policy bug

policy bug

[Dale Amon]

Here's another for you Russ. Fresh from today:

ERROR 'name conflict for type run_init_conf_t' at token ';' on line 42023:

type run_init_conf_t, file_type, sysadmfile;
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration
make: *** [/etc/security/selinux/policy.15] Error 1

Let me know if you need any other specifics.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: policy bug

[Dale Amon]

On Sun, Nov 16, 2003 at 01:31:09PM +0000, Dale Amon wrote:
> Here's another for you Russ. Fresh from today:

And another one:

ERROR 'unknown type insmod_t' at token ';' on line 17114:
dontaudit insmod_t initctl_t:fifo_file { read write };

/usr/bin/checkpolicy:  error(s) encountered while parsing configuration

and

ERROR 'unknown type hotplug_t' at token ';' on line 17115:
dontaudit hotplug_t initctl_t:fifo_file { read write };
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration

and 

ERROR 'unknown type cupsd_t' at token ';' on line 17239:

allow cupsd_t var_log_t:dir { getattr };
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration

which are also in domains/misc/later.te.

I think you need to put a few conditionals in later.

With all these commented out, the policy builds.

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: policy bug

[Russell Coker]

On Mon, 17 Nov 2003 00:31, Dale Amon <amon@vnl.com> wrote:
> Here's another for you Russ. Fresh from today:
>
> ERROR 'name conflict for type run_init_conf_t' at token ';' on line 42023:
>
> type run_init_conf_t, file_type, sysadmfile;

Just remove the run_init_conf_t entries from later.te.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: policy bug

[Russell Coker]

On Mon, 17 Nov 2003 09:17, Dale Amon <amon@vnl.com> wrote:
> I think you need to put a few conditionals in later.

later.te is a file containing things I'll sort out later.  I put it in to 
allow Dan to get things working as a temporary measure.  If you run Fedora in 
a somewhat default config then later.te would work (apart from the 
double-define issue).  If you don't use Fedora then you don't want later.te.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: policy bug

[Dale Amon]

On Mon, Nov 17, 2003 at 11:30:28AM +1100, Russell Coker wrote:
> On Mon, 17 Nov 2003 09:17, Dale Amon <amon@vnl.com> wrote:
> > I think you need to put a few conditionals in later.
> 
> later.te is a file containing things I'll sort out later.  I put it in to 
> allow Dan to get things working as a temporary measure.  If you run Fedora in 
> a somewhat default config then later.te would work (apart from the 
> double-define issue).  If you don't use Fedora then you don't want later.te.

Yeah, I'd already done a work around, just wanted to
make sure you had the data in case my particular
selection had stumbled across a corner case you'd
not seen.

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.