libsepol.expand_terule_helper: duplicate TE rule

libsepol.expand_terule_helper: duplicate TE rule

[Shintaro Fujiwara]

When I try to install apache.pp,

libsepol.expand_terule_helper: duplicate TE rule for httpd_t
exim_exec_t:process system_mail_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

I can't find any lines concerning exim_exec_t anywhere...
Please help.


-- 
Shintaro Fujiwara
segatex project (SELinux policy tool)
http://sourceforge.net/projects/segatex/
Home page
http://intrajp.no-ip.com/
Blog
http://intrajp.no-ip.com/nucleus/
CMS
http://intrajp.no-ip.com/xoops/
Wiki
http://intrajp.no-ip.com/pukiwiki/

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libsepol.expand_terule_helper: duplicate TE rule

[Chris PeBenito]

[-- Attachment #1: Type: text/plain, Size: 679 bytes --]

On Sat, 2007-12-01 at 17:15 +0900, Shintaro Fujiwara wrote:
> When I try to install apache.pp,
> 
> libsepol.expand_terule_helper: duplicate TE rule for httpd_t
> exim_exec_t:process system_mail_t
> libsepol.expand_module: Error during expand
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule:  Failed!
> 
> I can't find any lines concerning exim_exec_t anywhere...
> Please help.

Which distro policy are you using?

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: libsepol.expand_terule_helper: duplicate TE rule

[Shintaro Fujiwara]

Well, as a matter of fact, I installed apache from source.
So, I installed apche into /usr/local/apache2.

I set /etc/selinux/config permissive and found that apache
runs in initrc_t.
But, of course I want to make it run httpd_t.

So, I tried to edit your refpolicy downloading from repository,
newest version.
I commented every

type ...
bool ...
atribute...

including .if of templates.

and set them require {}.

I succeeded make apache.pp all-right, but when I tried to install by
semodule -i apache.pp,
expand_terule_helper says it has an error.

I found exim module in services directory but could not found
anything like process system_mail_t
I could not found those in tmp/apache.mod either.

It's first time I see this error and don't know what it is.

I messed up policy apache or some kind of bug ?

I succeeded install postgresql and mysql by this method all-right.

Thanks for your quick response.


2007/12/2, Chris PeBenito <pebenito@gentoo.org>:
> On Sat, 2007-12-01 at 17:15 +0900, Shintaro Fujiwara wrote:
> > When I try to install apache.pp,
> >
> > libsepol.expand_terule_helper: duplicate TE rule for httpd_t
> > exim_exec_t:process system_mail_t
> > libsepol.expand_module: Error during expand
> > libsemanage.semanage_expand_sandbox: Expand module failed
> > semodule:  Failed!
> >
> > I can't find any lines concerning exim_exec_t anywhere...
> > Please help.
>
> Which distro policy are you using?
>
> --
> Chris PeBenito
> <pebenito@gentoo.org>
> Developer,
> Hardened Gentoo Linux
>
> Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
> Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243
>
>


-- 
Shintaro Fujiwara
segatex project (SELinux policy tool)
http://sourceforge.net/projects/segatex/
Home page
http://intrajp.no-ip.com/
Blog
http://intrajp.no-ip.com/nucleus/
CMS
http://intrajp.no-ip.com/xoops/
Wiki
http://intrajp.no-ip.com/pukiwiki/

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libsepol.expand_terule_helper: duplicate TE rule

[Christopher J. PeBenito]

On Sun, 2007-12-02 at 08:18 +0900, Shintaro Fujiwara wrote:
> Well, as a matter of fact, I installed apache from source.
> So, I installed apche into /usr/local/apache2.
> 
> I set /etc/selinux/config permissive and found that apache
> runs in initrc_t.
> But, of course I want to make it run httpd_t.
> 
> So, I tried to edit your refpolicy downloading from repository,
> newest version.

And the remainder of the policy is which fedora policy version?

> I commented every
> 
> type ...
> bool ...
> atribute...
> 
> including .if of templates.
> 
> and set them require {}.
> 
> I succeeded make apache.pp all-right, but when I tried to install by
> semodule -i apache.pp,
> expand_terule_helper says it has an error.
> 
> I found exim module in services directory but could not found
> anything like process system_mail_t
> I could not found those in tmp/apache.mod either.
> 
> It's first time I see this error and don't know what it is.
> 
> I messed up policy apache or some kind of bug ?
> 
> I succeeded install postgresql and mysql by this method all-right.
> 
> Thanks for your quick response.
> 
> 
> 2007/12/2, Chris PeBenito <pebenito@gentoo.org>:
> > On Sat, 2007-12-01 at 17:15 +0900, Shintaro Fujiwara wrote:
> > > When I try to install apache.pp,
> > >
> > > libsepol.expand_terule_helper: duplicate TE rule for httpd_t
> > > exim_exec_t:process system_mail_t
> > > libsepol.expand_module: Error during expand
> > > libsemanage.semanage_expand_sandbox: Expand module failed
> > > semodule:  Failed!
> > >
> > > I can't find any lines concerning exim_exec_t anywhere...
> > > Please help.
> >
> > Which distro policy are you using?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libsepol.expand_terule_helper: duplicate TE rule

[Shintaro Fujiwara]

Here's I get.

