selinux April 2007 archive

Does the MLS range in modular file context have to be raw?

From: Joe Nall <joe_at_nospam>
Date: Sun Apr 29 2007 - 14:48:33 GMT
To: SE Linux <selinux@tycho.nsa.gov>


In a modular policy context file

/var/opt/jcdx/ICM(/.*)? gen_context(system_u:object_r:jcdx_icm_var_t,s15:c0.c1023)

works, but

/var/opt/jcdx/ICM(/.*)? gen_context(system_u:object_r:jcdx_icm_var_t,SystemHigh)

does not, with the following error during installation:

libsepol.mls_from_string: invalid MLS context SystemHigh
libsepol.mls_from_string: could not construct mls context structure
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:jcdx_icm_var_t:SystemHigh to sid
/etc/selinux/mls/contexts/files/file_contexts: line 818 has invalid context system_u:object_r:jcdx_icm_var_t:SystemHigh
libsemanage.semanage_install_active: setfiles returned error code 1.
/usr/sbin/semodule: Failed!

In both cases the creation of the .pp file works.

This concerns me because we have a number of daemons that run at labels other than SystemHigh. The raw context for these daemons must be hardcoded in the policy developer's environment, which presumes we know the mapping on the target machine, which we don't.

We can work around this in the RPM spec file, creating the .fc files on the fly using the setrans.conf of the target machine and compiling during the installation, but this is complex and feels like we are working around a bug.

How can I specify a file context with a human readable label in a modular policy?

joe

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
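The install-time workaround Joe describes (rewriting the module's .fc from the target machine's setrans.conf before compiling it, so the installed file_contexts only ever carries raw MLS ranges), as an added POSIX shell example that is not part of the original post or of the SELinux tooling. The setrans.conf and .fc template contents are constructed sample data, the function names and file names are assumptions, and only single-level setrans.conf entries (raw=Name) are handled; range entries (low-high=Low-High) are skipped.

```shell
#!/bin/sh
# Added example, not from the original post or the SELinux project.
# Translate human-readable MLS labels in a modular policy .fc template into
# raw ranges using the target machine's setrans.conf, so the .fc compiled at
# install time contains only raw ranges. Sample data below is constructed.

# Print the raw MLS level for a translated label (e.g. SystemHigh -> s15:c0.c1023).
# Only single-level entries (raw=Name) are considered; range entries and
# comments are skipped. Exits 1 when no entry matches.
setrans_raw_for_label() {
    label=$1; setrans=$2
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$setrans" |
        awk -F= -v want="$label" '
            NF == 2 && $1 !~ /-/ {
                gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2)
                if ($2 == want) { print $1; found = 1; exit }
            }
            END { exit found ? 0 : 1 }'
}

# Rewrite every gen_context(user:role:type,LEVEL[,cats]) line of a .fc
# template so LEVEL is raw. Lines without an MLS field, and levels that are
# already raw (s<digit>...), pass through unchanged. Fails on unknown labels,
# which is what you want at RPM install time rather than a broken file_contexts.
translate_fc() {
    template=$1; setrans=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *gen_context\(*\)*)
                head=${line%%gen_context\(*}       # path, file type, whitespace
                args=${line#*gen_context\(}
                after=${args#*\)}                  # anything after the closing paren
                args=${args%%\)*}                  # "user:role:type,level[,categories]"
                ctx=${args%%,*}
                rest=${args#"$ctx"}
                if [ -z "$rest" ]; then            # no MLS field at all: leave untouched
                    printf '%s\n' "$line"; continue
                fi
                rest=${rest#,}
                level=${rest%%,*}
                tail=${rest#"$level"}              # optional ",categories"
                case $level in
                    s[0-9]*) raw=$level ;;         # already raw
                    *) raw=$(setrans_raw_for_label "$level" "$setrans") || {
                           printf 'translate_fc: no setrans.conf entry for "%s"\n' "$level" >&2
                           return 1
                       } ;;
                esac
                printf '%sgen_context(%s,%s%s)%s\n' "$head" "$ctx" "$raw" "$tail" "$after"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$template"
}

# Write constructed sample inputs into DIR: a setrans.conf standing in for the
# target's /etc/selinux/mls/setrans.conf, and a .fc template holding the line
# from the post plus a comment and an already-raw line (constructed path).
make_samples() {
    dir=$1
    printf '%s\n' \
        '# constructed sample setrans.conf' \
        's0=SystemLow' \
        's15:c0.c1023=SystemHigh' \
        's0-s15:c0.c1023=SystemLow-SystemHigh' > "$dir/setrans.conf"
    printf '%s\n' \
        '# jcdx_icm file contexts (template)' \
        '/var/opt/jcdx/ICM(/.*)? gen_context(system_u:object_r:jcdx_icm_var_t,SystemHigh)' \
        '/var/opt/jcdx/ICM/already-raw gen_context(system_u:object_r:jcdx_icm_var_t,s15:c0.c1023)' > "$dir/template.fc"
}

# Stand-alone usage: generate the raw .fc into a temp dir and show it.
if [ "${0##*/}" = "translate_fc.sh" ]; then
    d=$(mktemp -d)
    make_samples "$d"
    translate_fc "$d/template.fc" "$d/setrans.conf" > "$d/jcdx_icm.fc" && cat "$d/jcdx_icm.fc"
    rm -rf "$d"
fi
```

In a spec file this would run in %post (or a %pre that stages the module) against the real /etc/selinux/mls/setrans.conf, with the generated .fc fed to the module Makefile before semodule -i; a missing label then fails the install loudly instead of leaving setfiles to reject file_contexts.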