Comments (4)
Apparently you did not understand me.
The problem is not that chromium_t doesn't have 'self:user_namespace create;', but that I can't build a module with that permission.
F_MAKE is:
```sh
export REFMAKE=/usr/share/selinux/$(sestatus |grep Load|grep --color -Ei "[ ]{2,}.*" -o|grep -Eio "[a-z0-9].*")/include/Makefile
# REFMAKE is /usr/share/selinux/refpolicy-freedom1b2830-1677953396/include/Makefile
# Build the named module with the refpolicy development Makefile, then install it.
F_MAKE(){
    make -f "$REFMAKE" "$1.pp" && semodule -i "$1.pp"
}
```
EEE.te:
```
policy_module(EEE, 1.0)
require {
    type chromium_t;
    class user_namespace create;
}
#============= chromium_t ==============
allow chromium_t self:user_namespace create;
```
cmd: F_MAKE EEE
```
Compiling refpolicy-freedom1b2830-1677953396 EEE module
Creating refpolicy-freedom1b2830-1677953396 EEE.pp policy package
rm tmp/EEE.mod tmp/EEE.mod.fc
Failed to resolve allow statement at /var/lib/selinux/refpolicy-freedom1b2830-1677953396/tmp/modules/400/EEE/cil:3
Failed to resolve AST
semodule: Failed!
```
And so on for all domains that require user_namespace.
from refpolicy.
UPD: I found the solution in your latest commits.
0e1cc1e
Where can I read more about this permission?
from refpolicy.
There isn't too much documentation because it is a new check in Linux 6.1. In short, it controls if a domain can create a user namespace. See https://paul-moore.com/blog/d/2022/12/linux_v61.html
from refpolicy.
Thank you. I read it. We close the topic.
from refpolicy.
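A pre-build check for the failure seen in this thread, as an added example that is not part of the original comments or of refpolicy: it reads the `class` lines of a module's `require` block and reports every class or permission that the loaded policy does not expose under selinuxfs. It assumes the `Failed to resolve allow statement` error comes from the installed base policy not defining `user_namespace`; the function names and the `SELINUXFS` override are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from refpolicy.
# te_required_perms, check_te_against_policy and SELINUXFS are hypothetical names.

# Print one "class perm" pair per line for every `class ...;` statement in a
# .te file. Handles both `class c perm;` and `class c { p1 p2 };`.
te_required_perms() {
    sed -n 's/^[[:space:]]*class[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\)[[:space:]]\{1,\}\(.*\);.*$/\1 \2/p' "$1" |
    tr -d '{}' |
    while read -r class perms; do
        for p in $perms; do
            echo "$class $p"
        done
    done
}

# Print each required class:perm that the loaded policy does not define and
# return 1 if any is missing. selinuxfs lists the loaded policy's classes as
# class/<name>/perms/<perm>. Required types are not checked here.
check_te_against_policy() {
    te=$1
    root=${SELINUXFS:-/sys/fs/selinux}
    missing=$(te_required_perms "$te" | while read -r class perm; do
        [ -e "$root/class/$class/perms/$perm" ] || echo "$class:$perm"
    done)
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}
```

Running `check_te_against_policy EEE.te` before `F_MAKE EEE` on a system whose loaded policy predates the `user_namespace` class prints `user_namespace:create` and returns non-zero.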