# rpm -qa|grep selinux
libselinux-python-2.0.43-1.fc8
selinux-policy-mls-3.0.8-58.fc8
selinux-doc-1.26-1.1
selinux-policy-3.0.8-58.fc8
selinux-policy-targeted-3.0.8-58.fc8
libselinux-devel-2.0.43-1.fc8
libselinux-2.0.43-1.fc8
selinux-policy-devel-3.0.8-58.fc8

I really want to get F8 server run (apache)..

2007/12/3, Christopher J. PeBenito <cpebenito@tresys.com>:
> On Sun, 2007-12-02 at 08:18 +0900, Shintaro Fujiwara wrote:
> > Well, as a matter of fact, I installed apache from source.
> > So, I installed apche into /usr/local/apache2.
> >
> > I set /etc/selinux/config permissive and found that apache
> > runs in initrc_t.
> > But, of course I want to make it run httpd_t.
> >
> > So, I tried to edit your refpolicy downloading from repository,
> > newest version.
>
> And the remainder of the policy is which fedora policy version?
>
> > I commented every
> >
> > type ...
> > bool ...
> > atribute...
> >
> > including .if of templates.
> >
> > and set them require {}.
> >
> > I succeeded make apache.pp all-right, but when I tried to install by
> > semodule -i apache.pp,
> > expand_terule_helper says it has an error.
> >
> > I found exim module in services directory but could not found
> > anything like process system_mail_t
> > I could not found those in tmp/apache.mod either.
> >
> > It's first time I see this error and don't know what it is.
> >
> > I messed up policy apache or some kind of bug ?
> >
> > I succeeded install postgresql and mysql by this method all-right.
> >
> > Thanks for your quick response.
> >
> >
> > 2007/12/2, Chris PeBenito <pebenito@gentoo.org>:
> > > On Sat, 2007-12-01 at 17:15 +0900, Shintaro Fujiwara wrote:
> > > > When I try to install apache.pp,
> > > >
> > > > libsepol.expand_terule_helper: duplicate TE rule for httpd_t
> > > > exim_exec_t:process system_mail_t
> > > > libsepol.expand_module: Error during expand
> > > > libsemanage.semanage_expand_sandbox: Expand module failed
> > > > semodule:  Failed!
> > > >
> > > > I can't find any lines concerning exim_exec_t anywhere...
> > > > Please help.
> > >
> > > Which distro policy are you using?
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
>


-- 
Shintaro Fujiwara
segatex project (SELinux policy tool)
http://sourceforge.net/projects/segatex/
Home page
http://intrajp.no-ip.com/
Blog
http://intrajp.no-ip.com/nucleus/
CMS
http://intrajp.no-ip.com/xoops/
Wiki
http://intrajp.no-ip.com/pukiwiki/

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libsepol.expand_terule_helper: duplicate TE rule

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Shintaro Fujiwara wrote:
> When I try to install apache.pp,
> 
> libsepol.expand_terule_helper: duplicate TE rule for httpd_t
> exim_exec_t:process system_mail_t
> libsepol.expand_module: Error during expand
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule:  Failed!
> 
> I can't find any lines concerning exim_exec_t anywhere...
> Please help.
> 
> 
in mta.if,

mta_send_mail has the following


	domtrans_pattern($1, mailclient_exec_type, system_mail_t)
	allow system_mail_t mailclient_exec_type:file entrypoint;


And

interface(`mta_mailclient',`
	gen_require(`
		attribute mailclient_exec_type;
	')

	typeattribute $1 mailclient_exec_type;
')


In exim.te

mta_mailclient(exim_exec_t)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHVWAXrlYvE4MpobMRAsGsAJ9yGCZ4fMMuLn8FIf5V7IdOIjcYVgCeJVwo
45S6MoKx9nAW6430eJiaJNY=
=L/mO
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libsepol.expand_terule_helper: duplicate TE rule

[Shintaro Fujiwara]

2007/12/4, Daniel J Walsh <dwalsh@redhat.com>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Shintaro Fujiwara wrote:
> > When I try to install apache.pp,
> >
> > libsepol.expand_terule_helper: duplicate TE rule for httpd_t
> > exim_exec_t:process system_mail_t
> > libsepol.expand_module: Error during expand
> > libsemanage.semanage_expand_sandbox: Expand module failed
> > semodule:  Failed!
> >
> > I can't find any lines concerning exim_exec_t anywhere...
> > Please help.
> >
> >
> in mta.if,
>
> mta_send_mail has the following
>
>
>         domtrans_pattern($1, mailclient_exec_type, system_mail_t)
>         allow system_mail_t mailclient_exec_type:file entrypoint;
>
>
> And
>
> interface(`mta_mailclient',`
>         gen_require(`
>                 attribute mailclient_exec_type;
>         ')
>
>         typeattribute $1 mailclient_exec_type;
> ')
>
>
> In exim.te
>
> mta_mailclient(exim_exec_t)

Thank you, but, I commented line,

mta_send_mail(httpd_t)

and make apache.pp again but still I have an error.
I'm stuck.


> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFHVWAXrlYvE4MpobMRAsGsAJ9yGCZ4fMMuLn8FIf5V7IdOIjcYVgCeJVwo
> 45S6MoKx9nAW6430eJiaJNY=
> =L/mO
> -----END PGP SIGNATURE-----
>


-- 
Shintaro Fujiwara
segatex project (SELinux policy tool)
http://sourceforge.net/projects/segatex/
Home page
http://intrajp.no-ip.com/
Blog
http://intrajp.no-ip.com/nucleus/
CMS
http://intrajp.no-ip.com/xoops/
Wiki
http://intrajp.no-ip.com/pukiwiki/

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libsepol.expand_terule_helper: duplicate TE rule

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Shintaro Fujiwara wrote:
> 2007/12/4, Daniel J Walsh <dwalsh@redhat.com>:
> Shintaro Fujiwara wrote:
>>>> When I try to install apache.pp,
>>>>
>>>> libsepol.expand_terule_helper: duplicate TE rule for httpd_t
>>>> exim_exec_t:process system_mail_t
>>>> libsepol.expand_module: Error during expand
>>>> libsemanage.semanage_expand_sandbox: Expand module failed
>>>> semodule:  Failed!
>>>>
>>>> I can't find any lines concerning exim_exec_t anywhere...
>>>> Please help.
>>>>
>>>>
> in mta.if,
> 
> mta_send_mail has the following
> 
> 
>         domtrans_pattern($1, mailclient_exec_type, system_mail_t)
>         allow system_mail_t mailclient_exec_type:file entrypoint;
> 
> 
> And
> 
> interface(`mta_mailclient',`
>         gen_require(`
>                 attribute mailclient_exec_type;
>         ')
> 
>         typeattribute $1 mailclient_exec_type;
> ')
>at
> 
> In exim.te
> 
> mta_mailclient(exim_exec_t)
> 
>> Thank you, but, I commented line,
> 
>> mta_send_mail(httpd_t)
> 
>> and make apache.pp again but still I have an error.
>> I'm stuck.
> 
> 
>>
Same error? I would check your source file to make sure mta_send_mail is
not coming from somewhere else.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHVh0CrlYvE4MpobMRAgRiAJ9zuF7+6nNB7JWxd+88aMhl1eHEEQCeLPpo
DY9lWAfx29hWmugTTSrDw+c=
=P9KS
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libsepol.expand_terule_helper: duplicate TE rule

[Shintaro Fujiwara]

2007/12/5, Daniel J Walsh <dwalsh@redhat.com>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Shintaro Fujiwara wrote:
> > 2007/12/4, Daniel J Walsh <dwalsh@redhat.com>:
> > Shintaro Fujiwara wrote:
> >>>> When I try to install apache.pp,
> >>>>
> >>>> libsepol.expand_terule_helper: duplicate TE rule for httpd_t
> >>>> exim_exec_t:process system_mail_t
> >>>> libsepol.expand_module: Error during expand
> >>>> libsemanage.semanage_expand_sandbox: Expand module failed
> >>>> semodule:  Failed!
> >>>>
> >>>> I can't find any lines concerning exim_exec_t anywhere...
> >>>> Please help.
> >>>>
> >>>>
> > in mta.if,
> >
> > mta_send_mail has the following
> >
> >
> >         domtrans_pattern($1, mailclient_exec_type, system_mail_t)
> >         allow system_mail_t mailclient_exec_type:file entrypoint;
> >
> >
> > And
> >
> > interface(`mta_mailclient',`
> >         gen_require(`
> >                 attribute mailclient_exec_type;
> >         ')
> >
> >         typeattribute $1 mailclient_exec_type;
> > ')
> >at
> >
> > In exim.te
> >
> > mta_mailclient(exim_exec_t)
> >
> >> Thank you, but, I commented line,
> >
> >> mta_send_mail(httpd_t)
> >
> >> and make apache.pp again but still I have an error.
> >> I'm stuck.
> >
> >
> >>
> Same error? I would check your source file to make sure mta_send_mail is
> not coming from somewhere else.

In apache.if, apache_content_template has
        #optional_policy(`
        #       mta_send_mail(httpd_$1_script_t)
        #')
So, I commented like above, and made apache.pp again, and
this time I succeeded installing apache.pp.

Thank you very much, Mr. SELinux.



> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFHVh0CrlYvE4MpobMRAgRiAJ9zuF7+6nNB7JWxd+88aMhl1eHEEQCeLPpo
> DY9lWAfx29hWmugTTSrDw+c=
> =P9KS
> -----END PGP SIGNATURE-----
>


-- 
Shintaro Fujiwara
segatex project (SELinux policy tool)
http://sourceforge.net/projects/segatex/
Home page
http://intrajp.no-ip.com/
Blog
http://intrajp.no-ip.com/nucleus/
CMS
http://intrajp.no-ip.com/xoops/
Wiki
http://intrajp.no-ip.com/pukiwiki/

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.