Karl MacMillan wrote:
> On Fri, 2007-03-23 at 12:28 -0400, Stephen Smalley wrote:
>> On Fri, 2007-03-23 at 11:51 -0400, Karl MacMillan wrote:
>>> On Fri, 2007-03-23 at 08:34 -0400, Stephen Smalley wrote:
>>>> On Fri, 2007-03-23 at 14:33 +0800, Nerazzurri.YANG wrote:
>>>>> type self;
>>>> Remove the 'type self;' line. Did you add that manually or was it
>>>> generated by the new audit2allow? If the latter, that is a bug.
>>>>
>>> That is a strange bug (if it is - I can't reproduce locally):
>>>
>>> * The way audit2allow works is that self is never stored in the rules,
>>> it is only converted at the point it is output. I did that specifically
>>> to avoid having to special case for self. So it should never add self as
>>> a require.
>>>
>
> Oops - this is what I wanted to do, but it is not actually possible.
> With multiple source types you can't detect self at output time.
>
>>> * None of the rules reference self.
>>>
>>> So, if this was generated by audit2allow could you give me the rpm
>>> version for policycoreutils and the log file that generated the policy.
>> Reproduced with latest upstream version, via:
>> # audit2allow -a -r | grep self
>> type self;
>> allow netutils_t self:capability sys_module;
>
> Patch below fixes this.

Sorry to reply late; you know it's the weekend, and we are in different time zones.
It seems that the problem has been resolved. I will apply the patch and try again.
But I will still give the info you asked for; I think it's helpful for you.

I am on fc7 rawhide (test3 6.92). The rpm version of policycoreutils is:
policycoreutils-2.0.7-4.fc7

Now that there is a patch for the problem, I will not attach the log file; it's so big.

By the way, the reason I use audit2allow to generate the pp is to resolve the problem with mono (beagle). I have sent the details to "fedora-selinux-list", and Mr. Walsh has posted it to the list.

Anyway, thank you very much.

>
> Signed-off-by: Karl MacMillan
>
> diff -r 597d85c85841 sepolgen/src/sepolgen/policygen.py
> --- a/sepolgen/src/sepolgen/policygen.py Wed Mar 21 16:38:20 2007 -0400 > +++ b/sepolgen/src/sepolgen/policygen.py Fri Mar 23 16:44:05 2007 -0400 > @@ -334,6 +334,8 @@ def gen_requires(module): > # can actually figure those out. > r.types.add(arg) > > + r.types.discard("self") > + > node.children.insert(0, r) > > # FUTURE - this is untested on modules with any sort of
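Review bot: The added `r.types.discard("self")` in gen_requires() has no comment saying why it is there, and the surrounding lines do not make it obvious. A short comment above it would help the next reader, for example that `self` is a keyword standing for the rule's source type rather than a declared type, so it must never be emitted as `type self;` in the require block. Since the filter runs once after collection, just before `node.children.insert(0, r)`, it also hides which earlier `r.types.add(...)` call let `self` in; if that call can be identified, skipping `self` there would keep the set correct at every point rather than only at the end. A regression test built from the reproducer in this thread (`allow netutils_t self:capability sys_module;` must not yield `type self;`) would lock the fix in.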