Re: conditional. policy does not take effect.

JanuGerman wrote:
> Hi every one,
>
> My cond. policies are not taking effect. Following are the contents of my lodable policy module.
>
> policy_module(myapp,1.0)
> require {
> type unconfined_t;
> type fs_t;
> }
> type x_t;
> bool test true;
> auditallow x_t fs_t:filesystem associate;
> if (test) {
> auditallow unconfined_t x_t:dir *;
> auditallow unconfined_t x_t:file *;
> } else {
> auditallow unconfined_t x_t:dir { getattr read search };
> auditallow unconfined_t x_t:file {getattr };
> }
>
> and
>
> /root/medicalpolicy -- gen_context(root:object_r:x_t)
>
> After compiling the module and adding it to the base policy using "semodule -i myapp.pp",
> when i execute the command: "chcon -u root -r object_r -t x_t /root/medicalpolicy"
>
> I get the following error message:
> chcon: failed to change context of /root/medicalpolicy to root:object_r:x_t: Permission denied
>
> when i unload the module, the same command says:
> chcon: failed to change context of /root/medicalpolicy to root:object_r:x_t: Invalid argument
>
> Previously, the module was working, I just changed the allow to audit, in order to see its effect in the /var/log/audit/audit.log.
>
> The boolean variable test, is set or not, it has no effect on the file, possibly due to labelling problem, i think so. Further, i can see the messages in the audit, particularly, when chcon command gives denied message.
>
>
> Thanks,
> JG
>
>
>
>
>

Try to add

files_type(x_t)
>
>
>
> ___________________________________________________________
> Copy addresses and emails from any email account to Yahoo! Mail - quick, easy and free. http://uk.docs.yahoo.com/trueswitch2.html
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

• This message: [ Message body ]
• Next message: James Carter: "[patch 0/2] libselinux: add support for getting contexts for kernel initial SIDs from selinuxfs"
• Previous message: James Carter: "Re: [patch] selinux: export initial SID contexts via selinuxfs (v2)"
• In reply to: JanuGerman: "conditional. policy does not take effect."

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]