semodule fails

semodule fails

[Shintaro Fujiwara]

Hi,

When I try to install .pp file, it fails with messages.

#semodule -i postgresql_by_me.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t memory_device_t:chr_file { write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t memory_device_t:chr_file { read };
libsepol.check_assertions: 2 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!

I saw archives and it says that libsepol-1.11 could solve the problem,
but mine is 1.12.

*******************************************
selinux-policy-strict-2.2.29-3.fc5
libsepol-1.12.4-1.fc5
*******************************************

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semodule fails

[Joshua Brindle]

Shintaro Fujiwara wrote:
> Hi,
>
> When I try to install .pp file, it fails with messages.
>
> #semodule -i postgresql_by_me.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t memory_device_t:chr_file { write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t memory_device_t:chr_file { read };
> libsepol.check_assertions: 2 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
>
> I saw archives and it says that libsepol-1.11 could solve the problem,
> but mine is 1.12.
>
>   
What is in postgresql_by_me.te? I suspect this isn't a toolchain failure 
but actually real assertion failures due to just dumping rules from 
audit2allow into a te file.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semodule fails

[Shintaro Fujiwara]

Thank you for your advice.

> What is in postgresql_by_me.te? I suspect this isn't a toolchain failure 
> but actually real assertion failures due to just dumping rules from 
> audit2allow into a te file.

I used policygentool to make policy,so I don't think it is assertion failure.
But I can comment out these and make again...

Here's what postgresql_by_me_t has.
*********
type postgresql_by_me_t;
type postgresql_by_me_exec_t;
domain_type(postgresql_by_me_t)
init_daemon_domain(postgresql_by_me_t, postgresql_by_me_exec_t)
********
files_read_etc_files(postgresql_by_me_t)
libs_use_ld_so(postgresql_by_me_t)
libs_use_shared_libs(postgresql_by_me_t)
miscfiles_read_localization(postgresql_by_me_t)
allow postgresql_by_me_t self:fifo_file { read write };
allow postgresql_by_me_t self:unix_stream_socket create_stream_socket_perms;
*********

I commented out all these macro lines,but failed again...
Thanks.

On Mon, 24 Apr 2006 11:12:55 -0400
Joshua Brindle <method@gentoo.org> wrote:

> Shintaro Fujiwara wrote:
> > Hi,
> >
> > When I try to install .pp file, it fails with messages.
> >
> > #semodule -i postgresql_by_me.pp
> > libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t memory_device_t:chr_file { write };
> > libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t memory_device_t:chr_file { read };
> > libsepol.check_assertions: 2 assertion violations occured
> > libsemanage.semanage_expand_sandbox: Expand module failed
> > semodule: Failed!
> >
> > I saw archives and it says that libsepol-1.11 could solve the problem,
> > but mine is 1.12.
> >
> >   
> What is in postgresql_by_me.te? I suspect this isn't a toolchain failure 
> but actually real assertion failures due to just dumping rules from 
> audit2allow into a te file.
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: semodule fails(I found it !)

[Shintaro Fujiwara]

Oh, I found another .te file which described
allow staff_t stuff...
which I have written some days ago.
I named it by_me.pp and it is loaded.
I found by semodule -l.

Now,I can't semodule -r by_me.pp,so
I had better clear strict policy altogether,
and do it again...

Thank you for let me know the point.


On Tue, 25 Apr 2006 05:40:07 +0900
Shintaro Fujiwara <shin216@xf7.so-net.ne.jp> wrote:

> 
> Thank you for your advice.
> 
> > What is in postgresql_by_me.te? I suspect this isn't a toolchain failure 
> > but actually real assertion failures due to just dumping rules from 
> > audit2allow into a te file.
> 
> I used policygentool to make policy,so I don't think it is assertion failure.
> But I can comment out these and make again...
> 
> Here's what postgresql_by_me_t has.
> *********
> type postgresql_by_me_t;
> type postgresql_by_me_exec_t;
> domain_type(postgresql_by_me_t)
> init_daemon_domain(postgresql_by_me_t, postgresql_by_me_exec_t)
> ********
> files_read_etc_files(postgresql_by_me_t)
> libs_use_ld_so(postgresql_by_me_t)
> libs_use_shared_libs(postgresql_by_me_t)
> miscfiles_read_localization(postgresql_by_me_t)
> allow postgresql_by_me_t self:fifo_file { read write };
> allow postgresql_by_me_t self:unix_stream_socket create_stream_socket_perms;
> *********
> 
> I commented out all these macro lines,but failed again...
> Thanks.
> 
> On Mon, 24 Apr 2006 11:12:55 -0400
> Joshua Brindle <method@gentoo.org> wrote:
> 
> > Shintaro Fujiwara wrote:
> > > Hi,
> > >
> > > When I try to install .pp file, it fails with messages.
> > >
> > > #semodule -i postgresql_by_me.pp
> > > libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t memory_device_t:chr_file { write };
> > > libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t memory_device_t:chr_file { read };
> > > libsepol.check_assertions: 2 assertion violations occured
> > > libsemanage.semanage_expand_sandbox: Expand module failed
> > > semodule: Failed!
> > >
> > > I saw archives and it says that libsepol-1.11 could solve the problem,
> > > but mine is 1.12.
> > >
> > >   
> > What is in postgresql_by_me.te? I suspect this isn't a toolchain failure 
> > but actually real assertion failures due to just dumping rules from 
> > audit2allow into a te file.
> > 
> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> > the words "unsubscribe selinux" without quotes as the message.
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.