
how can I add new role

Dear Dan,
I know SELinux has many default roles, but if I want to create a new role, for example like package_admin in Windows, is it possible?
How can I create a new role in SELinux? I read some old tutorial about this topic, but seedit doesn't work for me on Fedora 19. Is it possible to copy a default role and just change some privileges?

Re: how can I add new role

You need to write policy to add a new role.

In Fedora and RHEL7 you can execute

# sepolicy generate --confined_admin -n package_admin

Then I would add something like the following to my package_admin.te

rpm_run(package_admin_t, package_admin_r)

Re: how can I add new role

Thanks for your interest in it.
But if I run your command
[root@localhost roles]# sepolicy generate --confined_admin -n package_admin
Created the following files:
/usr/share/selinux/devel/include/roles/package_admin.te # Type Enforcement file
/usr/share/selinux/devel/include/roles/package_admin.if # Interface file
/usr/share/selinux/devel/include/roles/package_admin.fc # File Contexts file
/usr/share/selinux/devel/include/roles/package_admin_selinux.spec # Spec file
/usr/share/selinux/devel/include/roles/package_admin.sh # Setup Script

And after I compile it with make -f I get a bug:
[root@localhost roles]# make -f /usr/share/selinux/devel/Makefile
m4:/usr/share/selinux/devel/include/roles/package_admin.if:2: ERROR: end of file in comment
Compiling targeted package_admin module
/usr/bin/checkmodule: loading policy configuration from tmp/package_admin.tmp
package_admin.te":22:ERROR 'syntax error' at token 'domain_type' on line 3235:
#line 22
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/package_admin.mod] Error 1

Where can the problem be?
I want to try to implement my own role, but I haven't found a tutorial for RHEL 7 on creating a new role. I read your journal, but I found an implementation just for RHEL 5, and this is not working for me :(

Re: how can I add new role

What policy are you using?

rpm -q selinux-policy

The domain_type interface should be defined in /usr/share/selinux/devel/include/kernel/domain.if

It would probably be easier to carry on this conversation on email.
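
An added example, not part of the thread and not Dan's or the selinux-policy project's code, that scripts the two things discussed above: adding the rpm_run() line to the generated .te before building, and checking whether the domain_type interface is actually defined under the devel include tree (the cause Dan suspects for the checkmodule syntax error). The build_module function runs the exact commands from the thread plus semodule -i; the demo at the bottom works on constructed sample files in a temp directory, so it runs without SELinux tools installed. The shape of the sample .te and .if files is an assumption for illustration, not the real output of sepolicy generate.

```shell
#!/bin/sh
# Added example for the thread above; nothing here is the original poster's
# or Dan's code. Paths default to the devel tree named in the thread.

DEVEL_INCLUDE=${DEVEL_INCLUDE:-/usr/share/selinux/devel/include}

# Does any .if file under $2 (default: devel include tree) define the
# reference-policy interface $1?  Interfaces are declared as
#   interface(`name',`...')
# so a "syntax error at token 'name'" from checkmodule usually means this
# grep finds nothing (missing or too-old selinux-policy-devel).
interface_defined() {
    name=$1
    dir=${2:-$DEVEL_INCLUDE}
    [ -d "$dir" ] || return 1
    grep -rq -- "^interface(\`${name}'" "$dir"
}

# Append the rpm_run() call Dan suggests to a .te file, once (idempotent).
add_rpm_run() {
    te=$1
    role=$2
    line="rpm_run(${role}_t, ${role}_r)"
    if grep -Fqx -- "$line" "$te"; then
        return 0
    fi
    printf '\n# allow %s to run rpm in the rpm domain\n%s\n' "$role" "$line" >> "$te"
}

# The real workflow from the thread, run from the roles directory where the
# original poster's sepolicy call wrote its files. Not executed by the demo.
build_module() {
    role=$1
    rpm -q selinux-policy selinux-policy-devel || return 1
    interface_defined domain_type || { echo "domain_type interface not found under $DEVEL_INCLUDE" >&2; return 1; }
    cd "$DEVEL_INCLUDE/roles" || return 1
    sepolicy generate --confined_admin -n "$role" || return 1
    add_rpm_run "${role}.te" "$role"
    make -f /usr/share/selinux/devel/Makefile || return 1
    semodule -i "${role}.pp"
}

# Demo on constructed sample files (not real policy output).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/kernel"
cat > "$demo_dir/kernel/domain.if" <<'EOF'
## constructed sample standing in for kernel/domain.if
interface(`domain_type',`
	gen_require(`
		attribute domain;
	')
	typeattribute $1 domain;
')
EOF
cat > "$demo_dir/package_admin.te" <<'EOF'
policy_module(package_admin, 1.0.0)

role package_admin_r;
type package_admin_t;
domain_type(package_admin_t)
EOF

if interface_defined domain_type "$demo_dir"; then
    echo "domain_type: defined in sample include tree"
else
    echo "domain_type: NOT defined; install/upgrade selinux-policy-devel"
fi
add_rpm_run "$demo_dir/package_admin.te" package_admin
add_rpm_run "$demo_dir/package_admin.te" package_admin   # second call is a no-op
cat "$demo_dir/package_admin.te"
rm -rf "$demo_dir"
```

On a real system, run `interface_defined domain_type` first: if it fails, the .te cannot compile regardless of what is added to it, and the fix is the selinux-policy-devel package rather than the module.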

