* Problem about audit-test-2090 + refpolicy-2.20091117
From: TaurusHarry @ 2010-08-18 10:26 UTC
To: selinux-mailing-list, refpolicy-mailing-list
Hi SELinux experts,
When trying to build the lspp_test.pp provided as audit-test-2090/utils/selinux-policy/lspp_test.* along with the refpolicy-20091117 source code, I copied the lspp_test.* files to policy/modules/apps/ and then modified policy/modules.conf to declare "lspp_test = module", but I ran into the error message below:
support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/apps/lspp_test.te
which wipes out the "lspp_test = module" declaration line in modules.conf! How can I tackle this kind of error message? What's wrong in lspp_test.te? (attached for your reference)
BTW, if I compile lspp_test.pp within the audit-test-2090 package itself, everything is fine except for a warning that the "role dominance rule is deprecated", but I failed to insert it on my target, which has the refpolicy-2.20091117 policy image in place:
[root/secadm_r/s0@qemu-host selinux-policy]# semodule -i lspp_test.pp
libsepol.expand_terule_helper: conflicting TE rule for (lspp_test_generic_t, sepgsql_db_t:db_table): old was user_sepgsql_table_t, new is sepgsql_table_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[root/secadm_r/s0@qemu-host selinux-policy]#
So far I am clueless about this problem; how should I deal with it?
Any comment is greatly appreciated!
Thank you very much!
Harry
[-- Attachment #2: lspp_test.te --]
[-- Type: application/octet-stream, Size: 8614 bytes --]
###############################################################################
# (c) Copyright Hewlett-Packard Development Company, L.P., 2007
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of version 2 the GNU General Public License as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
###############################################################################
#######
#
# LSPP test SELinux policy module
#
#
define(`ROLES_ALL',`sysadm_r secadm_r auditadm_r staff_r')
###
#
# module information
#
#
# In this section include the general SELinux reference policy bits, such as
# the policy_module() and gen_require() statements.
#
policy_module(lspp_test,0.5.7)
# we really shouldn't be accessing these policy constructs directly but there
# isn't always a policy interface available for what we want to do, so just
# include them in the gen_require() statement and move on
gen_require(`
# roles
role sysadm_r, secadm_r, auditadm_r, staff_r;
# attributes
attribute domain;
# domains
type auditd_t, inetd_t, initrc_t, passwd_t;
# objects
type auditd_log_t, sysadm_lpr_t, ipsec_spd_t;
')
###
#
# types and attributes
#
#
# In this section include any news domains/types used by this policy module
# as well as any reference policy interface calls used to assign basic
# qualities, such as type attributes, to these new domains/types.
#
# all domains
attribute lspp_domains;
# all test domains, i.e. lspp_test_*_t
attribute lspp_test_domains;
# harness (MLS overrides)
userdom_admin_user_template(lspp_harness)
typeattribute lspp_harness_t lspp_domains;
type lspp_harness_exec_t;
corecmd_executable_file(lspp_harness_exec_t)
domain_entry_file(lspp_harness_t,lspp_harness_exec_t)
# generic test domain (no MLS overrides)
userdom_unpriv_user_template(lspp_test_generic)
typeattribute lspp_test_generic_t lspp_test_domains, lspp_domains;
type lspp_test_generic_exec_t;
corecmd_executable_file(lspp_test_generic_exec_t)
domain_entry_file(lspp_test_generic_t,lspp_test_generic_exec_t)
# netlabel test (no MLS overrides)
userdom_unpriv_user_template(lspp_test_netlabel)
typeattribute lspp_test_netlabel_t lspp_test_domains, lspp_domains;
# ipsec test (no MLS overrides)
userdom_unpriv_user_template(lspp_test_ipsec)
typeattribute lspp_test_ipsec_t lspp_test_domains, lspp_domains;
# all directories
attribute lspp_directories;
# directory types
type lspp_test_harness_dir_t, lspp_directories;
files_type(lspp_test_harness_dir_t)
type lspp_test_dir_t, lspp_directories;
files_type(lspp_test_dir_t)
type lspp_test_exec_dir_t, lspp_directories;
files_type(lspp_test_exec_dir_t)
# file types
type lspp_test_file_t;
files_type(lspp_test_file_t)
type lspp_test_conf_t;
files_type(lspp_test_conf_t)
type lspp_test_output_t;
files_type(lspp_test_output_t)
###
#
# role policy
#
#
# In this section include any new roles used by this policy module as well as
# any role allow rules to define the transition between these roles and
# existing roles.
#
role lspp_test_r types domain;
dominance {
role lspp_test_r {
role sysadm_r;
role secadm_r;
role auditadm_r;
role staff_r;
}
}
# add the lspp test types to the generic object role
role system_r types lspp_domains;
# allow role transitions between the test role and all other roles
allow lspp_test_r { ROLES_ALL };
allow { ROLES_ALL } lspp_test_r;
###
#
# object policy
#
#
# In this section include any allow rules or reference policy interface calls
# that affect the types/objects defined in this policy module.
#
# allow every domain to read the test directory
allow domain lspp_directories:dir list_dir_perms;
# make the log files trusted objects
mls_trusted_object(lspp_test_output_t)
# make test harness created objects (i.e. std{in,out,err} fds, temp files, etc)
# trusted objects
mls_trusted_object(lspp_harness_t)
#mls_trusted_object(lspp_harness_tmp_t)
# default file types
type_transition lspp_domains lspp_test_harness_dir_t:file lspp_harness_exec_t;
type_transition lspp_domains lspp_test_dir_t:file lspp_test_output_t;
type_transition lspp_domains lspp_test_exec_dir_t:file lspp_test_generic_exec_t;
type_transition lspp_domains lspp_test_dir_t:fifo_file lspp_test_file_t;
###
#
# domain policy
#
#
# In this section, which spans to the end of the policy module, include any
# allow rules or reference policy interface calls that affect the domains
# defined in this policy module. For example, any allow rule with a subject
# defined within this policy module should most likely be in this section
# assuming it doesn't fit within any of the other sections elsewhere in this
# module.
#
# NOTE: keep section markers as a single "#". support/segenxml.py treats any
# line that starts with "##" followed by whitespace as an XML documentation
# comment and expects it to sit directly above an interface, template,
# boolean or policy_module() declaration; unclaimed ones trigger the
# "orphan XML comments at bottom of file" warning.
#
# regular policy additions
#
#
# These are policy changes which only affect the base policy domains/types
# but are needed for the LSPP test suite. Additions here should be heavily
# scrutinized and kept to a bare minimum.
#
# allow the inetd_t domain to bind to any port, needed for the test daemon
corenet_tcp_bind_generic_port(inetd_t)
corenet_udp_bind_generic_port(inetd_t)
# allow the local login domain to search devpts_t
allow local_login_t devpts_t:dir search;
# allow auditd to use temporary filesystems for logging
fs_associate_tmpfs(auditd_log_t)
files_search_tmp(auditd_t)
#
# harness domain
#
# transition to the harness domain automatically when running harness apps
domain_auto_trans(domain,lspp_harness_exec_t,lspp_harness_t)
# allow manual transitions to any other domain on the system
allow lspp_harness_t domain:process transition;
# give the harness domain mls override privleges
mls_file_read_all_levels(lspp_harness_t)
mls_file_write_all_levels(lspp_harness_t)
mls_file_upgrade(lspp_harness_t)
mls_file_downgrade(lspp_harness_t)
mls_fd_use_all_levels(lspp_harness_t)
mls_fd_share_all_levels(lspp_harness_t)
mls_socket_read_all_levels(lspp_harness_t)
mls_socket_write_all_levels(lspp_harness_t)
mls_net_receive_all_levels(lspp_harness_t)
mls_sysvipc_read_all_levels(lspp_harness_t)
mls_sysvipc_write_all_levels(lspp_harness_t)
mls_rangetrans_source(lspp_harness_t)
mls_process_read_up(lspp_harness_t)
mls_process_write_down(lspp_harness_t)
mls_process_set_level(lspp_harness_t)
mls_context_translate_all_levels(lspp_harness_t)
# give the harness domain "unconfined" access
unconfined_domain_noaudit(lspp_harness_t)
# give the harness domain newrole access
seutil_run_newrole(lspp_harness_t,lspp_test_r,{ ttynode ptynode })
#authlogin_per_role_template(lspp_harness,lspp_harness_t,lspp_test_r)
# give the harness domain auditctl access
logging_run_auditctl(lspp_harness_t,lspp_test_r,{ ttynode ptynode })
# give the harness domain access to run_init
seutil_run_runinit(lspp_harness_t,lspp_test_r,{ ttynode ptynode })
allow initrc_t lspp_harness_t:fd use;
# give the harness domain access to the local login domain
locallogin_domtrans(lspp_harness_t)
#allow local_login_t lspp_harness_devpts_t:chr_file { read write ioctl relabelfrom relabelto setattr getattr };
# give the harness domain access to the sysadm lpr domain
#allow sysadm_lpr_t lspp_harness_devpts_t:chr_file { read write };
# give the harness domain access to all the other test domain's associations
allow lspp_harness_t lspp_domains:association { setcontext recvfrom };
# give the harness domain access to the passwd type
role lspp_test_r types passwd_t;
#
# generic test domain
#
# transition to the generic test domain by default when running tests
domain_auto_trans(lspp_harness_t,lspp_test_generic_exec_t,lspp_test_generic_t)
# give the test domain "unconfined" access
unconfined_domain_noaudit(lspp_test_generic_t)
#
# netlabel test domain
#
# give the test domain "unconfined" access
unconfined_domain_noaudit(lspp_test_netlabel_t)
# allow mls overrides for file "write" access
mls_file_write_all_levels(lspp_test_netlabel_t)
#
# ipsec test domain
#
# give the test domain "unconfined" access
unconfined_domain_noaudit(lspp_test_ipsec_t)
# allow mls overrides for file "write" access
mls_file_write_all_levels(lspp_test_ipsec_t)
# give the test domain the ability to match against the SPD entries
allow lspp_test_ipsec_t ipsec_spd_t:association polmatch;
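The segenxml warning quoted in the message above comes from refpolicy's documentation extractor, which treats a line beginning with "##" followed by whitespace as an XML doc comment and expects such comments to sit directly above an interface, template, boolean or policy_module() declaration; comments still unclaimed at end of file are the "orphan XML comments at bottom of file". The following is an added example, not part of the original message or of the audit-test project: a small Python model of that check run over a constructed fragment in the style of lspp_test.te, plus a fixer that demotes unclaimed "## " lines to ordinary "#" comments. The regular expressions are assumptions approximating segenxml.py, not copied from it; under the pattern modelled here a bare "##" with no trailing whitespace does not count as a doc comment.

```python
import re
from typing import List, Tuple

# Simplified model of the doc-comment parser in refpolicy's support/segenxml.py.
# Assumption: these patterns approximate the tool's behaviour; they were written
# for this example and are not copied from segenxml.py.
XML_COMMENT = re.compile(r"^\s*##\s+(.*?)\s*$")   # "## <summary>..." style doc lines
DECLARATION = re.compile(
    r"^\s*(interface|template|policy_module|gen_tunable|gen_bool)\("
)

# Constructed fragment in the style of lspp_test.te (not the real file):
# line 1 documents the module, lines 8 and 11 are section headers that were
# written with "##" and therefore look like documentation to segenxml.
SAMPLE_TE = """\
## <summary>LSPP test SELinux policy module</summary>
policy_module(lspp_test, 0.5.7)

###
# types and attributes (a "###" bar does not match the doc-comment pattern)
attribute lspp_domains;

## regular policy additions
corenet_tcp_bind_generic_port(inetd_t)

## harness domain
domain_auto_trans(domain, lspp_harness_exec_t, lspp_harness_t)
"""


def find_orphan_xml_comments(te_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, text) for '## ' doc comments that no declaration claims.

    Doc comments accumulate until an interface/template/policy_module()/boolean
    declaration consumes them; whatever is still pending at end of file is
    orphaned, which is what "orphan XML comments at bottom of file" reports.
    """
    pending: List[Tuple[int, str]] = []
    for lineno, line in enumerate(te_text.splitlines(), start=1):
        m = XML_COMMENT.match(line)
        if m:
            pending.append((lineno, m.group(1)))
        elif DECLARATION.match(line):
            pending = []  # claimed by this declaration
    return pending


def demote_orphan_comments(te_text: str) -> str:
    """Rewrite orphaned '## ' lines as plain '# ' comments so segenxml ignores them."""
    orphans = {lineno for lineno, _ in find_orphan_xml_comments(te_text)}
    fixed = []
    for lineno, line in enumerate(te_text.splitlines(), start=1):
        if lineno in orphans:
            line = re.sub(r"^(\s*)##", r"\1#", line, count=1)
        fixed.append(line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for lineno, text in find_orphan_xml_comments(SAMPLE_TE):
        print(f"orphan XML comment at line {lineno}: {text!r}")
```

Run against a real .te file, find_orphan_xml_comments() points at the exact lines to rewrite; the module documentation directly above policy_module() is left alone because that declaration claims it.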
* Re: Problem about audit-test-2090 + refpolicy-2.20091117
From: Paul Moore @ 2010-08-18 11:52 UTC
To: TaurusHarry; +Cc: selinux-mailing-list, refpolicy-mailing-list
On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
> Hi SELinux experts,
>
> When I am trying to build the lspp_test.pp provided by
> audit-test-2090/utils/selinux-policy/lspp_test.* along with the
> refpolicy-20091117 source code, I copied lspp_test.* files to
> policy/modules/apps/ and then modified policy/modules.conf to declare
> "lspp_test = module", but I run into below error message ...
Is there any reason why you copied the lspp_test policy files to the
refpolicy sources and tried to build it there? I'm not completely sure
that this is the cause of your problem but I can say for certain that
this is not a tested procedure for building the lspp_test module.
The normal procedure is to build the lspp_test policy module separately
from the system's main SELinux policy, e.g. build and install the normal
system's SELinux policy (refpolicy-20091117 in your case) and after you
have verified that everything is working correctly you can change to the
audit-test-*/utils/selinux-policy directory and use the
Makefile located there to build the lspp_test module.
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* RE: Problem about audit-test-2090 + refpolicy-2.20091117
From: TaurusHarry @ 2010-08-18 13:24 UTC
To: paul.moore; +Cc: selinux-mailing-list, refpolicy
Hi Paul,
> Subject: Re: Problem about audit-test-2090 + refpolicy-2.20091117
> From: paul.moore@hp.com
> To: harrytaurus2002@hotmail.com
> CC: selinux@tycho.nsa.gov; refpolicy@oss1.tresys.com
> Date: Wed, 18 Aug 2010 07:52:47 -0400
>
> On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
> > Hi SELinux experts,
> >
> > When I am trying to build the lspp_test.pp provided by
> > audit-test-2090/utils/selinux-policy/lspp_test.* along with the
> > refpolicy-20091117 source code, I copied lspp_test.* files to
> > policy/modules/apps/ and then modified policy/modules.conf to declare
> > "lspp_test = module", but I run into below error message ...
>
> Is there any reason why you copied the lspp_test policy files to the
> refpolicy sources and tried to build it there? I'm not completely sure
> that this is the cause of your problem but I can say for certain that
> this is not a tested procedure for building the lspp_test module.
>
> The normal procedure is to build the lspp_test policy module separately
> from the system's main SELinux policy, e.g. build and install the normal
> system's SELinux policy (refpolicy-20091117 in your case) and after you
> have verified that everything is working correctly you can change to the
> audit-test-*/utils/selinux-policy directory and use the
> Makefile located there to build the lspp_test module.
>
Many many thanks for your response!
Well, after I installed the SELinux headers properly, I could enter audit-test/utils/selinux-policy/ and successfully build lspp_test.pp there; however, I ran into the error messages below when trying to insert it:
[root/secadm_r/s0@qemu-host selinux-policy]# semodule -i lspp_test.pp
libsepol.expand_terule_helper: conflicting TE rule for (lspp_test_generic_t, sepgsql_db_t:db_table): old was user_sepgsql_table_t, new is sepgsql_table_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[root/secadm_r/s0@qemu-host selinux-policy]#
Very honestly speaking, I am clueless about this error message, so I tried to compile lspp_test.pp along with the refpolicy source code just to see if the problem would simply disappear. Do you have any comments or suggestions about it?
Moreover, audit-test-2090 seems to be a little "older" than refpolicy-2.20091117; for example, lspp_test.te calls mls_file_read_up() rather than the expected mls_file_read_all_levels(). Do you know if I could find a later version of the audit-test package or of the lspp_test.* files?
Thank you very much!
Best regards,
Harry
* [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117
From: Dominick Grift @ 2010-08-18 13:38 UTC
To: refpolicy
On 08/18/2010 03:24 PM, TaurusHarry wrote:
>
> Hi Paul,
>
>> Subject: Re: Problem about audit-test-2090 + refpolicy-2.20091117
>> From: paul.moore at hp.com
>> To: harrytaurus2002 at hotmail.com
>> CC: selinux at tycho.nsa.gov; refpolicy at oss1.tresys.com
>> Date: Wed, 18 Aug 2010 07:52:47 -0400
>>
>> On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
>>> Hi SELinux experts,
>>>
>>> When I am trying to build the lspp_test.pp provided by
>>> audit-test-2090/utils/selinux-policy/lspp_test.* along with the
>>> refpolicy-20091117 source code, I copied lspp_test.* files to
>>> policy/modules/apps/ and then modified policy/modules.conf to declare
>>> "lspp_test = module", but I run into below error message ...
>>
>> Is there any reason why you copied the lspp_test policy files to the
>> refpolicy sources and tried to build it there? I'm not completely sure
>> that this is the cause of your problem but I can say for certain that
>> this is not a tested procedure for building the lspp_test module.
>>
>> The normal procedure is to build the lspp_test policy module separately
>> from the system's main SELinux policy, e.g. build and install the normal
>> system's SELinux policy (refpolicy-20091117 in your case) and after you
>> have verified that everything is working correctly you can change to the
>> audit-test-*/utils/selinux-policy directory and use the
>> Makefile located there to build the lspp_test module.
>>
>
> Many many thanks for your response!
>
> Well, after I installed the SELinux headers properly, I could enter audit-test/utils/selinux-policy/ and successfully build lspp_test.pp there; however, I ran into the error messages below when trying to insert it:
>
> [root/secadm_r/s0 at qemu-host selinux-policy]# semodule -i lspp_test.pp
> libsepol.expand_terule_helper: conflicting TE rule for (lspp_test_generic_t, sepgsql_db_t:db_table): old was user_sepgsql_table_t, new is sepgsql_table_t
> libsepol.expand_module: Error during expand
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> [root/secadm_r/s0 at qemu-host selinux-policy]#
It's a bug in policy somewhere, I believe. Where exactly is kind of hard
to determine. Do you have any custom modules loaded? In particular
custom modules that call either userdom_unpriv_user_template or
postgresql_role.
The issue is that there's a conflict: some module uses (old)
sepgsql_table_t, whilst another uses (new) user_sepgsql_table_t.
So my guess is that you have a custom user domain policy loaded that was
not updated when you updated refpolicy. Maybe even lspp_test.pp is it.
If that is true, then you would need to build a new lspp_test.pp from
lspp_test.te.
> Very honestly speaking, I am clueless about this error message, so I tried to compile lspp_test.pp along with the refpolicy source code just to see if the problem would simply disappear. Do you have any comments or suggestions about it?
>
>
>
> Moreover, audit-test-2090 seems to be a little "older" than refpolicy-2.20091117; for example, lspp_test.te calls mls_file_read_up() rather than the expected mls_file_read_all_levels(). Do you know if I could find a later version of the audit-test package or of the lspp_test.* files?
>
>
>
> Thank you very much!
>
>
>
> Best regards,
>
> Harry
>
* [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117
From: Dominick Grift @ 2010-08-18 13:43 UTC
To: refpolicy
On 08/18/2010 03:24 PM, TaurusHarry wrote:
>
> Hi Paul,
>
>> Subject: Re: Problem about audit-test-2090 + refpolicy-2.20091117
>> From: paul.moore at hp.com
>> To: harrytaurus2002 at hotmail.com
>> CC: selinux at tycho.nsa.gov; refpolicy at oss1.tresys.com
>> Date: Wed, 18 Aug 2010 07:52:47 -0400
>>
>> On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
>>> Hi SELinux experts,
>>>
>>> When I am trying to build the lspp_test.pp provided by
>>> audit-test-2090/utils/selinux-policy/lspp_test.* along with the
>>> refpolicy-20091117 source code, I copied lspp_test.* files to
>>> policy/modules/apps/ and then modified policy/modules.conf to declare
>>> "lspp_test = module", but I run into below error message ...
>>
>> Is there any reason why you copied the lspp_test policy files to the
>> refpolicy sources and tried to build it there? I'm not completely sure
>> that this is the cause of your problem but I can say for certain that
>> this is not a tested procedure for building the lspp_test module.
>>
>> The normal procedure is to build the lspp_test policy module separately
>> from the system's main SELinux policy, e.g. build and install the normal
>> system's SELinux policy (refpolicy-20091117 in your case) and after you
>> have verified that everything is working correctly you can change to the
>> audit-test-*/utils/selinux-policy directory and use the
>> Makefile located there to build the lspp_test module.
>>
>
> Many many thanks for your response!
>
> Well, after I installed the SELinux headers properly, I could enter audit-test/utils/selinux-policy/ and successfully build lspp_test.pp there; however, I ran into the error messages below when trying to insert it:
>
> [root/secadm_r/s0 at qemu-host selinux-policy]# semodule -i lspp_test.pp
> libsepol.expand_terule_helper: conflicting TE rule for (lspp_test_generic_t, sepgsql_db_t:db_table): old was user_sepgsql_table_t, new is sepgsql_table_t
> libsepol.expand_module: Error during expand
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> [root/secadm_r/s0 at qemu-host selinux-policy]#
>
> Very honestly speaking, I am clueless about this error message, so I tried to compile lspp_test.pp along with the refpolicy source code just to see if the problem would simply disappear. Do you have any comments or suggestions about it?
>
Basically I think your lspp_test.pp is incompatible with your version of
refpolicy (the type user_sepgsql_table_t used in refpolicy conflicts
with the type sepgsql_table_t in lspp_test.pp).
Or at least so I think...
>
> Moreover, audit-test-2090 seems to be a little "older" than refpolicy-2.20091117; for example, lspp_test.te calls mls_file_read_up() rather than the expected mls_file_read_all_levels(). Do you know if I could find a later version of the audit-test package or of the lspp_test.* files?
>
>
>
> Thank you very much!
>
>
>
> Best regards,
>
> Harry
>
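To make the libsepol message in this thread concrete: expand_terule_helper raises it while a module is being expanded into kernel policy, once attributes have been replaced by their member types, whenever two rules end up assigning different default types to the same (source, target, object class) triple. Whether the two rules come from two modules, as Dominick suggests, or from two interfaces called on the same domain inside one module, the check is identical. The following is an added example written for this page, not code from the thread or from the audit-test project: it parses type_transition rules in the shape "sesearch -T" prints them, expands attributes with a constructed membership map, and reports clashes in libsepol's own wording. The rule lines, the attribute sepgsql_unconfined_type and its members are assumptions made for the illustration, not a claim about refpolicy 20091117.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str, str]  # (source, target, object class, default type)
Key = Tuple[str, str, str]        # (source, target, object class)

# Accepts both "sepgsql_db_t:db_table" and "sepgsql_db_t : db_table" spellings.
TT_RE = re.compile(r"^\s*type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;?\s*$")

# Constructed rule lines in the shape `sesearch -T` prints them; they are not
# output from the poster's system. The attribute sepgsql_unconfined_type and
# the membership map below are assumptions made for this illustration.
RULES = """\
type_transition lspp_test_generic_t sepgsql_db_t:db_table user_sepgsql_table_t;
type_transition sepgsql_unconfined_type sepgsql_db_t : db_table sepgsql_table_t;
type_transition lspp_domains lspp_test_dir_t:file lspp_test_output_t;
"""
ATTRIBUTES: Dict[str, Set[str]] = {
    "sepgsql_unconfined_type": {"lspp_test_generic_t", "unconfined_t"},
    "lspp_domains": {"lspp_harness_t", "lspp_test_generic_t"},
}


def parse_rules(text: str) -> List[Rule]:
    """Pick type_transition rules out of rule listing text; other lines are ignored."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = TT_RE.match(line)
        if m:
            src, tgt, cls, dflt = m.groups()
            rules.append((src, tgt, cls, dflt))
    return rules


def expand(rule: Rule, attributes: Dict[str, Set[str]]) -> List[Rule]:
    """Replace an attribute in the source or target field by each of its member types.

    This is the step libsepol performs when a module is expanded into kernel
    policy: a rule written against an attribute becomes one rule per member.
    """
    src, tgt, cls, dflt = rule
    sources = sorted(attributes.get(src, {src}))
    targets = sorted(attributes.get(tgt, {tgt}))
    return [(s, t, cls, dflt) for s in sources for t in targets]


def find_conflicts(rules: List[Rule], attributes: Dict[str, Set[str]]) -> Dict[Key, List[str]]:
    """Keys that end up with more than one distinct default type after expansion.

    Default types are kept in the order encountered, matching the
    "old was X, new is Y" wording of libsepol's message.
    """
    defaults: Dict[Key, List[str]] = defaultdict(list)
    for rule in rules:
        for src, tgt, cls, dflt in expand(rule, attributes):
            if dflt not in defaults[(src, tgt, cls)]:
                defaults[(src, tgt, cls)].append(dflt)
    return {key: seen for key, seen in defaults.items() if len(seen) > 1}


def describe(conflicts: Dict[Key, List[str]]) -> List[str]:
    """Render each conflict the way libsepol.expand_terule_helper reports it."""
    return [
        f"conflicting TE rule for ({src}, {tgt}:{cls}): old was {seen[0]}, new is {seen[1]}"
        for (src, tgt, cls), seen in sorted(conflicts.items())
    ]


if __name__ == "__main__":
    for line in describe(find_conflicts(parse_rules(RULES), ATTRIBUTES)):
        print(line)
```

On the affected system, "sesearch -T -t sepgsql_db_t -c db_table" against the installed policy lists the db_table default-type rules that are already present before lspp_test.pp is added; comparing those with the interfaces lspp_test.te calls on lspp_test_generic_t (userdom_unpriv_user_template and unconfined_domain_noaudit both touch that domain) narrows down where each of the two defaults comes from.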
* RE: Problem about audit-test-2090 + refpolicy-2.20091117
From: Paul Moore @ 2010-08-18 15:29 UTC
To: TaurusHarry; +Cc: selinux-mailing-list, refpolicy
On Wed, 2010-08-18 at 13:24 +0000, TaurusHarry wrote:
> Many many thanks for your response!
>
> Well, after I installed the SELinux headers properly, I could enter
> audit-test/utils/selinux-policy/ and successfully build lspp_test.pp
> there; however, I ran into the error messages below when trying to insert
> it:
>
> [root/secadm_r/s0@qemu-host selinux-policy]# semodule -i lspp_test.pp
> libsepol.expand_terule_helper: conflicting TE rule for
> ( lspp_test_generic_t, sepgsql_db_t:db_table): old was
> user_sepgsql_table_t, new is sepgsql_table_t
> libsepol.expand_module: Error during expand
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> [root/secadm_r/s0@qemu-host selinux-policy]#
>
> Very honestly speaking, I am clueless about this error message, so I
> tried to compile lspp_test.pp along with the refpolicy source code just to
> see if the problem would simply disappear. Do you have any comments
> or suggestions about it?
Hmm, it looks like perhaps there is a conflict with the sepostgres
policy? I'm not sure, I haven't built this policy on recent versions of
the refpolicy. I've heard rumors that some of the RH guys are running
audit-test on recent versions of Fedora/RHEL6 but I don't know if that
includes all of the LSPP bits, e.g. the lspp_test policy module.
If you want to play with SELinux policy, we're always accepting
patches :)
> Moreover, audit-test-2090 seems to be a little "older" than
> refpolicy-2.20091117; for example, lspp_test.te calls
> mls_file_read_up() rather than the expected
> mls_file_read_all_levels(). Do you know where I could find a newer
> version of the audit-test package or of the lspp_test.* files?
You can always find the latest bits in the audit-test SVN repo on
sf.net, however, I must admit that currently we've only tested it
against RHEL5.x and some older Fedora releases.
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117
2010-08-18 15:29 ` [refpolicy] " Paul Moore
@ 2010-08-19 12:54 ` Christopher J. PeBenito
-1 siblings, 0 replies; 14+ messages in thread
From: Christopher J. PeBenito @ 2010-08-19 12:54 UTC (permalink / raw)
To: Paul Moore; +Cc: TaurusHarry, refpolicy, selinux-mailing-list
On 08/18/10 11:29, Paul Moore wrote:
> On Wed, 2010-08-18 at 13:24 +0000, TaurusHarry wrote:
>> Many many thanks for your response!
>>
>> Well, after I installed the SELinux headers properly I could enter
>> audit-test/utils/selinux-policy/ and successfully build lspp_test.pp
>> there; however, I ran into the error messages below when trying to
>> insert it:
>>
>> [root/secadm_r/s0@qemu-host selinux-policy]# semodule -i lspp_test.pp
>> libsepol.expand_terule_helper: conflicting TE rule for
>> ( lspp_test_generic_t, sepgsql_db_t:db_table): old was
>> user_sepgsql_table_t, new is sepgsql_table_t
>> libsepol.expand_module: Error during expand
>> libsemanage.semanage_expand_sandbox: Expand module failed
>> semodule: Failed!
>> [root/secadm_r/s0@qemu-host selinux-policy]#
>>
>> Very honestly speaking, I am clueless about this error message, so I
>> tried to compile lspp_test.pp along with the refpolicy source code just
>> to see if the problem would simply disappear. Do you have any comments
>> or suggestions about it?
>
> Hmm, it looks like perhaps there is a conflict with the sepostgres
> policy?
Yep, there are conflicting type_transitions. Basically it is
complaining about these two rules:
    type_transition lspp_test_generic_t sepgsql_db_t:db_table user_sepgsql_table_t;
    type_transition lspp_test_generic_t sepgsql_db_t:db_table sepgsql_table_t;
so it fails.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
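The condition Chris describes (two type_transition rules with the same source, target and class but different default types) is what libsepol's expander rejects, and it only shows up at `semodule -i` time. The following is an added example, not code from the audit-test or refpolicy projects: a small pre-check that finds such clashes in policy source before it is linked. It assumes you run it on m4-expanded policy text (for refpolicy, the tmp/*.conf files the build produces), since in the thread the two rules come from different interface expansions rather than two literal lines in lspp_test.te; the sample policy below is constructed, and attribute membership and `-`/`~` set negation are not resolved.

```python
import re
from collections import defaultdict
from itertools import product

# One identifier or a brace-delimited set: "foo_t" or "{ foo_t bar_t }"
_TOK = r'(\{[^}]*\}|[^\s;:{}"]+)'
# type_transition SOURCE TARGET:CLASS DEFAULT ["filename"];
_TT_RE = re.compile(
    r'\btype_transition\s+' + _TOK + r'\s+' + _TOK + r'\s*:\s*' + _TOK
    + r'\s+([^\s;"{}]+)\s*(?:"([^"]*)")?\s*;')

def _members(tok):
    """Expand '{ a b }' to ['a', 'b']; a bare name expands to itself."""
    return tok.strip('{}').split() if tok.startswith('{') else [tok]

def strip_comments(text):
    """Drop '#' comments per line, then join lines so a rule wrapped over
    two lines (as in the quoted mail) still matches as one statement."""
    return ' '.join(line.split('#', 1)[0] for line in text.splitlines())

def parse_type_transitions(text):
    """Yield (source, target, class, default, filename) for every rule,
    one tuple per member when source/target/class are written as sets."""
    for src, tgt, cls, dflt, name in _TT_RE.findall(strip_comments(text)):
        for s, t, c in product(_members(src), _members(tgt), _members(cls)):
            yield s, t, c, dflt, name

def find_conflicts(text):
    """Map each (source, target, class, filename) key that carries more than
    one distinct default type to its sorted defaults: the exact situation
    expand_terule_helper reports as a 'conflicting TE rule'. Identical
    duplicate rules are harmless and are not reported."""
    defaults = defaultdict(set)
    for s, t, c, dflt, name in parse_type_transitions(text):
        defaults[(s, t, c, name)].add(dflt)
    return {k: sorted(v) for k, v in defaults.items() if len(v) > 1}

def report(text):
    """Human-readable lines in the spirit of the libsepol message."""
    return ["conflicting type_transition for (%s, %s:%s): %s" % (s, t, c, ' vs '.join(d))
            for (s, t, c, _), d in sorted(find_conflicts(text).items())]

# Constructed sample: the two rules quoted in the thread (one wrapped across
# lines, as in the mail) plus a repeated but non-conflicting rule.
SAMPLE_POLICY = """
type_transition lspp_test_generic_t sepgsql_db_t:db_table
    user_sepgsql_table_t;  # emitted by a user-template interface
type_transition lspp_test_generic_t sepgsql_db_t:db_table sepgsql_table_t;
type_transition lspp_test_generic_t tmp_t:file lspp_test_tmp_t;
type_transition lspp_test_generic_t tmp_t:file lspp_test_tmp_t;
"""

if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_POLICY)) or 'no conflicts')
```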
* Re: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117
2010-08-18 11:52 ` [refpolicy] " Paul Moore
@ 2010-08-19 12:58 ` Christopher J. PeBenito
-1 siblings, 0 replies; 14+ messages in thread
From: Christopher J. PeBenito @ 2010-08-19 12:58 UTC (permalink / raw)
To: Paul Moore; +Cc: TaurusHarry, refpolicy-mailing-list, selinux-mailing-list
On 08/18/10 07:52, Paul Moore wrote:
> On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
>> Hi SELinux experts,
>>
>> When I try to build the lspp_test.pp provided by
>> audit-test-2090/utils/selinux-policy/lspp_test.* along with the
>> refpolicy-20091117 source code, I copy the lspp_test.* files to
>> policy/modules/apps/ and then modify policy/modules.conf to declare
>> "lspp_test = module", but I run into the error message below ...
>
> Is there any reason why you copied the lspp_test policy files to the
> refpolicy sources and tried to build it there? I'm not completely sure
> that this is the cause of your problem but I can say for certain that
> this is not a tested procedure for building the lspp_test module.
I wouldn't expect this to introduce problems, unless the headers in the
policy source didn't match the target system's base policy.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com