build the above policy module on CentOS 6?
I cannot. With that in a file called procmail_uncon.te in a directory with a Makefile copied from /usr/share/selinux/devel, running "make" yields:
========
Compiling targeted procmail_uncon module
/usr/bin/checkmodule:  loading policy configuration from tmp/procmail_uncon.tmp
procmail_uncon.te":13:ERROR 'unknown class file used in rule' at token ';' on line 1045:
#line 13
allow procmail_t my_uncon_exec_t:file { getattr open read execute };
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/procmail_uncon.mod] Error 1
========
The following packages are installed:

libselinux-2.0.94-5.8.el6.x86_64
libselinux-devel-2.0.94-5.8.el6.x86_64
libselinux-python-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-260.el6_6.1.noarch
libsepol-devel-2.0.41-4.el6.x86_64
selinux-policy-targeted-3.7.19-260.el6_6.1.noarch
I did dig up a procmail_uncon.pp file from an old Fedora 12 backup, and that file seems to install OK, so the problem is no longer critical for me, but I'd like to get this resolved.
You need to run the Makefile on the te file with the policy_module(procmail_uncon, 1.0.18) line.
I have no idea what you mean by that. You don't run a Makefile _on_ a source file. OK, I'll try it anyway:

========
# make procmail_uncon.te
make: Nothing to be done for `procmail_uncon.te'.
========

Yes, it already exists and has no dependencies.
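Added example, not part of the thread and not code from the list members or the selinux-policy project: a small POSIX shell helper that performs the build step the thread is circling around. It refuses to hand a .te file to the devel Makefile unless the file's first statement is policy_module(), because on a refpolicy-based system that macro is what expands to the "module" declaration and the require block that declares the kernel classes; a file compiled without it fails in checkmodule with "unknown class" errors. It assumes the CentOS 6 path /usr/share/selinux/devel/Makefile (overridable via DEVEL_MAKEFILE); the function names are mine.

```shell
#!/bin/sh
# Added example: header check plus build via the selinux-policy devel Makefile.
# Assumption: the Makefile lives where selinux-policy-devel puts it on CentOS 6.

DEVEL_MAKEFILE="${DEVEL_MAKEFILE:-/usr/share/selinux/devel/Makefile}"

# te_has_policy_module FILE
# Succeeds when the first non-blank, non-comment line of FILE is a
# policy_module(...) call, i.e. the module and class declarations will be
# pulled in when the Makefile runs m4 over the file.
te_has_policy_module() {
    first=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1)
    case "$first" in
        policy_module\(*\)*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# te_module_name FILE
# Prints the name argument of policy_module(name, version). The Makefile
# names the .pp after the .te file, so a mismatch with the file name is
# worth flagging before semodule sees two different names.
te_module_name() {
    sed -n 's/^[[:space:]]*policy_module([[:space:]]*\([^,) ]*\).*/\1/p' "$1" | head -n 1
}

# build_te_module FILE [install]
# Returns 2 when the header check fails, 3 when the devel Makefile is absent,
# otherwise the exit status of make (and of semodule when "install" is given).
build_te_module() {
    te="$1"
    if ! te_has_policy_module "$te"; then
        echo "$te: first statement must be policy_module(name, version)" >&2
        return 2
    fi
    if [ ! -f "$DEVEL_MAKEFILE" ]; then
        echo "$DEVEL_MAKEFILE not found; install selinux-policy-devel" >&2
        return 3
    fi
    base=$(basename "$te" .te)
    name=$(te_module_name "$te")
    if [ "$name" != "$base" ]; then
        echo "warning: policy_module name '$name' differs from file name '$base'" >&2
    fi
    dir=$(dirname "$te")
    # The Makefile works on .te files in the current directory and writes
    # tmp/BASE.mod and BASE.pp there, so run it from the file's directory.
    ( cd "$dir" && make -f "$DEVEL_MAKEFILE" "$base.pp" ) || return $?
    if [ "$2" = "install" ]; then
        semodule -i "$dir/$base.pp"
    fi
}

# Typical use, given procmail_uncon.te in the current directory:
#   build_te_module ./procmail_uncon.te install
```

The header check is deliberately strict about the first statement: a gen_require() block placed above policy_module() compiles on some trees and not others, and putting policy_module() first avoids the question entirely.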