SELinux - how do I call my custom interface?

I wrote a new policy that contains a new type definition (.te) and an interface method (.if):

.te file:

policy_module(dummy, 1.0.0)

type dummy_t;

files_type(dummy_t)

.if file:

## <summary>
##  Do Bla bla
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed to read files.
##  </summary>
## </param>

interface(`dummy_int',`
    gen_require(`
        type dummy_t;
    ')

    allow $1 dummy_t:file read;
')

Now I'm writing a new policy and want to call dummy_int macro:

.te file:

policy_module(callinterface, 1.0.0)

type callinterface_t;

dummy_int(callinterface_t)

But compiling this policy generates the following error:

[root@localhost callinterface]# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted callinterface module
callinterface.te:5:ERROR 'syntax error' at token 'dummy_int' on line 3329:

dummy_int(callinterface_t)
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/callinterface.mod] Error 1

The 'dummy' policy is compiled and installed properly.

What am I doing wrong? How do I make the compiler know this macro?

I tried to wrap the macro implementation with an ifndef statement as described here: fedoraproject.org/wiki/SELinux/IndependentPolicy under the Backwards compatibility section - no change.

Thanks

Barak Glazer Hadad On

Got it. The interface file should be stored in /usr/share/selinux/mcs/include/* or /usr/share/selinux/devel/include/* (depending on the Linux distribution).

creating-our-own-interface

When I copied the .if into this folder, the policy compiled successfully.
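
A pre-build check for the situation in this thread, added here as an example and not part of the original question or answer: it lists macro calls in a .te file that no interface file under the given include directories defines, so a missing .if shows up by name instead of as a checkmodule syntax error. The function names are hypothetical, and matching support macros by `define(` in .spt files is an assumption about the include tree layout.

```shell
#!/bin/sh
# Added example: find macro calls in a .te file that have no visible definition.

# defined_in NAME DIR... : print the files defining NAME; return 1 if none do.
defined_in() {
    name=$1; shift
    # interface(`NAME' or template(`NAME' in .if files, define(`NAME' in .spt files
    pat="^[[:space:]]*(interface|template|define)\(\`${name}'"
    hits=$(find "$@" -type f \( -name '*.if' -o -name '*.spt' \) \
        -exec grep -lE "$pat" {} + 2>/dev/null) || true
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# called_macros FILE : print each name used as "name(" at the start of a line,
# skipping a few m4 builtins that are never defined in the include tree.
called_macros() {
    sed -n 's/^[[:space:]]*\([a-z][a-z0-9_]*\)(.*/\1/p' "$1" |
        grep -vxE 'ifdef|ifelse|define' | sort -u
}

# undefined_calls FILE DIR... : print called names that nothing defines;
# return 1 if at least one is missing, 0 otherwise.
undefined_calls() {
    te=$1; shift
    missing=0
    for macro in $(called_macros "$te"); do
        if ! defined_in "$macro" "$@" >/dev/null; then
            printf '%s\n' "$macro"
            missing=1
        fi
    done
    return $missing
}

# Typical call before running make, using the include path from the answer:
#   undefined_calls callinterface.te /usr/share/selinux/devel/include
```
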