Thread: [selinux] Policy

  1. #1
    Join Date
    Nov 2012
    Beans
    1

    [selinux] Policy

    Hi,

    I created my own basic policy:

    Code:
    module mypolicy 1.0.0;
    
    require {
        type user_t;
        role user_r;
        class file { getattr execute read open ioctl entrypoint };
        class process { transition sigkill sigstop signull signal getattr };
    }
    
    type mytype_t;
    type mytype_exec_t;
    
    allow mytype_t mytype_exec_t:file { entrypoint };
    
    allow user_t mytype_t:process { transition sigkill sigstop signull signal getattr };
    allow user_t mytype_t:file { getattr execute read open ioctl };
    
    type_transition user_t mytype_exec_t:process mytype_t;
    
    role user_r types mytype_t;

    When I install it with semodule -i I get an error:

    Code:
    libsepol.check_assertion_helper: neverallow violated by allow user_t mytype_t:process { transition sigkill sigstop signull signal getattr };
    libsemanage.semanage_expand_sandbox: Expand module failed
    semodule:  Failed!

    What am I doing wrong? Which rule is preventing me from installing the above policy?

  2. #2
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: [selinux] Policy

    Quote: Originally Posted by MarcAndreson
        What am I doing wrong?

    You're doing something you just should not do. BTW Ubuntu didn't choose SELinux as distro default but AppArmor, consequently the amount and quality of help offered elsewhere may be less limited.