Clarkson, Mike R (US SSA) wrote:
I just downloaded the policy source from redhat (serefpolicy-2.4.6) and attempted to build a strict-mls loadable module policy and got the following compile error:
Compiling mls base module
/usr/bin/checkmodule -M base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
policy/modules/kernel/domain.te:174:ERROR 'unknown type ipsec_spd_t' at token ';' on line 10298:
allow domain ipsec_spd_t:association polmatch;
#line 174
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1
Here is the offending portion of domain.te:
ifdef(`enable_mls',`
	tunable_policy(`allow_netlabel',`
		kernel_raw_recvfrom_unlabeled(domain)
		kernel_tcp_recvfrom_unlabeled(domain)
		kernel_udp_recvfrom_unlabeled(domain)
	')

	tunable_policy(`allow_ipsec_label',`
		ipsec_labeled(domain)
	')
')
Since domain is a base module and ipsec is a loadable module, doesn't the call to the ipsec_labeled interface need to be wrapped in an optional_policy statement? Since nested conditional statements aren't supported, I had to comment out the tunable_policy statement to get this to compile:

#tunable_policy(`allow_ipsec_label',`
	optional_policy(`
		ipsec_labeled(domain)
	')
#')
What's the right fix for this?
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You should move the optional_policy lines outside of the tunable_policy, then it should work.

Also, modules-mls.conf has ipsec as a base module, while targeted has it as a module.
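For reference, here is what the enable_mls block in domain.te looks like with the optional_policy moved outside the tunable_policy, as suggested above. This is an added illustration of the fix, not a snippet from the list or from the refpolicy source; the allow_netlabel part is kept exactly as Mike quoted it, and only the ipsec_labeled call is rearranged.

```m4
ifdef(`enable_mls',`
	tunable_policy(`allow_netlabel',`
		kernel_raw_recvfrom_unlabeled(domain)
		kernel_tcp_recvfrom_unlabeled(domain)
		kernel_udp_recvfrom_unlabeled(domain)
	')

	# optional_policy is the outer block: when the ipsec module is not
	# part of the base policy, ipsec_spd_t and the ipsec_labeled interface
	# are absent, and checkmodule must be told this whole region is optional.
	# The tunable stays inside it, so the rule is still controlled by the
	# allow_ipsec_label boolean when ipsec is present.
	optional_policy(`
		tunable_policy(`allow_ipsec_label',`
			ipsec_labeled(domain)
		')
	')
')
```

The nesting direction matters: optional_policy around tunable_policy is accepted by the policy build, whereas tunable_policy around optional_policy is the form that had to be commented out. The other way to avoid the error for a strict-mls build is to keep ipsec as a base module in policy/modules.conf (ipsec = base), which is what modules-mls.conf does; then the type always exists when domain.te is compiled.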