* LTP SELinux policy error
@ 2009-01-29 10:32 James Morris
2009-01-29 13:42 ` Christopher J. PeBenito
0 siblings, 1 reply; 15+ messages in thread
From: James Morris @ 2009-01-29 10:32 UTC (permalink / raw)
To: ltp-list; +Cc: selinux
I'm trying to run the LTP SELinux tests using the latest CVS version of
LTP and current Fedora development, and get the following policy
compilation error:
----
Compiling targeted test_policy module
test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
[lots of warnings similar to the above]
/usr/bin/checkmodule: loading policy configuration from
tmp/test_policy.tmp
test_policy.te":16:ERROR 'syntax error' at token
'userdom_use_sysadm_terms' on line 3198:
userdom_use_sysadm_terms(testdomain)
# This allows read and write sysadm ttys and ptys.
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make[1]: *** [tmp/test_policy.mod] Error 1
make[1]: Leaving directory `/usr/share/selinux/devel'
make: *** [load] Error 2
Failed to build and load test_policy module, aborting test run.
----
Is this likely to be fixed soon, and/or any suggestions for a workaround?
- James
--
James Morris
<jmorris@namei.org>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
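The error above is what checkmodule produces when a .te file calls an interface the installed headers no longer define: the m4 expansion leaves the bare name behind and the parser reports it as a syntax error at that token, with no hint about which interface is missing or what replaced it. The script below is an added example for this thread, not LTP or refpolicy code: it cross-checks the statement-level interface calls in a module against the `interface()`/`template()`/`define()` names in the policy development headers and reports the calls that resolve to nothing and the ones that resolve to a deprecated wrapper (with the replacement the wrapper names). The header directory `/usr/share/selinux/devel/include`, the `refpolicywarn(... deprecated, please use X() instead.)` wording matched for deprecated wrappers, and the two sample texts are assumptions constructed for the example; nothing in the thread shows them.

```python
"""Pre-build check for an SELinux policy module: list interface calls in a
.te file that the refpolicy development headers do not define, or define
only as deprecated wrappers. checkmodule reports an undefined interface as
a bare "syntax error at token <name>", so finding it first saves a build.

Added example; not LTP or refpolicy code. SAMPLE_HEADERS and SAMPLE_MODULE
are constructed to mimic the shape of real *.if/*.spt and .te files.
"""
import glob
import os
import re
from typing import Dict, Set

# interface()/template() in *.if and define() in *.spt start at column 0.
_DEF_START = re.compile(r"^(interface|template|define)\(`([A-Za-z0-9_]+)'", re.M)

# Assumed wording of a deprecated wrapper's body; it usually names the successor.
_DEPRECATED = re.compile(
    r"refpolicywarn\(.*?deprecated(?:.*?please use ([A-Za-z0-9_]+)\(\))?", re.S)

# Build macros that look like calls but are not interfaces.
_KEYWORDS = {
    "policy_module", "gen_require", "require", "optional_policy",
    "tunable_policy", "gen_tunable", "gen_bool", "ifdef", "ifndef",
}
_CALL = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\(")


def parse_definitions(header_text: str) -> Dict[str, dict]:
    """Map each defined name to {'deprecated': bool, 'replacement': name or None}."""
    defs: Dict[str, dict] = {}
    starts = list(_DEF_START.finditer(header_text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(header_text)
        dep = _DEPRECATED.search(header_text[m.end():end])
        defs[m.group(2)] = {
            "deprecated": dep is not None,
            "replacement": dep.group(1) if dep and dep.group(1) else None,
        }
    return defs


def interface_calls(module_text: str) -> Set[str]:
    """Names called at statement level in a .te file, e.g. corecmd_exec_bin(...)."""
    names: Set[str] = set()
    for line in module_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _CALL.match(stripped)
        if m and m.group(1) not in _KEYWORDS:
            names.add(m.group(1))
    return names


def check_module(module_text: str, header_text: str) -> Dict[str, object]:
    """Classify every interface call as ok, deprecated (with hint) or missing."""
    defs = parse_definitions(header_text)
    calls = interface_calls(module_text)
    return {
        "missing": sorted(n for n in calls if n not in defs),
        "deprecated": {n: defs[n]["replacement"] for n in sorted(calls)
                       if n in defs and defs[n]["deprecated"]},
        "ok": sorted(n for n in calls if n in defs and not defs[n]["deprecated"]),
    }


def load_headers(include_dir: str = "/usr/share/selinux/devel/include") -> str:
    """Concatenate the installed *.if and *.spt files (assumed Fedora layout)."""
    paths = glob.glob(os.path.join(include_dir, "**", "*.if"), recursive=True)
    paths += glob.glob(os.path.join(include_dir, "**", "*.spt"), recursive=True)
    return "\n".join(open(p, encoding="utf-8", errors="replace").read()
                     for p in sorted(paths))


# Constructed header excerpt: a current interface, a deprecated wrapper for
# it, an ordinary interface, and one support macro from a .spt file.
SAMPLE_HEADERS = r"""
interface(`userdom_use_user_terminals',`
    gen_require(`
        type user_devpts_t, user_tty_device_t;
    ')
    allow $1 { user_devpts_t user_tty_device_t }:chr_file rw_term_perms;
')

interface(`userdom_use_sysadm_terms',`
    refpolicywarn(`$0($*) has been deprecated, please use userdom_use_user_terminals() instead.')
    userdom_use_user_terminals($1)
')

interface(`corecmd_exec_bin',`
    gen_require(`
        type bin_t;
    ')
    can_exec($1, bin_t)
')

define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };')
"""

# Constructed module excerpt in the shape of the test_global.te rules.
SAMPLE_MODULE = r"""
policy_module(test_policy, 1.0.0)
attribute testdomain;

# Allow the test domains to access the sysadm terminal.
userdom_use_sysadm_terms(testdomain)

# Allow execution of helper programs.
corecmd_exec_bin(testdomain)

# Defined in neither upstream refpolicy nor the Fedora policy.
unconfined_runs_test(testdomain)

allow testdomain etc_t:file read_file_perms;
"""

if __name__ == "__main__":
    import sys
    module = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MODULE
    headers = load_headers() if len(sys.argv) > 1 else SAMPLE_HEADERS
    report = check_module(module, headers)
    for name in report["missing"]:
        print(f"MISSING    {name}()  (checkmodule will stop at this token)")
    for name, repl in report["deprecated"].items():
        print(f"DEPRECATED {name}()" + (f"  -> use {repl}()" if repl else ""))
    print(f"{len(report['ok'])} interface call(s) resolve cleanly")
```

Run with no arguments to see the constructed sample classified (one missing, one deprecated with its successor, one clean); pass a path to a real .te file to check it against the installed headers before invoking the devel Makefile. The check deliberately only looks at names, not argument counts or roles, so a clean run means the build will get past the parser, not that the resulting policy is what the test expects.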
* Re: LTP SELinux policy error
2009-01-29 10:32 LTP SELinux policy error James Morris
@ 2009-01-29 13:42 ` Christopher J. PeBenito
2009-01-29 16:51 ` Christopher J. PeBenito
0 siblings, 1 reply; 15+ messages in thread
From: Christopher J. PeBenito @ 2009-01-29 13:42 UTC (permalink / raw)
To: James Morris; +Cc: ltp-list, selinux
On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> I'm trying to run the LTP SELinux tests using the latest CVS version of
> LTP and current Fedora development, and get the following policy
> compilation error:
>
> ----
> Compiling targeted test_policy module
>
> test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> [lots of warnings similar to the above]
>
> /usr/bin/checkmodule: loading policy configuration from
> tmp/test_policy.tmp
> test_policy.te":16:ERROR 'syntax error' at token
> 'userdom_use_sysadm_terms' on line 3198:
> userdom_use_sysadm_terms(testdomain)
> # This allows read and write sysadm ttys and ptys.
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make[1]: *** [tmp/test_policy.mod] Error 1
> make[1]: Leaving directory `/usr/share/selinux/devel'
> make: *** [load] Error 2
> Failed to build and load test_policy module, aborting test run.
> ----
>
> Is this likely to be fixed soon, and/or any suggestions for a workaround?
It won't compile with the current trunk refpolicy, since the current
release was a major, API-breaking change. I'll try to get a patch out
shortly.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: LTP SELinux policy error
2009-01-29 13:42 ` Christopher J. PeBenito
@ 2009-01-29 16:51 ` Christopher J. PeBenito
2009-01-29 18:09 ` Stephen Smalley
2009-02-02 13:39 ` [LTP] " Subrata Modak
0 siblings, 2 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2009-01-29 16:51 UTC (permalink / raw)
To: James Morris; +Cc: ltp-list, selinux
On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > LTP and current Fedora development, and get the following policy
> > compilation error:
> >
> > ----
> > Compiling targeted test_policy module
> >
> > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > [lots of warnings similar to the above]
> >
> > /usr/bin/checkmodule: loading policy configuration from
> > tmp/test_policy.tmp
> > test_policy.te":16:ERROR 'syntax error' at token
> > 'userdom_use_sysadm_terms' on line 3198:
> > userdom_use_sysadm_terms(testdomain)
> > # This allows read and write sysadm ttys and ptys.
> > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > make[1]: *** [tmp/test_policy.mod] Error 1
> > make[1]: Leaving directory `/usr/share/selinux/devel'
> > make: *** [load] Error 2
> > Failed to build and load test_policy module, aborting test run.
> > ----
> >
> > Is this likely to be fixed soon, and/or any suggestions for a workaround?
>
> It won't compile with the current trunk refpolicy, since the current
> release was a major, API breaking change. I'll try to get a patch out
> shortly.
I updated the policy since it's fairly old, though I didn't convert its
raw rules over to use interfaces. However, this didn't completely fix
it, as there is usage of an "unconfined_runs_test()", which isn't in the
upstream refpolicy nor the fedora policy, as far as I can see. One of
the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
the upstream refpolicy, but doesn't seem to have made its way downstream
to the fedora policy. I have attached my work so someone familiar with
the LTP test cases can use it to complete the fix.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
[-- Attachment #2: ltp-full-20081231-selinux.diff --]
[-- Type: text/x-patch, Size: 32163 bytes --]
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_file.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_file.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_file.te 2007-12-20 04:32:55.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_file.te 2009-01-29 11:45:26.000000000 -0500
@@ -35,7 +35,6 @@
# Allow execution of helper programs.
corecmd_exec_bin(capabledomain)
-corecmd_exec_sbin(capabledomain)
domain_exec_all_entry_files(capabledomain)
files_exec_etc_files(capabledomain)
libs_use_ld_so(capabledomain)
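Review bot: dropping corecmd_exec_sbin(capabledomain) with no replacement is only safe if corecmd_exec_bin() now covers the sbin programs these helpers run, and the comment "Allow execution of helper programs." does not say so; the same silent removal recurs in test_file.te, test_ioctl.te and test_setnice.te. Add a one-line comment at this first removal stating that sbin content is covered by the bin rule, so the next person updating the policy does not re-add the sbin interface.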
@@ -45,9 +44,9 @@
# Allow test_file_t and bin_t to be entered from sysadm role
miscfiles_domain_entry_test_files(capabledomain)
-userdom_sysadm_entry_spec_domtrans_to(capabledomain)
+sysadm_entry_spec_domtrans_to(capabledomain)
corecmd_bin_entry_type(capabledomain)
-userdom_sysadm_bin_spec_domtrans_to(capabledomain)
+sysadm_bin_spec_domtrans_to(capabledomain)
# Allow these domains to create a temporay file.
allow capabledomain test_file_t:file { setattr rw_file_perms };
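Review bot: the rename to sysadm_entry_spec_domtrans_to() / sysadm_bin_spec_domtrans_to() matches upstream refpolicy but, as the cover note says, the Fedora policy does not ship these interfaces, so on the reporter's Fedora system the build will stop at this token exactly as it did at userdom_use_sysadm_terms. Since the same pair is renamed in nearly every .te file in this patch, consider mapping the two names once in a local support macro (or gating them with an ifdef) instead of hard-coding the upstream spelling in every module, so a downstream difference needs a one-line change rather than another twenty-file patch.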
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_net.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_net.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_net.te 2007-12-20 04:32:55.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_net.te 2009-01-29 11:23:45.000000000 -0500
@@ -28,7 +28,7 @@
corenet_raw_sendrecv_all_nodes(capabledomain)
corenet_tcp_sendrecv_all_ports(capabledomain)
corenet_udp_sendrecv_all_ports(capabledomain)
-corenet_non_ipsec_sendrecv(capabledomain)
+corenet_all_recvfrom_unlabeled(capabledomain)
corenet_tcp_bind_all_nodes(capabledomain)
corenet_udp_bind_all_nodes(capabledomain)
sysnet_read_config(capabledomain)
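Review bot: corenet_non_ipsec_sendrecv() to corenet_all_recvfrom_unlabeled() is not a like-for-like rename; the old name covers sending and receiving, the new one covers receiving from unlabeled peers only. Confirm that the capable_net cases that send (the raw/tcp/udp sendrecv rules just above) still pass after this change, and if the test host uses labeled networking the unlabeled rule alone will not cover it and the matching netlabel receive interface is needed as well.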
@@ -43,9 +43,9 @@
}
allow capabledomain hi_reserved_port_t:tcp_socket name_bind;
-# Allow sbin_t to be entered from admin via certain utils.
-corecmd_sbin_entry_type(capabledomain)
-userdom_sysadm_sbin_spec_domtrans_to(capabledomain)
+# Allow bin_t to be entered from admin via certain utils.
+corecmd_bin_entry_type(capabledomain)
+sysadm_bin_spec_domtrans_to(capabledomain)
require {
type ifconfig_exec_t;
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrace.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrace.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrace.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrace.te 2009-01-29 11:23:45.000000000 -0500
@@ -28,7 +28,7 @@
# Allow test_files_t to be entered from the sysadm domain.
miscfiles_domain_entry_test_files(dyntracedomain)
-userdom_sysadm_entry_spec_domtrans_to(dyntracedomain)
+sysadm_entry_spec_domtrans_to(dyntracedomain)
miscfiles_exec_test_files(dyntracedomain)
# Grant the necessary permissions for the child domain.
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrans.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrans.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrans.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrans.te 2009-01-29 11:23:45.000000000 -0500
@@ -28,5 +28,5 @@
# Allow all of these domains to be entered from the sysadm domain.
miscfiles_domain_entry_test_files(dyntransdomain)
-userdom_sysadm_entry_spec_domtrans_to(dyntransdomain)
+sysadm_entry_spec_domtrans_to(dyntransdomain)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_entrypoint.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_entrypoint.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_entrypoint.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_entrypoint.te 2009-01-29 11:23:45.000000000 -0500
@@ -17,5 +17,5 @@
# Allow this domain to be entered via its entrypoint type.
domain_entry_file(test_entrypoint_t, test_entrypoint_execute_t)
-userdom_sysadm_entry_spec_domtrans_to(test_entrypoint_t)
+sysadm_entry_spec_domtrans_to(test_entrypoint_t)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_execshare.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_execshare.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_execshare.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_execshare.te 2009-01-29 11:23:45.000000000 -0500
@@ -25,7 +25,7 @@
# Allow all of these domains to be entered from the sysadm domain.
miscfiles_domain_entry_test_files(execsharedomain)
-userdom_sysadm_entry_spec_domtrans_to(execsharedomain)
+sysadm_entry_spec_domtrans_to(execsharedomain)
# Grant the necessary permissions for the child domain.
domain_entry_file_spec_domtrans(test_execshare_parent_t, test_execshare_child_t)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_exectrace.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_exectrace.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_exectrace.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_exectrace.te 2009-01-29 11:23:45.000000000 -0500
@@ -28,7 +28,7 @@
# Allow all of these domains to be entered from the sysadm domain.
miscfiles_domain_entry_test_files(exectracedomain)
-userdom_sysadm_entry_spec_domtrans_to(exectracedomain)
+sysadm_entry_spec_domtrans_to(exectracedomain)
# Grant the necessary permissions for the child domain.
domain_entry_file_spec_domtrans(test_exectrace_parent_t, test_exectrace_child_t)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_execute_no_trans.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_execute_no_trans.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_execute_no_trans.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_execute_no_trans.te 2009-01-29 11:23:45.000000000 -0500
@@ -19,8 +19,8 @@
# Allow this domain to be entered via the shell.
corecmd_shell_entry_type(test_execute_notrans_t)
-userdom_sysadm_entry_spec_domtrans_to(test_execute_notrans_t)
+sysadm_entry_spec_domtrans_to(test_execute_notrans_t)
#Allow test_execute_notrans permissions to the allowed type
can_exec(test_execute_notrans_t,test_execute_notrans_allowed_t)
-allow test_execute_notrans_t test_execute_notrans_denied_t:file rx_file_perms;
+allow test_execute_notrans_t test_execute_notrans_denied_t:file { mmap_file_perms lock ioctl };
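Review bot: the expansion of rx_file_perms on test_execute_notrans_denied_t to { mmap_file_perms lock ioctl } must keep execute_no_trans out of the set, otherwise the "denied" type stops being a negative test. Add a comment saying execute is intentionally granted (needed for mapping) while execute_no_trans is withheld, and check how mmap_file_perms expands in the target policy's obj_perm_sets before relying on it, since a permission set can grow between releases while the rule text stays the same.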
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_fdreceive.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_fdreceive.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_fdreceive.te 2008-06-11 04:11:31.000000000 -0400
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_fdreceive.te 2009-01-29 11:23:45.000000000 -0500
@@ -35,7 +35,7 @@
# Allow all of these domains to be entered from the sysadm domain.
miscfiles_domain_entry_test_files(fdreceivedomain)
-userdom_sysadm_entry_spec_domtrans_to(fdreceivedomain)
+sysadm_entry_spec_domtrans_to(fdreceivedomain)
# Grant the necessary permissions for the server domain.
## Create the Unix domain socket file.
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_file.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_file.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_file.te 2007-12-20 04:32:56.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_file.te 2009-01-29 11:23:45.000000000 -0500
@@ -43,7 +43,6 @@
# Allow execution of helper programs.
corecmd_exec_bin(fileopdomain)
-corecmd_exec_sbin(fileopdomain)
domain_exec_all_entry_files(fileopdomain)
libs_use_ld_so(fileopdomain)
libs_use_shared_libs(fileopdomain)
@@ -52,13 +51,10 @@
# Allow all of these domains to be entered from sysadm domain
miscfiles_domain_entry_test_files(fileopdomain)
-userdom_sysadm_entry_spec_domtrans_to(fileopdomain)
+sysadm_entry_spec_domtrans_to(fileopdomain)
corecmd_bin_entry_type(fileopdomain)
-userdom_sysadm_bin_spec_domtrans_to(fileopdomain)
-
-corecmd_sbin_entry_type(fileopdomain)
-userdom_sysadm_sbin_spec_domtrans_to(fileopdomain)
+sysadm_bin_spec_domtrans_to(fileopdomain)
allow fileop_t fileop_exec_t:file entrypoint;
domain_auto_trans(test_fileop_t, fileop_exec_t, fileop_t)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te 2008-04-06 06:39:19.000000000 -0400
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te 2009-01-29 11:23:45.000000000 -0500
@@ -13,7 +13,7 @@
# Allow the test domains to access the sysadm terminal.
# This allows read and write sysadm ttys and ptys.
-userdom_use_sysadm_terms(testdomain)
+userdom_use_user_terminals(testdomain)
# Allow the test domains to access the test directory and files
# even if they are not root owned.
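Review bot: the comment two lines up still says "access the sysadm terminal" and "read and write sysadm ttys and ptys" while the rule now calls userdom_use_user_terminals(testdomain); update the comment to say user terminals so the comment and rule agree. This is the line the reported checkmodule error pointed at (token 'userdom_use_sysadm_terms' at line 3198 of the generated file), so it is worth naming in the commit message as the fix for that failure.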
@@ -64,9 +64,10 @@
type null_device_t;
type zero_device_t;
}
-allow testdomain { root_t etc_t bin_t sbin_t lib_t usr_t devpts_t }:dir r_dir_perms;
-allow testdomain lib_t:{ file lnk_file } r_file_perms;
-allow testdomain etc_t:file r_file_perms;
+allow testdomain { root_t etc_t bin_t sbin_t lib_t usr_t devpts_t }:dir list_dir_perms;
+allow testdomain lib_t:file read_file_perms;
+allow testdomain lib_t:lnk_file read_lnk_file_perms;
+allow testdomain etc_t:file read_file_perms;
allow testdomain { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
miscfiles_read_localization(testdomain)
domain_use_interactive_fds(testdomain)
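Review bot: splitting the lib_t rule into `lib_t:file read_file_perms` and `lib_t:lnk_file read_lnk_file_perms` is the right fix for the deprecated r_file_perms warning, but the unchanged line just below it still applies rw_file_perms to chr_file objects (devtty_t, null_device_t, zero_device_t). Use the chr_file set (rw_chr_file_perms) there for the same reason, since the per-class sets are what the deprecation warnings are steering towards.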
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_inherit.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_inherit.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_inherit.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_inherit.te 2009-01-29 11:23:45.000000000 -0500
@@ -37,7 +37,7 @@
# Allow all of these domains to be entered from the sysadm domain.
miscfiles_domain_entry_test_files(inheritdomain)
-userdom_sysadm_entry_spec_domtrans_to(inheritdomain)
+sysadm_entry_spec_domtrans_to(inheritdomain)
# Grant the necessary permissions for the parent domain.
allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms;
@@ -61,4 +61,4 @@
allow test_inherit_nowrite_t test_inherit_parent_t:fd use;
allow test_inherit_nowrite_t test_inherit_parent_t:fifo_file rw_file_perms;
allow test_inherit_nowrite_t test_inherit_parent_t:process sigchld;
-allow test_inherit_nowrite_t test_inherit_file_t:file r_file_perms;
+allow test_inherit_nowrite_t test_inherit_file_t:file read_file_perms;
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_ioctl.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_ioctl.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_ioctl.te 2007-12-20 04:32:56.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_ioctl.te 2009-01-29 11:46:39.000000000 -0500
@@ -23,7 +23,6 @@
# Allow execution of helper programs.
corecmd_exec_bin(ioctldomain)
-corecmd_exec_sbin(ioctldomain)
domain_exec_all_entry_files(ioctldomain)
files_exec_etc_files(ioctldomain)
libs_use_ld_so(ioctldomain)
@@ -34,9 +33,9 @@
# Allow all of these domains to be entered from sysadm domain
# via a shell script in the test directory or by....
miscfiles_domain_entry_test_files(ioctldomain)
-userdom_sysadm_entry_spec_domtrans_to(ioctldomain)
+sysadm_entry_spec_domtrans_to(ioctldomain)
corecmd_bin_entry_type(ioctldomain)
-userdom_sysadm_bin_spec_domtrans_to(ioctldomain)
+sysadm_bin_spec_domtrans_to(ioctldomain)
# Allow the test domains some access to the temp file
allow test_ioctl_t test_ioctl_file_t:file { read getattr setattr ioctl };
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_ipc.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_ipc.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_ipc.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_ipc.te 2009-01-29 11:23:45.000000000 -0500
@@ -72,12 +72,12 @@
# Allow all of these domains to be entered from user domains.
# via a shell script in the test directory or by another program.
miscfiles_domain_entry_test_files(ipcdomain)
-userdom_sysadm_entry_spec_domtrans_to(ipcdomain)
+sysadm_entry_spec_domtrans_to(ipcdomain)
corecmd_bin_entry_type(ipcdomain)
-userdom_sysadm_bin_spec_domtrans_to(ipcdomain)
+sysadm_bin_spec_domtrans_to(ipcdomain)
allow test_ipc_base_t self:sem create_sem_perms;
allow test_ipc_base_t self:shm create_sem_perms;
allow test_ipc_base_t self:shm lock;
# ipcrm needs this...
-userdom_search_generic_user_home_dirs(test_ipc_base_t)
+userdom_search_user_home_dirs(test_ipc_base_t)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_link.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_link.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_link.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_link.te 2009-01-29 11:23:45.000000000 -0500
@@ -69,5 +69,5 @@
# Allow all of these domains to be entered from sysadm domain
corecmd_bin_entry_type(test_link_domain)
-userdom_sysadm_bin_spec_domtrans_to(test_link_domain)
+sysadm_bin_spec_domtrans_to(test_link_domain)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_mkdir.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_mkdir.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_mkdir.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_mkdir.te 2009-01-29 11:23:45.000000000 -0500
@@ -56,4 +56,4 @@
# Allow all of these domains to be entered from sysadm domain
corecmd_bin_entry_type(test_mkdir_domain)
-userdom_sysadm_bin_spec_domtrans_to(test_mkdir_domain)
+sysadm_bin_spec_domtrans_to(test_mkdir_domain)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_open.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_open.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_open.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_open.te 2009-01-29 11:23:45.000000000 -0500
@@ -32,4 +32,4 @@
# Allow all of these domains to be entered from sysadm domain
miscfiles_domain_entry_test_files(test_open_domain)
-userdom_sysadm_entry_spec_domtrans_to(test_open_domain)
+sysadm_entry_spec_domtrans_to(test_open_domain)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_ptrace.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_ptrace.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_ptrace.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_ptrace.te 2009-01-29 11:23:45.000000000 -0500
@@ -27,7 +27,7 @@
# Allow the tracer domain to trace the traced domain.
allow test_ptrace_tracer_t test_ptrace_traced_t:process ptrace;
-userdom_search_generic_user_home_dirs(test_ptrace_traced_t)
+userdom_search_user_home_dirs(test_ptrace_traced_t)
# Let the tracer wait on the traced domain.
allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld;
@@ -35,4 +35,4 @@
# Allow all of these domains to be entered from the sysadm domains.
# via a program in the test directory.
miscfiles_domain_entry_test_files(ptracedomain)
-userdom_sysadm_entry_spec_domtrans_to(ptracedomain)
+sysadm_entry_spec_domtrans_to(ptracedomain)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_relabel.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_relabel.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_relabel.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_relabel.te 2009-01-29 11:23:45.000000000 -0500
@@ -40,5 +40,5 @@
# Allow all of these domains to be entered from sysadm domain
corecmd_bin_entry_type(test_relabel_domain)
-userdom_sysadm_bin_spec_domtrans_to(test_relabel_domain)
+sysadm_bin_spec_domtrans_to(test_relabel_domain)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_rename.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_rename.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_rename.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_rename.te 2009-01-29 11:23:45.000000000 -0500
@@ -103,5 +103,5 @@
# Allow all of these domains to be entered from sysadm domain
corecmd_bin_entry_type(test_rename_domain)
-userdom_sysadm_bin_spec_domtrans_to(test_rename_domain)
+sysadm_bin_spec_domtrans_to(test_rename_domain)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_setattr.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_setattr.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_setattr.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_setattr.te 2009-01-29 11:23:45.000000000 -0500
@@ -27,5 +27,5 @@
# Allow all of these domains to be entered from sysadm domain
corecmd_bin_entry_type(test_setattr_domain)
-userdom_sysadm_bin_spec_domtrans_to(test_setattr_domain)
+sysadm_bin_spec_domtrans_to(test_setattr_domain)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_setnice.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_setnice.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_setnice.te 2007-12-20 04:32:56.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_setnice.te 2009-01-29 11:46:48.000000000 -0500
@@ -25,7 +25,6 @@
# Allow execution of helper programs.
corecmd_exec_bin(setnicedomain)
-corecmd_exec_sbin(setnicedomain)
domain_exec_all_entry_files(setnicedomain)
files_exec_etc_files(setnicedomain)
libs_use_ld_so(setnicedomain)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_sigkill.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_sigkill.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_sigkill.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_sigkill.te 2009-01-29 11:23:45.000000000 -0500
@@ -43,7 +43,7 @@
# Allow all of these domains to be entered from the sysadm domains,
# via kill or a program in the test directory.
miscfiles_domain_entry_test_files(killdomain)
-userdom_sysadm_entry_spec_domtrans_to(killdomain)
+sysadm_entry_spec_domtrans_to(killdomain)
corecmd_bin_entry_type(killdomain)
-userdom_sysadm_bin_spec_domtrans_to(killdomain)
+sysadm_bin_spec_domtrans_to(killdomain)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_sysctl.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_sysctl.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_sysctl.te 2007-12-20 04:32:56.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_sysctl.te 2009-01-29 11:23:45.000000000 -0500
@@ -19,8 +19,8 @@
# Allow all of these domains to be entered from sysadm domain
# via /sbin/sysctl.
-corecmd_sbin_entry_type(sysctldomain)
-userdom_sysadm_sbin_spec_domtrans_to(sysctldomain)
+corecmd_bin_entry_type(sysctldomain)
+sysadm_bin_spec_domtrans_to(sysctldomain)
# Allow the first domain to perform sysctl operations.
kernel_rw_all_sysctls(test_sysctl_t)
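Review bot: the comment "via /sbin/sysctl." is kept while the entry type changes from sbin_t to bin_t, which only works if /sbin/sysctl is actually labeled bin_t on the target. Either update the comment or add a note that sbin content carries bin_t in the policy this targets, and verify with `ls -Z /sbin/sysctl` (or matchpathcon) on the test host before relying on the transition.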
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_create.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_create.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_create.te 2007-12-20 04:32:56.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_create.te 2009-01-29 11:23:45.000000000 -0500
@@ -24,10 +24,14 @@
typeattribute test_create_no_t test_create_d;
allow test_create_no_t self:process ~fork;
-allow test_create_no_t proc_t:dir r_dir_perms;
+allow test_create_no_t proc_t:dir list_dir_perms;
allow test_create_no_t proc_t:lnk_file read;
-allow test_create_no_t self:dir r_dir_perms;
-allow test_create_no_t self:notdevfile_class_set r_file_perms;
+allow test_create_no_t self:dir list_dir_perms;
+allow test_create_no_t self:dir list_dir_perms;
+allow test_create_no_t self:file read_file_perms;
+allow test_create_no_t self:lnk_file read_lnk_file_perms;
+allow test_create_no_t self:fifo_file read_fifo_file_perms;
+allow test_create_no_t self:sock_file read_sock_file_perms;
libs_use_ld_so(test_create_no_t)
libs_use_shared_libs(test_create_no_t)
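Review bot: `allow test_create_no_t self:dir list_dir_perms;` is added twice in this hunk (two consecutive + lines); drop one. The rest of the expansion of notdevfile_class_set into file, lnk_file, fifo_file and sock_file matches the same expansion in the test_task_setpgid.te hunk further down, which has the self:dir line only once, so this is a stray paste rather than an intended rule.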
@@ -35,14 +39,14 @@
allow test_create_no_t self:process setexec;
selinux_get_fs_mount(test_create_no_t)
-allow test_create_no_t { root_t bin_t sbin_t lib_t locale_t usr_t devpts_t home_root_t }:dir r_dir_perms;
-allow test_create_no_t lib_t:lnk_file r_file_perms;
+allow test_create_no_t { root_t bin_t sbin_t lib_t locale_t usr_t devpts_t home_root_t }:dir list_dir_perms;
+allow test_create_no_t lib_t:lnk_file read_lnk_file_perms;
allow test_create_no_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
-allow test_create_no_t locale_t:dir r_dir_perms;
-allow test_create_no_t locale_t:{ file lnk_file } r_file_perms;
+allow test_create_no_t locale_t:dir list_dir_perms;
+allow test_create_no_t locale_t:file read_file_perms;
+allow test_create_no_t locale_t:lnk_file read_lnk_file_perms;
allow test_create_no_t privfd:fd use;
-userdom_use_sysadm_ptys(test_create_no_t)
-userdom_use_sysadm_ttys(test_create_no_t)
+userdom_use_user_terminals(test_create_no_t)
# General rules for the test_create_d
@@ -50,4 +54,4 @@
role sysadm_r types test_create_d;
role system_r types test_create_d;
miscfiles_domain_entry_test_files(test_create_d)
-userdom_sysadm_entry_spec_domtrans_to(test_create_d)
+sysadm_entry_spec_domtrans_to(test_create_d)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getpgid.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getpgid.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getpgid.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getpgid.te 2009-01-29 11:23:45.000000000 -0500
@@ -25,7 +25,7 @@
# Allow domain to be entered from the sysadm domain
miscfiles_domain_entry_test_files(test_getpgid_d)
-userdom_sysadm_entry_spec_domtrans_to(test_getpgid_d)
+sysadm_entry_spec_domtrans_to(test_getpgid_d)
# Give test_getpgid_yes_t the permission needed.
allow test_getpgid_yes_t test_getpgid_target_t:process getpgid;
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsched.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsched.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsched.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsched.te 2009-01-29 11:23:45.000000000 -0500
@@ -25,7 +25,7 @@
# Allow domain to be entered from the sysadm domain.
miscfiles_domain_entry_test_files(test_getsched_d)
-userdom_sysadm_entry_spec_domtrans_to(test_getsched_d)
+sysadm_entry_spec_domtrans_to(test_getsched_d)
# Give test_getsched_yes_t the permission needed.
allow test_getsched_yes_t test_getsched_target_t:process getsched;
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsid.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsid.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsid.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsid.te 2009-01-29 11:23:45.000000000 -0500
@@ -25,7 +25,7 @@
# Allow domain to be entered from the sysadm domain.
miscfiles_domain_entry_test_files(test_getsid_d)
-userdom_sysadm_entry_spec_domtrans_to(test_getsid_d)
+sysadm_entry_spec_domtrans_to(test_getsid_d)
# Give test_getsid_yes_t the permission needed.
allow test_getsid_yes_t test_getsid_target_t:process getsession;
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setpgid.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setpgid.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setpgid.te 2007-12-20 04:32:56.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setpgid.te 2009-01-29 11:23:45.000000000 -0500
@@ -18,27 +18,30 @@
typeattribute test_setpgid_no_t test_setpgid_d;
allow test_setpgid_no_t self:process ~{ setpgid setcurrent };
-allow test_setpgid_no_t proc_t:dir r_dir_perms;
+allow test_setpgid_no_t proc_t:dir list_dir_perms;
allow test_setpgid_no_t proc_t:lnk_file read;
-allow test_setpgid_no_t self:dir r_dir_perms;
-allow test_setpgid_no_t self:notdevfile_class_set r_file_perms;
+allow test_setpgid_no_t self:dir list_dir_perms;
+allow test_setpgid_no_t self:file read_file_perms;
+allow test_setpgid_no_t self:lnk_file read_lnk_file_perms;
+allow test_setpgid_no_t self:fifo_file read_fifo_file_perms;
+allow test_setpgid_no_t self:sock_file read_sock_file_perms;
libs_use_ld_so(test_setpgid_no_t)
libs_use_shared_libs(test_setpgid_no_t)
allow test_setpgid_no_t self:process setexec;
selinux_get_fs_mount(test_setpgid_no_t)
-allow test_setpgid_no_t { root_t bin_t sbin_t lib_t locale_t usr_t devpts_t home_root_t }:dir r_dir_perms;
-allow test_setpgid_no_t lib_t:lnk_file r_file_perms;
+allow test_setpgid_no_t { root_t bin_t sbin_t lib_t locale_t usr_t devpts_t home_root_t }:dir list_dir_perms;
+allow test_setpgid_no_t lib_t:lnk_file read_lnk_file_perms;
allow test_setpgid_no_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
-allow test_setpgid_no_t locale_t:dir r_dir_perms;
-allow test_setpgid_no_t locale_t:{ file lnk_file } r_file_perms;
+allow test_setpgid_no_t locale_t:dir list_dir_perms;
+allow test_setpgid_no_t locale_t:file read_file_perms;
+allow test_setpgid_no_t locale_t:lnk_file read_lnk_file_perms;
allow test_setpgid_no_t privfd:fd use;
-userdom_use_sysadm_ptys(test_setpgid_no_t)
-userdom_use_sysadm_ttys(test_setpgid_no_t)
+userdom_use_user_terminals(test_setpgid_no_t)
# Allow domain to be entered from the sysadm domain.
role sysadm_r types test_setpgid_d;
role system_r types test_setpgid_d;
miscfiles_domain_entry_test_files(test_setpgid_d)
-userdom_sysadm_entry_spec_domtrans_to(test_setpgid_d)
+sysadm_entry_spec_domtrans_to(test_setpgid_d)
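Review bot: the chr_file rule `allow test_setpgid_no_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;` is left on the generic file set while every other rule in this hunk was moved to a class-specific set (list_dir_perms, read_lnk_file_perms, read_fifo_file_perms, read_sock_file_perms); rw_chr_file_perms is the matching set and keeps the conversion consistent. Separately, replacing userdom_use_sysadm_ptys and userdom_use_sysadm_ttys with a single userdom_use_user_terminals widens the grant from the sysadm role's own pty/tty types to the generic user terminal types; a one-line comment saying this is the replacement under the reworked userdomain interfaces, not a deliberate loosening, would save the next reader from having to work that out.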
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setsched.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setsched.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setsched.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setsched.te 2009-01-29 11:23:45.000000000 -0500
@@ -26,7 +26,7 @@
# Allow domain to be entered from the sysadm domain.
miscfiles_domain_entry_test_files(test_setsched_d)
-userdom_sysadm_entry_spec_domtrans_to(test_setsched_d)
+sysadm_entry_spec_domtrans_to(test_setsched_d)
# Allow these domains to execute renice.
corecmd_bin_entry_type(test_setsched_d)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_transition.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_transition.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_transition.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_transition.te 2009-01-29 11:23:45.000000000 -0500
@@ -30,4 +30,4 @@
allow test_transition_todomain_t test_transition_fromdomain_t:fd use;
# Allow all of these domains to be entered from the sysadm domain.
-userdom_sysadm_entry_spec_domtrans_to(transitiondomain)
+sysadm_entry_spec_domtrans_to(transitiondomain)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_wait.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_wait.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_wait.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_wait.te 2009-01-29 11:23:45.000000000 -0500
@@ -25,7 +25,7 @@
# Allow all of these domains to be entered from the sysadm domain.
miscfiles_domain_entry_test_files(waitdomain)
-userdom_sysadm_entry_spec_domtrans_to(waitdomain)
+sysadm_entry_spec_domtrans_to(waitdomain)
# Grant permissions for a domain transition from parent to child,
# including the ability to wait on the child.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: LTP SELinux policy error
2009-01-29 16:51 ` Christopher J. PeBenito
@ 2009-01-29 18:09 ` Stephen Smalley
2009-01-30 17:14 ` Serge E. Hallyn
2009-02-02 13:39 ` [LTP] " Subrata Modak
1 sibling, 1 reply; 15+ messages in thread
From: Stephen Smalley @ 2009-01-29 18:09 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: James Morris, ltp-list, selinux, Serge E. Hallyn
On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > LTP and current Fedora development, and get the following policy
> > > compilation error:
> > >
> > > ----
> > > Compiling targeted test_policy module
> > >
> > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > [lots of warnings similar to the above]
> > >
> > > /usr/bin/checkmodule: loading policy configuration from
> > > tmp/test_policy.tmp
> > > test_policy.te":16:ERROR 'syntax error' at token
> > > 'userdom_use_sysadm_terms' on line 3198:
> > > userdom_use_sysadm_terms(testdomain)
> > > # This allows read and write sysadm ttys and ptys.
> > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > make: *** [load] Error 2
> > > Failed to build and load test_policy module, aborting test run.
> > > ----
> > >
> > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> >
> > It won't compile with the current trunk refpolicy, since the current
> > release was a major, API breaking change. I'll try to get a patch out
> > shortly.
>
> I updated the policy since it's fairly old, though I didn't convert its
> raw rules over to use interfaces. However this didn't completely fix
> it, as there is usage of a "unconfined_runs_test()", which isn't in the
> upstream refpolicy nor the fedora policy, as far as I can see. One of
> the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> the upstream refpolicy, but doesn't seem to have made its way downstream
> to the fedora policy. I have attached my work so someone familiar with
> the LTP test cases can use it to complete the fix.
Serge put together a patch and script under selinux-testsuite/misc that
defines unconfined_runs_test() as well as converting some of the
interfaces. That was done so that the ltp testsuite could still be run
on older distributions (w/ the older policy) and on newer distributions
(w/ the patch applied to perform conversion). It was originally done
based on the deprecation of the sbin interfaces, which is why it is
named that way even though it now includes more than just conversion of
those interfaces.
--
Stephen Smalley
National Security Agency
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: LTP SELinux policy error
2009-01-29 18:09 ` Stephen Smalley
@ 2009-01-30 17:14 ` Serge E. Hallyn
2009-01-30 17:37 ` [LTP] " Serge E. Hallyn
` (2 more replies)
0 siblings, 3 replies; 15+ messages in thread
From: Serge E. Hallyn @ 2009-01-30 17:14 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Christopher J. PeBenito, James Morris, ltp-list, selinux
Quoting Stephen Smalley (sds@tycho.nsa.gov):
> On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > LTP and current Fedora development, and get the following policy
> > > > compilation error:
> > > >
> > > > ----
> > > > Compiling targeted test_policy module
> > > >
> > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > [lots of warnings similar to the above]
> > > >
> > > > /usr/bin/checkmodule: loading policy configuration from
> > > > tmp/test_policy.tmp
> > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > userdom_use_sysadm_terms(testdomain)
> > > > # This allows read and write sysadm ttys and ptys.
> > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > make: *** [load] Error 2
> > > > Failed to build and load test_policy module, aborting test run.
> > > > ----
> > > >
> > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > >
> > > It won't compile with the current trunk refpolicy, since the current
> > > release was a major, API breaking change. I'll try to get a patch out
> > > shortly.
> >
> > I updated the policy since it's fairly old, though I didn't convert its
> > raw rules over to use interfaces. However this didn't completely fix
> > it, as there is usage of a "unconfined_runs_test()", which isn't in the
> > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > the upstream refpolicy, but doesn't seem to have made its way downstream
> > to the fedora policy. I have attached my work so someone familiar with
> > the LTP test cases can use it to complete the fix.
>
> Serge put together a patch and script under selinux-testsuite/misc that
> defines unconfined_runs_test() as well as converting some of the
> interfaces. That was done so that the ltp testsuite could still be run
> on older distributions (w/ the older policy) and on newer distributions
> (w/ the patch applied to perform conversion). It was originally done
> based on the deprecation of the sbin interfaces, which is why it is
> named that way even though it now includes more than just conversion of
> those interfaces.
(Sorry, this thread is rolling into my inbox delayed and out-of-order)
So the unconfined_runs_test() shouldn't actually be a problem (right,
Chris? pls let me know if you actually get compile failures as then
something went wrong with the build scripts).
But what could have happened with sysadm_entry_spec_domtrans_to()? It
must have been in Fedora's policy before, since it definitely worked on
fedora 7 and 8. Has it been removed? (I'll fire up a f10 partition and
look through the policy sources...)
As for the list_dir_perms and read_file_perms, have those always been macros
in the refpolicy? If so, then a straight search-and-replace is fine.
If not, then we'll have to do another hook at the policy build to make
the substitutions only when the policy is new enough. :(
thanks,
-serge
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [LTP] LTP SELinux policy error
2009-01-30 17:14 ` Serge E. Hallyn
@ 2009-01-30 17:37 ` Serge E. Hallyn
2009-01-30 20:46 ` Chris PeBenito
[not found] ` <1233345509.6143.43.camel@defiant.pebenito.net>
2009-01-30 20:46 ` Chris PeBenito
[not found] ` <1233345437.6143.42.camel@defiant.pebenito.net>
2 siblings, 2 replies; 15+ messages in thread
From: Serge E. Hallyn @ 2009-01-30 17:37 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Christopher J. PeBenito, ltp-list, selinux
Quoting Serge E. Hallyn (serue@us.ibm.com):
> Quoting Stephen Smalley (sds@tycho.nsa.gov):
> > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > LTP and current Fedora development, and get the following policy
> > > > > compilation error:
> > > > >
> > > > > ----
> > > > > Compiling targeted test_policy module
> > > > >
> > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > [lots of warnings similar to the above]
> > > > >
> > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > tmp/test_policy.tmp
> > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > userdom_use_sysadm_terms(testdomain)
> > > > > # This allows read and write sysadm ttys and ptys.
> > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > make: *** [load] Error 2
> > > > > Failed to build and load test_policy module, aborting test run.
> > > > > ----
> > > > >
> > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > >
> > > > It won't compile with the current trunk refpolicy, since the current
> > > > release was a major, API breaking change. I'll try to get a patch out
> > > > shortly.
> > >
> > > I updated the policy since it's fairly old, though I didn't convert its
> > > raw rules over to use interfaces. However this didn't completely fix
> > > it, as there is usage of a "unconfined_runs_test()", which isn't in the
> > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > to the fedora policy. I have attached my work so someone familiar with
sysadm_entry_spec_domtrans is in fedora 10's policy sources, at least,
in modules/roles/sysadm.if. (I don't have a fedora devel system
installed).
thanks,
-serge
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: LTP SELinux policy error
2009-01-30 17:14 ` Serge E. Hallyn
2009-01-30 17:37 ` [LTP] " Serge E. Hallyn
@ 2009-01-30 20:46 ` Chris PeBenito
[not found] ` <1233345437.6143.42.camel@defiant.pebenito.net>
2 siblings, 0 replies; 15+ messages in thread
From: Chris PeBenito @ 2009-01-30 20:46 UTC (permalink / raw)
To: selinux
Resending on the SELinux list as I accidentally sent it with my personal
addr, so it got dropped.
On Fri, 2009-01-30 at 11:14 -0600, Serge E. Hallyn wrote:
> Quoting Stephen Smalley (sds@tycho.nsa.gov):
> > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > LTP and current Fedora development, and get the following policy
> > > > > compilation error:
> > > > >
> > > > > ----
> > > > > Compiling targeted test_policy module
> > > > >
> > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > [lots of warnings similar to the above]
> > > > >
> > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > tmp/test_policy.tmp
> > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > userdom_use_sysadm_terms(testdomain)
> > > > > # This allows read and write sysadm ttys and ptys.
> > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > make: *** [load] Error 2
> > > > > Failed to build and load test_policy module, aborting test run.
> > > > > ----
> > > > >
> > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > >
> > > > It won't compile with the current trunk refpolicy, since the current
> > > > release was a major, API breaking change. I'll try to get a patch out
> > > > shortly.
> > >
> > > I updated the policy since it's fairly old, though I didn't convert its
> > > raw rules over to use interfaces. However this didn't completely fix
> > > it, as there is usage of a "unconfined_runs_test()", which isn't in the
> > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > to the fedora policy. I have attached my work so someone familiar with
> > > the LTP test cases can use it to complete the fix.
> >
> > Serge put together a patch and script under selinux-testsuite/misc that
> > defines unconfined_runs_test() as well as converting some of the
> > interfaces. That was done so that the ltp testsuite could still be run
> > on older distributions (w/ the older policy) and on newer distributions
> > (w/ the patch applied to perform conversion). It was originally done
> > based on the deprecation of the sbin interfaces, which is why it is
> > named that way even though it now includes more than just conversion of
> > those interfaces.
>
> (Sorry, this thread is rolling into my inbox delayed and out-of-order)
>
> So the unconfined_runs_test() shouldn't actually be a problem (right,
> Chris? pls let me know if you actually get compile failures as then
> something went wrong with the build scripts).
I just went to the directory and ran make. Sounds like I might have
done something wrong.
> But what could have happened with sysadm_entry_spec_domtrans_to()? It
> must have been in Fedora's policy before, since it definitely worked on
> fedora 7 and 8. Has it been removed? (I'll fire up a f10 partition and
> look through the policy sources...)
Well it used to be userdom_sysadm_entry_spec_domtrans_to().
> As for the list_dir_perms and read_file_perms, have those always been macros
> in the refpolicy? If so, then a straight search-and-replace is fine.
> If not, then we'll have to do another hook at the policy build to make
> the substitutions only when the policy is new enough. :(
Those have been around for a while. While the old r_dir_perms and
r_file_perms macros aren't going anywhere for the foreseeable future,
their use is problematic as those may not get updated for new perms,
such as open.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [LTP] LTP SELinux policy error
2009-01-30 17:37 ` [LTP] " Serge E. Hallyn
@ 2009-01-30 20:46 ` Chris PeBenito
[not found] ` <1233345509.6143.43.camel@defiant.pebenito.net>
1 sibling, 0 replies; 15+ messages in thread
From: Chris PeBenito @ 2009-01-30 20:46 UTC (permalink / raw)
To: SELinux Mail List
Resending on the SELinux list as I accidentally sent it with my personal
addr, so it got dropped.
On Fri, 2009-01-30 at 11:37 -0600, Serge E. Hallyn wrote:
> Quoting Serge E. Hallyn (serue@us.ibm.com):
> > Quoting Stephen Smalley (sds@tycho.nsa.gov):
> > > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > > LTP and current Fedora development, and get the following policy
> > > > > > compilation error:
> > > > > >
> > > > > > ----
> > > > > > Compiling targeted test_policy module
> > > > > >
> > > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > > [lots of warnings similar to the above]
> > > > > >
> > > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > > tmp/test_policy.tmp
> > > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > > userdom_use_sysadm_terms(testdomain)
> > > > > > # This allows read and write sysadm ttys and ptys.
> > > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > > make: *** [load] Error 2
> > > > > > Failed to build and load test_policy module, aborting test run.
> > > > > > ----
> > > > > >
> > > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > > >
> > > > > It won't compile with the current trunk refpolicy, since the current
> > > > > release was a major, API breaking change. I'll try to get a patch out
> > > > > shortly.
> > > >
> > > > I updated the policy since it's fairly old, though I didn't convert its
> > > > raw rules over to use interfaces. However this didn't completely fix
> > > > it, as there is usage of a "unconfined_runs_test()", which isn't in the
> > > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > > to the fedora policy. I have attached my work so someone familiar with
>
> sysadm_entry_spec_domtrans is in fedora 10's policy sources, at least,
> in modules/roles/sysadm.if. (I don't have a fedora devel system
> installed).
That has the opposite transition direction (the specified domain
transitions to sysadm).
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: LTP SELinux policy error
[not found] ` <1233345437.6143.42.camel@defiant.pebenito.net>
@ 2009-02-01 22:51 ` Serge E. Hallyn
2009-02-03 13:51 ` Chris PeBenito
0 siblings, 1 reply; 15+ messages in thread
From: Serge E. Hallyn @ 2009-02-01 22:51 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Stephen Smalley, James Morris, ltp-list, selinux
Quoting Christopher J. PeBenito (pebenito@ieee.org):
> On Fri, 2009-01-30 at 11:14 -0600, Serge E. Hallyn wrote:
> > Quoting Stephen Smalley (sds@tycho.nsa.gov):
> > > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > > LTP and current Fedora development, and get the following policy
> > > > > > compilation error:
> > > > > >
> > > > > > ----
> > > > > > Compiling targeted test_policy module
> > > > > >
> > > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > > [lots of warnings similar to the above]
> > > > > >
> > > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > > tmp/test_policy.tmp
> > > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > > userdom_use_sysadm_terms(testdomain)
> > > > > > # This allows read and write sysadm ttys and ptys.
> > > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > > make: *** [load] Error 2
> > > > > > Failed to build and load test_policy module, aborting test run.
> > > > > > ----
> > > > > >
> > > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > > >
> > > > > It won't compile with the current trunk refpolicy, since the current
> > > > > release was a major, API breaking change. I'll try to get a patch out
> > > > > shortly.
> > > >
> > > > I updated the policy since it's fairly old, though I didn't convert its
> > > > raw rules over to use interfaces. However this didn't completely fix
> > > > it, as there is usage of a "unconfined_runs_test()", which isn't in the
> > > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > > to the fedora policy. I have attached my work so someone familiar with
> > > > the LTP test cases can use it to complete the fix.
> > >
> > > Serge put together a patch and script under selinux-testsuite/misc that
> > > defines unconfined_runs_test() as well as converting some of the
> > > interfaces. That was done so that the ltp testsuite could still be run
> > > on older distributions (w/ the older policy) and on newer distributions
> > > (w/ the patch applied to perform conversion). It was originally done
> > > based on the deprecation of the sbin interfaces, which is why it is
> > > named that way even though it now includes more than just conversion of
> > > those interfaces.
> >
> > (Sorry, this thread is rolling into my inbox delayed and out-of-order)
> >
> > So the unconfined_runs_test() shouldn't actually be a problem (right,
> > Chris? pls let me know if you actually get compile failures as then
> > something went wrong with the build scripts).
>
> I just went to the directory and ran make. Sounds like I might have
> done something wrong.
>
> > But what could have happened with sysadm_entry_spec_domtrans_to()? It
> > must have been in Fedora's policy before, since it definitely worked on
> > fedora 7 and 8. Has it been removed? (I'll fire up a f10 partition and
> > look through the policy sources...)
>
> Well it used to be userdom_sysadm_entry_spec_domtrans_to().
>
> > As for the list_dir_perms and read_file_perms, have those always been macros
> > in the refpolicy? If so, then a straight search-and-replace is fine.
> > If not, then we'll have to do another hook at the policy build to make
> > the substitutions only when the policy is new enough. :(
>
> Those have been around for a while. While the old r_dir_perms and
> r_file_perms macros aren't going anywhere for the foreseeable future,
> their use is problematic as those may not get updated for new perms,
> such as open.
So I guess we should switch all the instances over, and have
misc/update_refpolicy.sh switch them back if list_dir_perms
doesn't exist.
What would be a good way to determine whether we're in a kernel
version too old to use those? Can we just check whether
sestatus | grep version | awk -F: '{ print $2 }' is less than,
say, 22?
thanks,
-serge
^ permalink raw reply [flat|nested] 15+ messages in thread
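Added example, not from the thread or the LTP tree: a small POSIX sh helper in the spirit of the misc/update_refpolicy.sh hook Serge proposes above. It parses the version number out of sestatus output, as his message suggests, and it also checks the installed refpolicy development headers directly, by macro name in the support/*.spt files and by interface name in the .if files, since an m4 set such as list_dir_perms only compiles if the installed headers define it. The include path /usr/share/selinux/devel/include, the function names and the sample inputs are assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not part of the LTP tree or the thread: probe the installed
# refpolicy development headers and convert permission-set names in a .te.
# Assumed: headers are installed under /usr/share/selinux/devel/include
# (override with REFPOL_INCLUDE); the function names are illustrative.

REFPOL_INCLUDE="${REFPOL_INCLUDE:-/usr/share/selinux/devel/include}"

# Succeeds when an m4 permission set such as list_dir_perms is defined in
# one of the support/*.spt files.  Whether the name compiles depends on
# these headers, not on the kernel's policy version.
refpol_defines_macro() {
    grep -qs "define(\`$1'" "$REFPOL_INCLUDE"/support/*.spt
}

# Succeeds when an interface such as sysadm_entry_spec_domtrans_to is
# declared in any installed .if file.  Presence only: the direction of a
# transition still has to be read from the interface body.
refpol_has_interface() {
    find "$REFPOL_INCLUDE" -name '*.if' -exec grep -ls "interface(\`$1'" {} + \
        2>/dev/null | grep -q .
}

# Print the policy version from sestatus(8) output on stdin, e.g. the line
# "Policy version:                 23" yields 23.
policy_version_from_sestatus() {
    awk -F: '/^Policy version/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Rewrite r_dir_perms/r_file_perms to list_dir_perms/read_file_perms
# (direction "new") or back again ("old") in one .te file.  The name must
# follow a non-letter so getattr_dir_perms and setattr_file_perms, which end
# in the same characters, are left alone.
convert_perm_sets() {
    file=$1
    case "$2" in
        new) script='s/\([^a-z_]\)r_dir_perms/\1list_dir_perms/g;s/\([^a-z_]\)r_file_perms/\1read_file_perms/g' ;;
        old) script='s/\([^a-z_]\)list_dir_perms/\1r_dir_perms/g;s/\([^a-z_]\)read_file_perms/\1r_file_perms/g' ;;
        *)   echo "convert_perm_sets: direction must be new or old" >&2; return 2 ;;
    esac
    sed -e "$script" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Typical use from the policy build step (assumed layout, matching the
# refpolicy/ directory the patch above touches):
#   if refpol_defines_macro list_dir_perms; then dir=new; else dir=old; fi
#   for te in refpolicy/*.te; do convert_perm_sets "$te" "$dir"; done
#   refpol_has_interface sysadm_entry_spec_domtrans_to || echo "missing" >&2
#   sestatus | policy_version_from_sestatus
```

Calling convert_perm_sets with "new" when refpol_defines_macro list_dir_perms succeeds and "old" otherwise gives the conditional substitution Serge asks for, keyed on what the headers actually define rather than on a version threshold; `sestatus | policy_version_from_sestatus` still yields the number his grep/awk one-liner was after if a version gate is wanted as well.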
* Re: [LTP] LTP SELinux policy error
[not found] ` <1233345509.6143.43.camel@defiant.pebenito.net>
@ 2009-02-01 22:54 ` Serge E. Hallyn
2009-02-03 13:55 ` Chris PeBenito
0 siblings, 1 reply; 15+ messages in thread
From: Serge E. Hallyn @ 2009-02-01 22:54 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Stephen Smalley, ltp-list, selinux
Quoting Christopher J. PeBenito (pebenito@ieee.org):
> On Fri, 2009-01-30 at 11:37 -0600, Serge E. Hallyn wrote:
> > Quoting Serge E. Hallyn (serue@us.ibm.com):
> > > Quoting Stephen Smalley (sds@tycho.nsa.gov):
> > > > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > > > LTP and current Fedora development, and get the following policy
> > > > > > > compilation error:
> > > > > > >
> > > > > > > ----
> > > > > > > Compiling targeted test_policy module
> > > > > > >
> > > > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > > > [lots of warnings similar to the above]
> > > > > > >
> > > > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > > > tmp/test_policy.tmp
> > > > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > > > userdom_use_sysadm_terms(testdomain)
> > > > > > > # This allows read and write sysadm ttys and ptys.
> > > > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > > > make: *** [load] Error 2
> > > > > > > Failed to build and load test_policy module, aborting test run.
> > > > > > > ----
> > > > > > >
> > > > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > > > >
> > > > > > It won't compile with the current trunk refpolicy, since the current
> > > > > > release was a major, API breaking change. I'll try to get a patch out
> > > > > > shortly.
> > > > >
> > > > > I updated the policy since it's fairly old, though I didn't convert its
> > > > > raw rules over to use interfaces. However, this didn't completely fix
> > > > > it, as there is usage of an "unconfined_runs_test()", which isn't in the
> > > > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > > > to the fedora policy. I have attached my work so someone familiar with
> >
> > sysadm_entry_spec_domtrans is in fedora 10's policy sources, at least,
> > in modules/roles/sysadm.if. (I don't have a fedora devel system
> > installed).
>
> That has the opposite transition direction (the specified domain
> transitions to sysadm).
Just to make sure...
You're saying that in upstream refpolicy sysadm_entry_spec_domtrans(foo)
means foo may transition to sysadm_t, while in fedora 10 policy
sysadm_entry_spec_domtrans(foo) means sysadm_t may transition to
foo?
-serge
* Re: [LTP] LTP SELinux policy error
From: Subrata Modak @ 2009-02-02 13:39 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: James Morris, ltp-list, selinux
Thanks.
Regards--
Subrata
On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > LTP and current Fedora development, and get the following policy
> > > compilation error:
> > >
> > > ----
> > > Compiling targeted test_policy module
> > >
> > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > [lots of warnings similar to the above]
> > >
> > > /usr/bin/checkmodule: loading policy configuration from
> > > tmp/test_policy.tmp
> > > test_policy.te":16:ERROR 'syntax error' at token
> > > 'userdom_use_sysadm_terms' on line 3198:
> > > userdom_use_sysadm_terms(testdomain)
> > > # This allows read and write sysadm ttys and ptys.
> > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > make: *** [load] Error 2
> > > Failed to build and load test_policy module, aborting test run.
> > > ----
> > >
> > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> >
> > It won't compile with the current trunk refpolicy, since the current
> > release was a major, API breaking change. I'll try to get a patch out
> > shortly.
>
> I updated the policy since it's fairly old, though I didn't convert its
> raw rules over to use interfaces. However, this didn't completely fix
> it, as there is usage of an "unconfined_runs_test()", which isn't in the
> upstream refpolicy nor the fedora policy, as far as I can see. One of
> the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> the upstream refpolicy, but doesn't seem to have made its way downstream
> to the fedora policy. I have attached my work so someone familiar with
> the LTP test cases can use it to complete the fix.
>
* Re: LTP SELinux policy error
From: Chris PeBenito @ 2009-02-03 13:51 UTC (permalink / raw)
To: Serge E. Hallyn; +Cc: Stephen Smalley, James Morris, ltp-list, selinux
On Sun, 2009-02-01 at 16:51 -0600, Serge E. Hallyn wrote:
> Quoting Christopher J. PeBenito (pebenito@ieee.org):
> > On Fri, 2009-01-30 at 11:14 -0600, Serge E. Hallyn wrote:
> > > Quoting Stephen Smalley (sds@tycho.nsa.gov):
> > > > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > > > LTP and current Fedora development, and get the following policy
> > > > > > > compilation error:
> > > > > > >
> > > > > > > ----
> > > > > > > Compiling targeted test_policy module
> > > > > > >
> > > > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > > > [lots of warnings similar to the above]
> > > > > > >
> > > > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > > > tmp/test_policy.tmp
> > > > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > > > userdom_use_sysadm_terms(testdomain)
> > > > > > > # This allows read and write sysadm ttys and ptys.
> > > > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > > > make: *** [load] Error 2
> > > > > > > Failed to build and load test_policy module, aborting test run.
> > > > > > > ----
> > > > > > >
> > > > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > > > >
> > > > > > It won't compile with the current trunk refpolicy, since the current
> > > > > > release was a major, API breaking change. I'll try to get a patch out
> > > > > > shortly.
> > > > >
> > > > > I updated the policy since it's fairly old, though I didn't convert its
> > > > > raw rules over to use interfaces. However, this didn't completely fix
> > > > > it, as there is usage of an "unconfined_runs_test()", which isn't in the
> > > > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > > > to the fedora policy. I have attached my work so someone familiar with
> > > > > the LTP test cases can use it to complete the fix.
> > > >
> > > > Serge put together a patch and script under selinux-testsuite/misc that
> > > > defines unconfined_runs_test() as well as converting some of the
> > > > interfaces. That was done so that the ltp testsuite could still be run
> > > > on older distributions (w/ the older policy) and on newer distributions
> > > > (w/ the patch applied to perform conversion). It was originally done
> > > > based on the deprecation of the sbin interfaces, which is why it is
> > > > named that way even though it now includes more than just conversion of
> > > > those interfaces.
> > >
> > > (Sorry, this thread is rolling into my inbox delayed and out-of-order)
> > >
> > > So the unconfined_runs_test() shouldn't actually be a problem (right,
> > > Chris? pls let me know if you actually get compile failures as then
> > > something went wrong with the build scripts).
> >
> > I just went to the directory and ran make. Sounds like I might have
> > done something wrong.
> >
> > > But what could have happened with sysadm_entry_spec_domtrans_to()? It
> > > must have been in fedora's policy before, since it definitely worked on
> > > fedora 7 and 8. Has it been removed? (I'll fire up a f10 partition and
> > > look through the policy sources...)
> >
> > Well it used to be userdom_sysadm_entry_spec_domtrans_to().
> >
> > > As for the list_dir_perms and read_file_perms, have those always been macros
> > > in the refpolicy? If so, then a straight search-and-replace is fine.
> > > If not, then we'll have to do another hook at the policy build to make
> > > the substitutions only when the policy is new enough. :(
> >
> > Those have been around for a while. While the old r_dir_perms and
> > r_file_perms macros aren't going anywhere for the foreseeable future,
> > their use is problematic as those may not get updated for new perms,
> > such as open.
>
> So I guess we should switch all the instances over, and have
> misc/update_refpolicy.sh switch them back if list_dir_perms
> doesn't exist.
>
> What would be a good way to determine whether we're in a kernel
> version too old to use those? Can we just check whether
> sestatus | grep version | awk -F: '{ print $2 }' is less than,
> say, 22?
Well the new permission sets have been around since the end of 2006.
But a kernel with v22 policy would probably be a good way to determine
if it should be switched. Those kernels wouldn't have new permissions
like open, so it would be safe to use the old permission sets.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
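Chris's suggestion above, worked through as an added example (my code, not LTP's misc/update_refpolicy.sh): a POSIX sh hook that pulls the policy version out of sestatus output, treats versions up to 22 as too old for the new permission sets (the thread's heuristic, assumed here rather than a verified cutoff), and rewrites the new macros back to r_dir_perms/r_file_perms in the .te file so it still builds on the older refpolicy.

```shell
#!/bin/sh
# Added example, not LTP's misc/update_refpolicy.sh: pick the permission-set
# macros a test policy should use from the policy version the running kernel
# reports, and rewrite the .te file accordingly.

# Permission sets the thread discusses, new name:old name. The old macros are
# still accepted by newer refpolicy; the new ones are missing from older
# refpolicy, so rewriting new -> old is the direction that is always safe.
PERMSET_MAP="list_dir_perms:r_dir_perms
read_file_perms:r_file_perms"

# Assumption taken from the thread's suggestion, not a verified cutoff:
# policy versions up to and including 22 predate the new permission sets.
OLD_POLICY_MAX_VERSION=22

# Read sestatus output on stdin and print the numeric policy version, i.e.
# the thread's "sestatus | grep version | awk -F: ..." with the digits pulled
# out of the second field. Prints nothing if no such line exists.
policy_version_from_sestatus() {
    awk -F: 'tolower($1) ~ /version/ { gsub(/[^0-9]/, "", $2); print $2; exit }'
}

# True (exit 0) when the kernel is old enough that the old permission sets
# should be used; exit 2 when the version is not a plain number.
needs_old_permsets() {
    ver=$1
    case "$ver" in
        ''|*[!0-9]*) echo "unrecognized policy version '$ver'" >&2; return 2 ;;
    esac
    [ "$ver" -le "$OLD_POLICY_MAX_VERSION" ]
}

# Rewrite the .te file named by $1 in place, turning each new permission set
# into its old macro. Only whole tokens are touched: a non-identifier
# character is required on both sides, and each line is padded with a space
# first so tokens at the start or end of a line match too. Each substitution
# runs twice because a match consumes its trailing delimiter, which would
# otherwise hide a second occurrence immediately after the first.
downgrade_permsets() {
    te=$1
    tmp="$te.tmp.$$"
    script=''
    for pair in $PERMSET_MAP; do
        new=${pair%%:*}
        old=${pair#*:}
        subst="s/\\([^A-Za-z0-9_]\\)$new\\([^A-Za-z0-9_]\\)/\\1$old\\2/g"
        script="$script$subst;$subst;"
    done
    sed -e 's/^/ /' -e 's/$/ /' -e "${script%;}" -e 's/^ //' -e 's/ $//' \
        "$te" > "$tmp" && mv "$tmp" "$te"
}

# Glue for a build hook: `sestatus | update_policy_for_kernel test_policy.te`.
# A version that cannot be parsed leaves the file alone, since guessing the
# wrong macro set would break the build either way.
update_policy_for_kernel() {
    te=$1
    ver=$(policy_version_from_sestatus)
    if needs_old_permsets "$ver"; then
        downgrade_permsets "$te" && echo "policy v$ver: rewrote $te to old permission sets"
    else
        echo "policy v$ver: keeping new permission sets in $te"
    fi
}
```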
* Re: [LTP] LTP SELinux policy error
From: Chris PeBenito @ 2009-02-03 13:55 UTC (permalink / raw)
To: Serge E. Hallyn; +Cc: Stephen Smalley, ltp-list, selinux
On Sun, 2009-02-01 at 16:54 -0600, Serge E. Hallyn wrote:
> Quoting Christopher J. PeBenito (pebenito@ieee.org):
> > On Fri, 2009-01-30 at 11:37 -0600, Serge E. Hallyn wrote:
> > > Quoting Serge E. Hallyn (serue@us.ibm.com):
> > > > Quoting Stephen Smalley (sds@tycho.nsa.gov):
> > > > > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > > > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > > > > LTP and current Fedora development, and get the following policy
> > > > > > > > compilation error:
> > > > > > > >
> > > > > > > > ----
> > > > > > > > Compiling targeted test_policy module
> > > > > > > >
> > > > > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > > > > [lots of warnings similar to the above]
> > > > > > > >
> > > > > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > > > > tmp/test_policy.tmp
> > > > > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > > > > userdom_use_sysadm_terms(testdomain)
> > > > > > > > # This allows read and write sysadm ttys and ptys.
> > > > > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > > > > make: *** [load] Error 2
> > > > > > > > Failed to build and load test_policy module, aborting test run.
> > > > > > > > ----
> > > > > > > >
> > > > > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > > > > >
> > > > > > > It won't compile with the current trunk refpolicy, since the current
> > > > > > > release was a major, API breaking change. I'll try to get a patch out
> > > > > > > shortly.
> > > > > >
> > > > > > I updated the policy since it's fairly old, though I didn't convert its
> > > > > > raw rules over to use interfaces. However, this didn't completely fix
> > > > > > it, as there is usage of an "unconfined_runs_test()", which isn't in the
> > > > > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > > > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > > > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > > > > to the fedora policy. I have attached my work so someone familiar with
> > >
> > > sysadm_entry_spec_domtrans is in fedora 10's policy sources, at least,
> > > in modules/roles/sysadm.if. (I don't have a fedora devel system
> > > installed).
> >
> > That has the opposite transition direction (the specified domain
> > transitions to sysadm).
>
> Just to make sure...
>
> You're saying that in upstream refpolicy sysadm_entry_spec_domtrans(foo)
> means foo may transition to sysadm_t, while in fedora 10 policy
> sysadm_entry_spec_domtrans(foo) means sysadm_t may transition to
> foo?
No. They have the same behavior. What happened is that the interface
(the one you need to use, not the above ones) used to be called
userdom_sysadm_entry_spec_domtrans_to(). Then I split all of the roles
into individual policy modules, so that interface got renamed to
sysadm_entry_spec_domtrans_to(), except the new interface was
accidentally dropped. So I added it back in, and it just hasn't gotten
downstream yet.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
* Re: [LTP] LTP SELinux policy error
From: Stephen Smalley @ 2009-04-29 18:39 UTC (permalink / raw)
To: subrata; +Cc: Christopher J. PeBenito, ltp-list, selinux, Serge E. Hallyn
On Mon, 2009-02-02 at 19:09 +0530, Subrata Modak wrote:
> Thanks.
>
> Regards--
> Subrata
Subrata - this patch never should have been applied. Chris said that it
was incomplete, and I noted that it conflicted with Serge's
conditionally applied patch. Please revert this, as it breaks the
selinux ltp testsuite and the resulting policy will not build.
>
> On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > LTP and current Fedora development, and get the following policy
> > > > compilation error:
> > > >
> > > > ----
> > > > Compiling targeted test_policy module
> > > >
> > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > [lots of warnings similar to the above]
> > > >
> > > > /usr/bin/checkmodule: loading policy configuration from
> > > > tmp/test_policy.tmp
> > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > userdom_use_sysadm_terms(testdomain)
> > > > # This allows read and write sysadm ttys and ptys.
> > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > make: *** [load] Error 2
> > > > Failed to build and load test_policy module, aborting test run.
> > > > ----
> > > >
> > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > >
> > > It won't compile with the current trunk refpolicy, since the current
> > > release was a major, API breaking change. I'll try to get a patch out
> > > shortly.
> >
> > I updated the policy since it's fairly old, though I didn't convert its
> > raw rules over to use interfaces. However, this didn't completely fix
> > it, as there is usage of an "unconfined_runs_test()", which isn't in the
> > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > the upstream refpolicy, but doesn't seem to have made its way downstream
> > to the fedora policy. I have attached my work so someone familiar with
> > the LTP test cases can use it to complete the fix.
> >
--
Stephen Smalley
National Security Agency
* Re: [LTP] LTP SELinux policy error
From: Subrata Modak @ 2009-04-30 10:26 UTC (permalink / raw)
To: Stephen Smalley
Cc: Christopher J. PeBenito, ltp-list, selinux, Serge E. Hallyn
On Wed, 2009-04-29 at 14:39 -0400, Stephen Smalley wrote:
> On Mon, 2009-02-02 at 19:09 +0530, Subrata Modak wrote:
> > Thanks.
> >
> > Regards--
> > Subrata
>
> Subrata - this patch never should have been applied. Chris said that it
> was incomplete, and I noted that it conflicted with Serge's
> conditionally applied patch. Please revert this, as it breaks the
> selinux ltp testsuite and the resulting policy will not build.
This one too is reverted. Will reflect in today's release.
Regards--
Subrata
>
> >
> > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > LTP and current Fedora development, and get the following policy
> > > > > compilation error:
> > > > >
> > > > > ----
> > > > > Compiling targeted test_policy module
> > > > >
> > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > [lots of warnings similar to the above]
> > > > >
> > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > tmp/test_policy.tmp
> > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > userdom_use_sysadm_terms(testdomain)
> > > > > # This allows read and write sysadm ttys and ptys.
> > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > make: *** [load] Error 2
> > > > > Failed to build and load test_policy module, aborting test run.
> > > > > ----
> > > > >
> > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > >
> > > > It won't compile with the current trunk refpolicy, since the current
> > > > release was a major, API breaking change. I'll try to get a patch out
> > > > shortly.
> > >
> > > I updated the policy since it's fairly old, though I didn't convert its
> > > raw rules over to use interfaces. However, this didn't completely fix
> > > it, as there is usage of an "unconfined_runs_test()", which isn't in the
> > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > to the fedora policy. I have attached my work so someone familiar with
> > > the LTP test cases can use it to complete the fix.
> > >