From mboxrd@z Thu Jan 1 00:00:00 1970
From: TaurusHarry
To: selinux-mailing-list, refpolicy-mailing-list
Subject: Problem about audit-test-2090 + refpolicy-2.20091117
Date: Wed, 18 Aug 2010 10:26:23 +0000

Hi SELinux exports,

When I am trying to build the lspp_test.pp provided by audit-test-2090/utils/selinux-policy/lspp_test.* along with the refpolicy-20091117 source code, I copied lspp_test.* files to policy/modules/apps/ and then modified policy/modules.conf to declare "lspp_test = module", but I run into below error message:

support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/apps/lspp_test.te

Which will wipe out the line of declaration of "lspp_test = module" in modules.conf! How could I tackle such kind of error message? what's wrong in lspp_test.te? (attached for your reference)

BTW, if I compile the lspp_test.pp within the audit-test-2090 package itself, everything is fine except some warning about "role dominance rule is deprecated", but I failed to insert it on my target with refpolicy-2.20091117 policy image taken place:

[root/secadm_r/s0@qemu-host selinux-policy]# semodule -i lspp_test.pp
libsepol.expand_terule_helper: conflicting TE rule for (lspp_test_generic_t, sepgsql_db_t:db_table): old was user_sepgsql_table_t, new is sepgsql_table_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[root/secadm_r/s0@qemu-host selinux-policy]#

So far I am clueless about this problem, how should I deal with it?

Any comment is greatly appreciated!

Thank you very much!

Harry

[Attachment: lspp_test.te]
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Moore
To: TaurusHarry
Cc: selinux-mailing-list, refpolicy-mailing-list
Subject: Re: Problem about audit-test-2090 + refpolicy-2.20091117
Date: Wed, 18 Aug 2010 07:52:47 -0400
Message-ID: <1282132367.4122.8.camel@flek>

On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
> Hi SELinux exports,
>
> When I am trying to build the lspp_test.pp provided by
> audit-test-2090/utils/selinux-policy/lspp_test.* along with the
> refpolicy-20091117 source code, I copied lspp_test.* files to
> policy/modules/apps/ and then modified policy/modules.conf to declare
> "lspp_test = module", but I run into below error message ...

Is there any reason why you copied the lspp_test policy files to the refpolicy sources and tried to build it there? I'm not completely sure that this is the cause of your problem but I can say for certain that this is not a tested procedure for building the lspp_test module.

The normal procedure is to build the lspp_test policy module separately from the system's main SELinux policy, e.g. build and install the normal system's SELinux policy (refpolicy-20091117 in your case) and after you have verified that everything is working correctly you can change to the directory audit-test-*/utils/selinux-policy directory and use the Makefile located there to build the lspp_test module.

--
paul moore
linux @ hp

From mboxrd@z Thu Jan 1 00:00:00 1970
From: TaurusHarry
CC: selinux-mailing-list
Subject: RE: Problem about audit-test-2090 + refpolicy-2.20091117
Date: Wed, 18 Aug 2010 13:24:41 +0000
In-Reply-To: <1282132367.4122.8.camel@flek>

Hi Paul,

> Subject: Re: Problem about audit-test-2090 + refpolicy-2.20091117
> From: paul.moore@hp.com
> To: harrytaurus2002@hotmail.com
> CC: selinux@tycho.nsa.gov; refpolicy@oss1.tresys.com
> Date: Wed, 18 Aug 2010 07:52:47 -0400
>
> On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
> > Hi SELinux exports,
> >
> > When I am trying to build the lspp_test.pp provided by
> > audit-test-2090/utils/selinux-policy/lspp_test.* along with the
> > refpolicy-20091117 source code, I copied lspp_test.* files to
> > policy/modules/apps/ and then modified policy/modules.conf to declare
> > "lspp_test = module", but I run into below error message ...
>
> Is there any reason why you copied the lspp_test policy files to the
> refpolicy sources and tried to build it there? I'm not completely sure
> that this is the cause of your problem but I can say for certain that
> this is not a tested procedure for building the lspp_test module.
>
> The normal procedure is to build the lspp_test policy module separately
> from the system's main SELinux policy, e.g. build and install the normal
> system's SELinux policy (refpolicy-20091117 in your case) and after you
> have verified that everything is working correctly you can change to the
> directory audit-test-*/utils/selinux-policy directory and use the
> Makefile located there to build the lspp_test module.
>

Many many thanks for your response!

Well, after I installed SELinux header properly then I did could enter audit-test/utils/selinux-policy/ successfully built lspp_test.pp there, however, I run into below error messages when trying to insert it:

[root/secadm_r/s0@qemu-host selinux-policy]# semodule -i lspp_test.pp
libsepol.expand_terule_helper: conflicting TE rule for (lspp_test_generic_t, sepgsql_db_t:db_table): old was user_sepgsql_table_t, new is sepgsql_table_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[root/secadm_r/s0@qemu-host selinux-policy]#

Very honestly speaking I am clueless about such error message, so I tried to compile lspp_test.pp along with refpolicy source code just to see if such problem could simply disappear. Do you have some comments or suggestions about it?

Moreover, the audit-test-2090 seems to be a little "old" than the refpolicy-2.20091117, for example, the lspp_test.te calls mls_file_read_up() rather than the expected mls_file_read_all_levels(), do you know if I could find some latest version of audit-test package or some latest version of the lspp_test.* files?

Thank you very much!

Best regards,
Harry

> --
> paul moore
> linux @ hp
 
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Moore
To: TaurusHarry
Cc: selinux-mailing-list, refpolicy@oss1.tresys.com
Subject: RE: Problem about audit-test-2090 + refpolicy-2.20091117
Date: Wed, 18 Aug 2010 11:29:53 -0400
Message-ID: <1282145393.4122.45.camel@flek>

On Wed, 2010-08-18 at 13:24 +0000, TaurusHarry wrote:
> Many many thanks for your response!
>
> Well, after I installed SELinux header properly then I did could enter
> audit-test/utils/selinux-policy/ successfully built lspp_test.pp
> there, however, I run into below error messages when trying to insert
> it:
>
> [root/secadm_r/s0@qemu-host selinux-policy]# semodule -i lspp_test.pp
> libsepol.expand_terule_helper: conflicting TE rule for
> (lspp_test_generic_t, sepgsql_db_t:db_table): old was
> user_sepgsql_table_t, new is sepgsql_table_t
> libsepol.expand_module: Error during expand
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> [root/secadm_r/s0@qemu-host selinux-policy]#
>
> Very honestly speaking I am clueless about such error message, so I
> tried to compile lspp_test.pp along with refpolicy source code just to
> see if such problem could simply disappear. Do you have some comments
> or suggestions about it?

Hmm, it looks like perhaps there is a conflict with the sepostgres policy? I'm not sure, I haven't built this policy on recent versions of the refpolicy. I've heard rumors that some of the RH guys are running audit-test on recent versions of Fedora/RHEL6 but I don't know if that includes all of the LSPP bits, e.g. the lspp_test policy module.

If you want to play with SELinux policy, we're always accepting patches :)

> Moreover, the audit-test-2090 seems to be a little "old" than the
> refpolicy-2.20091117, for example, the lspp_test.te calls
> mls_file_read_up() rather than the expected
> mls_file_read_all_levels(), do you know if I could find some latest
> version of audit-test package or some latest version of the
> lspp_test.* files?

You can always find the latest bits in the audit-test SVN repo on sf.net, however, I must admit that currently we've only tested it against RHEL5.x and some older Fedora releases.

--
paul moore
linux @ hp

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Christopher J. PeBenito"
To: Paul Moore
CC: TaurusHarry, refpolicy@oss1.tresys.com, selinux-mailing-list
Subject: Re: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117
Date: Thu, 19 Aug 2010 08:54:44 -0400
Message-ID: <4C6D2994.6060109@tresys.com>
In-Reply-To: <1282145393.4122.45.camel@flek>

On 08/18/10 11:29, Paul Moore wrote:
> On Wed, 2010-08-18 at 13:24 +0000, TaurusHarry wrote:
>> Many many thanks for your response!
>>
>> Well, after I installed SELinux header properly then I did could enter
>> audit-test/utils/selinux-policy/ successfully built lspp_test.pp
>> there, however, I run into below error messages when trying to insert
>> it:
>>
>> [root/secadm_r/s0@qemu-host selinux-policy]# semodule -i lspp_test.pp
>> libsepol.expand_terule_helper: conflicting TE rule for
>> (lspp_test_generic_t, sepgsql_db_t:db_table): old was
>> user_sepgsql_table_t, new is sepgsql_table_t
>> libsepol.expand_module: Error during expand
>> libsemanage.semanage_expand_sandbox: Expand module failed
>> semodule: Failed!
>> [root/secadm_r/s0@qemu-host selinux-policy]#
>>
>> Very honestly speaking I am clueless about such error message, so I
>> tried to compile lspp_test.pp along with refpolicy source code just to
>> see if such problem could simply disappear. Do you have some comments
>> or suggestions about it?
>
> Hmm, it looks like perhaps there is a conflict with the sepostgres
> policy?

Yep, there are conflicting type_transitions. Basically it is complaining about these two rules:

type_transition lspp_test_generic_t sepgsql_db_t:db_table user_sepgsql_table_t;
type_transition lspp_test_generic_t sepgsql_db_t:db_table sepgsql_table_t;

so it fails.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Christopher J. PeBenito"
To: Paul Moore
CC: TaurusHarry, refpolicy-mailing-list, selinux-mailing-list
Subject: Re: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117
Date: Thu, 19 Aug 2010 08:58:27 -0400
Message-ID: <4C6D2A73.6020302@tresys.com>
In-Reply-To: <1282132367.4122.8.camel@flek>

On 08/18/10 07:52, Paul Moore wrote:
> On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
>> Hi SELinux exports,
>>
>> When I am trying to build the lspp_test.pp provided by
>> audit-test-2090/utils/selinux-policy/lspp_test.* along with the
>> refpolicy-20091117 source code, I copied lspp_test.* files to
>> policy/modules/apps/ and then modified policy/modules.conf to declare
>> "lspp_test = module", but I run into below error message ...
>
> Is there any reason why you copied the lspp_test policy files to the
> refpolicy sources and tried to build it there? I'm not completely sure
> that this is the cause of your problem but I can say for certain that
> this is not a tested procedure for building the lspp_test module.

I wouldn't expect this to introduce problems, unless the headers in the policy source didn't match the target system's base policy.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

From mboxrd@z Thu Jan 1 00:00:00 1970
From: domg472@gmail.com (Dominick Grift)
Date: Wed, 18 Aug 2010 15:38:01 +0200
Subject: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117
To: refpolicy@oss.tresys.com

On 08/18/2010 03:24 PM, TaurusHarry wrote:
>
> Hi Paul,
>
>> Subject: Re: Problem about audit-test-2090 + refpolicy-2.20091117
>> From: paul.moore at hp.com
>> To: harrytaurus2002 at hotmail.com
>> CC: selinux at tycho.nsa.gov; refpolicy at oss1.tresys.com
>> Date: Wed, 18 Aug 2010 07:52:47 -0400
>>
>> On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
>>> Hi SELinux experts,
>>>
>>> When I am trying to build the lspp_test.pp provided by
>>> audit-test-2090/utils/selinux-policy/lspp_test.* along with the
>>> refpolicy-20091117 source code, I copied lspp_test.* files to
>>> policy/modules/apps/ and then modified policy/modules.conf to declare
>>> "lspp_test = module", but I run into below error message ...
>>
>> Is there any reason why you copied the lspp_test policy files to the
>> refpolicy sources and tried to build it there? I'm not completely sure
>> that this is the cause of your problem but I can say for certain that
>> this is not a tested procedure for building the lspp_test module.
>>
>> The normal procedure is to build the lspp_test policy module separately
>> from the system's main SELinux policy, e.g. build and install the normal
>> system's SELinux policy (refpolicy-20091117 in your case) and after you
>> have verified that everything is working correctly you can change to the
>> directory audit-test-*/utils/selinux-policy directory and use the
>> Makefile located there to build the lspp_test module.
>>
>
> Many many thanks for your response!
>
> Well, after I installed SELinux header properly then I did could enter audit-test/utils/selinux-policy/ successfully built lspp_test.pp there, however, I run into below error messages when trying to insert it:
>
> [root/secadm_r/s0@qemu-host selinux-policy]# semodule -i lspp_test.pp
> libsepol.expand_terule_helper: conflicting TE rule for (lspp_test_generic_t, sepgsql_db_t:db_table): old was user_sepgsql_table_t, new is sepgsql_table_t
> libsepol.expand_module: Error during expand
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> [root/secadm_r/s0@qemu-host selinux-policy]#

It's a bug in policy somewhere, I believe. Where exactly is kind of hard to determine.

Do you have any custom modules loaded? In particular custom modules that call either: userdom_unpriv_user_template or postgresql_role.

The issue is that there's a conflict. Some module uses (old) sepgsql_table_t, whilst another uses (new) user_sepgsql_table_t.

So my guess is that you have a custom user domain policy loaded that was not updated when you updated refpolicy. Maybe even lspp_test.pp is it. If that is true, then you would need to build a new lspp_test.pp from lspp_test.te.

> Very honestly speaking I am clueless about such error message, so I tried to compile lspp_test.pp along with refpolicy source code just to see if such problem could simply disappear. Do you have some comments or suggestions about it?
>
> Moreover, the audit-test-2090 seems to be a little "old" than the refpolicy-2.20091117, for example, the lspp_test.te calls mls_file_read_up() rather than the expected mls_file_read_all_levels(), do you know if I could find some latest version of audit-test package or some latest version of the lspp_test.* files?
>
> Thank you very much!
>
> Best regards,
> Harry
>
>> --
>> paul moore
>> linux @ hp

From mboxrd@z Thu Jan 1 00:00:00 1970
From: domg472@gmail.com (Dominick Grift)
Date: Wed, 18 Aug 2010 15:43:57 +0200
Subject: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117
To: refpolicy@oss.tresys.com

On 08/18/2010 03:24 PM, TaurusHarry wrote:
>
> Hi Paul,
>
>> Subject: Re: Problem about audit-test-2090 + refpolicy-2.20091117
>> From: paul.moore at hp.com
>> To: harrytaurus2002 at hotmail.com
>> CC: selinux at tycho.nsa.gov; refpolicy at oss1.tresys.com
>> Date: Wed, 18 Aug 2010 07:52:47 -0400
>>
>> On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
>>> Hi SELinux experts,
>>>
>>> When I am trying to build the lspp_test.pp provided by
>>> audit-test-2090/utils/selinux-policy/lspp_test.* along with the
>>> refpolicy-20091117 source code, I copied lspp_test.* files to
>>> policy/modules/apps/ and then modified policy/modules.conf to declare
>>> "lspp_test = module", but I run into below error message ...
>>
>> Is there any reason why you copied the lspp_test policy files to the
>> refpolicy sources and tried to build it there? I'm not completely sure
>> that this is the cause of your problem but I can say for certain that
>> this is not a tested procedure for building the lspp_test module.
>>
>> The normal procedure is to build the lspp_test policy module separately
>> from the system's main SELinux policy, e.g. build and install the normal
>> system's SELinux policy (refpolicy-20091117 in your case) and after you
>> have verified that everything is working correctly you can change to the
>> directory audit-test-*/utils/selinux-policy directory and use the
>> Makefile located there to build the lspp_test module.
>>
>
> Many many thanks for your response!
>
> Well, after I installed SELinux header properly then I did could enter audit-test/utils/selinux-policy/ successfully built lspp_test.pp there, however, I run into below error messages when trying to insert it:
>
> [root/secadm_r/s0@qemu-host selinux-policy]# semodule -i lspp_test.pp
> libsepol.expand_terule_helper: conflicting TE rule for (lspp_test_generic_t, sepgsql_db_t:db_table): old was user_sepgsql_table_t, new is sepgsql_table_t
> libsepol.expand_module: Error during expand
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> [root/secadm_r/s0@qemu-host selinux-policy]#
>
> Very honestly speaking I am clueless about such error message, so I tried to compile lspp_test.pp along with refpolicy source code just to see if such problem could simply disappear. Do you have some comments or suggestions about it?
>

Basically I think your lspp_test.pp is incompatible with your version of refpolicy.
(the type user_sepgsql_table_t used in refpolicy conflicts with the type sepgsql_table_t in lspp_test.pp)

Or at least so I think...

>
> Moreover, the audit-test-2090 seems to be a little "old" than the refpolicy-2.20091117, for example, the lspp_test.te calls mls_file_read_up() rather than the expected mls_file_read_all_levels(), do you know if I could find some latest version of audit-test package or some latest version of the lspp_test.* files?
>
> Thank you very much!
>
> Best regards,
> Harry
>
>> --
>> paul moore
>> linux @ hp
From mboxrd@z Thu Jan 1 00:00:00 1970
From: harrytaurus2002@hotmail.com (TaurusHarry)
Date: Wed, 18 Aug 2010 10:26:23 +0000
Subject: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117
To: refpolicy@oss.tresys.com

Hi SELinux experts,

When I am trying to build the lspp_test.pp provided by audit-test-2090/utils/selinux-policy/lspp_test.* along with the refpolicy-20091117 source code, I copied lspp_test.* files to policy/modules/apps/ and then modified policy/modules.conf to declare "lspp_test = module", but I run into below error message:

support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/apps/lspp_test.te

Which will wipe out the line of declaration of "lspp_test = module" in modules.conf! How could I tackle such kind of error message? What's wrong in lspp_test.te? (attached for your reference)

BTW, if I compile the lspp_test.pp within the audit-test-2090 package itself, everything is fine except some warning about "role dominance rule is deprecated", but I failed to insert it on my target with refpolicy-2.20091117 policy image taken place:

[root/secadm_r/s0@qemu-host selinux-policy]# semodule -i lspp_test.pp
libsepol.expand_terule_helper: conflicting TE rule for (lspp_test_generic_t, sepgsql_db_t:db_table): old was user_sepgsql_table_t, new is sepgsql_table_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[root/secadm_r/s0@qemu-host selinux-policy]#

So far I am clueless about this problem, how should I deal with it?

Any comment is greatly appreciated!

Thank you very much!

Harry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lspp_test.te
Type: application/octet-stream
Size: 8614 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100818/452a30d8/attachment.obj

From mboxrd@z Thu Jan 1 00:00:00 1970
From: paul.moore@hp.com (Paul Moore)
Date: Wed, 18 Aug 2010 07:52:47 -0400
Subject: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117
To: refpolicy@oss.tresys.com

On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
> Hi SELinux experts,
>
> When I am trying to build the lspp_test.pp provided by
> audit-test-2090/utils/selinux-policy/lspp_test.* along with the
> refpolicy-20091117 source code, I copied lspp_test.* files to
> policy/modules/apps/ and then modified policy/modules.conf to declare
> "lspp_test = module", but I run into below error message ...

Is there any reason why you copied the lspp_test policy files to the refpolicy sources and tried to build it there? I'm not completely sure that this is the cause of your problem but I can say for certain that this is not a tested procedure for building the lspp_test module.

The normal procedure is to build the lspp_test policy module separately from the system's main SELinux policy, e.g. build and install the normal system's SELinux policy (refpolicy-20091117 in your case) and after you have verified that everything is working correctly you can change to the directory audit-test-*/utils/selinux-policy directory and use the Makefile located there to build the lspp_test module.
--
paul moore
linux @ hp

From mboxrd@z Thu Jan 1 00:00:00 1970
From: harrytaurus2002@hotmail.com (TaurusHarry)
Date: Wed, 18 Aug 2010 13:24:41 +0000
Subject: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117
To: refpolicy@oss.tresys.com

Hi Paul,

> Subject: Re: Problem about audit-test-2090 + refpolicy-2.20091117
> From: paul.moore at hp.com
> To: harrytaurus2002 at hotmail.com
> CC: selinux at tycho.nsa.gov; refpolicy at oss1.tresys.com
> Date: Wed, 18 Aug 2010 07:52:47 -0400
>
> On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
> > Hi SELinux experts,
> >
> > When I am trying to build the lspp_test.pp provided by
> > audit-test-2090/utils/selinux-policy/lspp_test.* along with the
> > refpolicy-20091117 source code, I copied lspp_test.* files to
> > policy/modules/apps/ and then modified policy/modules.conf to declare
> > "lspp_test = module", but I run into below error message ...
>
> Is there any reason why you copied the lspp_test policy files to the
> refpolicy sources and tried to build it there? I'm not completely sure
> that this is the cause of your problem but I can say for certain that
> this is not a tested procedure for building the lspp_test module.
>
> The normal procedure is to build the lspp_test policy module separately
> from the system's main SELinux policy, e.g. build and install the normal
> system's SELinux policy (refpolicy-20091117 in your case) and after you
> have verified that everything is working correctly you can change to the
> directory audit-test-*/utils/selinux-policy directory and use the
> Makefile located there to build the lspp_test module.
>

Many many thanks for your response!
Well, after I installed SELinux header properly then I did could enter audit-test/utils/selinux-policy/ successfully built lspp_test.pp there, however, I run into below error messages when trying to insert it:

[root/secadm_r/s0@qemu-host selinux-policy]# semodule -i lspp_test.pp
libsepol.expand_terule_helper: conflicting TE rule for (lspp_test_generic_t, sepgsql_db_t:db_table): old was user_sepgsql_table_t, new is sepgsql_table_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[root/secadm_r/s0@qemu-host selinux-policy]#

Very honestly speaking I am clueless about such error message, so I tried to compile lspp_test.pp along with refpolicy source code just to see if such problem could simply disappear. Do you have some comments or suggestions about it?

Moreover, the audit-test-2090 seems to be a little "old" than the refpolicy-2.20091117, for example, the lspp_test.te calls mls_file_read_up() rather than the expected mls_file_read_all_levels(), do you know if I could find some latest version of audit-test package or some latest version of the lspp_test.* files?

Thank you very much!

Best regards,
Harry

> --
> paul moore
> linux @ hp
From mboxrd@z Thu Jan 1 00:00:00 1970
From: paul.moore@hp.com (Paul Moore)
Date: Wed, 18 Aug 2010 11:29:53 -0400
Subject: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117
To: refpolicy@oss.tresys.com

On Wed, 2010-08-18 at 13:24 +0000, TaurusHarry wrote:
> Many many thanks for your response!
>
> Well, after I installed SELinux header properly then I did could enter
> audit-test/utils/selinux-policy/ successfully built lspp_test.pp
> there, however, I run into below error messages when trying to insert
> it:
>
> [root/secadm_r/s0@qemu-host selinux-policy]# semodule -i lspp_test.pp
> libsepol.expand_terule_helper: conflicting TE rule for
> ( lspp_test_generic_t, sepgsql_db_t:db_table): old was
> user_sepgsql_table_t, new is sepgsql_table_t
> libsepol.expand_module: Error during expand
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> [root/secadm_r/s0@qemu-host selinux-policy]#
>
> Very honestly speaking I am clueless about such error message, so I
> tried to compile lspp_test.pp along with refpolicy source code just to
> see if such problem could simply disappear. Do you have some comments
> or suggestions about it?

Hmm, it looks like perhaps there is a conflict with the sepostgres policy? I'm not sure, I haven't built this policy on recent versions of the refpolicy. I've heard rumors that some of the RH guys are running audit-test on recent versions of Fedora/RHEL6 but I don't know if that includes all of the LSPP bits, e.g. the lspp_test policy module.
If you want to play with SELinux policy, we're always accepting patches :)

> Moreover, the audit-test-2090 seems to be a little "old" than the
> refpolicy-2.20091117, for example, the lspp_test.te calls
> mls_file_read_up() rather than the expected
> mls_file_read_all_levels(), do you know if I could find some latest
> version of audit-test package or some latest version of the
> lspp_test.* files?

You can always find the latest bits in the audit-test SVN repo on sf.net, however, I must admit that currently we've only tested it against RHEL5.x and some older Fedora releases.

--
paul moore
linux @ hp
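
The "conflicting TE rule" failure discussed in this thread can be checked for before running semodule -i. The script below is an added example, not code from any poster, from libsepol or from audit-test: it flags type_transition rules that share source, target and class but name different result types. The function names and the split of the two quoted rules between "base" and "lspp_test" are assumptions, and it only handles plain rules that are already expanded from interface macros (no attributes, exclusions or named transitions).

```python
import re
from collections import defaultdict

# Constructed sample input. Only the two lspp_test_generic_t rules are quoted
# in the thread; which side contributes which rule is an assumption, and the
# tmp_t rules are constructed to exercise set expansion and harmless repeats.
BASE_POLICY = """
type_transition lspp_test_generic_t sepgsql_db_t:db_table user_sepgsql_table_t;
type_transition { user_t staff_t } tmp_t:{ file dir } user_tmp_t;
"""
MODULE_POLICY = """
# rule assumed to come from the older lspp_test module
type_transition lspp_test_generic_t sepgsql_db_t:db_table sepgsql_table_t;
type_transition staff_t tmp_t:file user_tmp_t;   # same result as base: no conflict
"""

# source, target, class may each be a single name or a { ... } set.
RULE_RE = re.compile(
    r"type_transition\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:\s*"
    r"(\{[^}]*\}|\S+)\s+([^\s;]+)\s*;"
)


def _expand(field):
    """Turn 'a' or '{ a b }' into a list of names."""
    return field.strip("{} \t").split()


def parse_rules(text, origin):
    """Yield ((source, target, class), result_type, origin) per expanded rule."""
    text = re.sub(r"#.*", "", text)  # drop policy comments
    for src, tgt, cls, result in RULE_RE.findall(text):
        for s in _expand(src):
            for t in _expand(tgt):
                for c in _expand(cls):
                    yield (s, t, c), result, origin


def find_conflicts(*policies):
    """policies: (origin_name, policy_text) pairs.

    Returns {key: {result_type: [origins]}} for every (source, target, class)
    key that maps to more than one result type. Repeating a rule with the
    same result type is not a conflict.
    """
    seen = defaultdict(lambda: defaultdict(list))
    for origin, text in policies:
        for key, result, where in parse_rules(text, origin):
            seen[key][result].append(where)
    return {k: dict(v) for k, v in seen.items() if len(v) > 1}


def report(conflicts):
    """Format conflicts in the style of the semodule error shown in the thread."""
    lines = []
    for (s, t, c), results in sorted(conflicts.items()):
        detail = ", ".join(
            f"{r} (from {'/'.join(o)})" for r, o in sorted(results.items())
        )
        lines.append(f"conflicting TE rule for ({s}, {t}:{c}): {detail}")
    return lines


if __name__ == "__main__":
    found = find_conflicts(("base", BASE_POLICY), ("lspp_test", MODULE_POLICY))
    print("\n".join(report(found)))
```
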