From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: SELinux Mail List <selinux@tycho.nsa.gov>
Cc: <qingtao.cao@windriver.com>, <harrytaurus2002@hotmail.com>
Subject: Error in monolithic role attribute
Date: Mon, 1 Aug 2011 09:00:32 -0400	[thread overview]
Message-ID: <4E36A370.40001@tresys.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 1039 bytes --]

I started the Refpolicy implementation for the new role attribute
support.  Unfortunately, I get the following error for monolithic policies:

/usr/bin/checkpolicy policy.conf -o policy.26
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
checkpolicy: expand.c:721: role_fix_callback: Assertion `regular_role !=
((void *)0) && regular_role->flavor == 0' failed.
make: *** [policy.26] Aborted

With the same policy I get a similar error when running 'make validate'
in a modular build:

/usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
semodule_expand: expand.c:721: role_fix_callback: Assertion
`regular_role != ((void *)0) && regular_role->flavor == 0' failed.
make: *** [validate] Aborted

This is with last week's release of the toolchain.

You should be able to reproduce this by checking out current Refpolicy
and applying the attached patch.

For monolithic:
$ make conf
$ make MONOLITHIC=y

For modular:

$ make conf
$ make validate

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[-- Attachment #2: refpolicy-roleattr.diff --]
[-- Type: text/plain, Size: 9451 bytes --]

diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 08b361b..f927f17 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -44,11 +44,11 @@ interface(`portage_domtrans',`
 #
 interface(`portage_run',`
 	gen_require(`
-		type portage_t, portage_fetch_t, portage_sandbox_t;
+		attribute_role portage_roles;
 	')
 
 	portage_domtrans($1)
-	role $2 types { portage_t portage_fetch_t portage_sandbox_t };
+	roleattribute $2 portage_roles;
 ')
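Review bot: With `roleattribute $2 portage_roles` the role argument is no longer granted the three portage domains directly; it becomes a member of the portage_roles attribute, whose domain membership now lives in portage.te. The interface's parameter documentation above this hunk (not shown) presumably still describes `$2` as the role allowed the portage domains, so the param description should say it is added to the portage_roles role attribute and, if roleattribute accepts only a regular role as its first operand, that callers may not pass a role attribute here. The same applies to `rpm_run` in rpm.if and `seutil_run_semanage` in selinuxutil.if later in this patch.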
 
 ########################################
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 563c598..b5ceb47 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -12,6 +12,7 @@ policy_module(portage, 1.11.0)
 ## </desc>
 gen_tunable(portage_use_nfs, false)
 
+attribute_role portage_roles;
 
 type gcc_config_t;
 type gcc_config_exec_t;
@@ -24,6 +25,7 @@ application_domain(portage_t, portage_exec_t)
 domain_obj_id_change_exemption(portage_t)
 rsync_entry_type(portage_t)
 corecmd_shell_entry_type(portage_t)
+role portage_roles types portage_t;
 
 # portage compile sandbox domain
 type portage_sandbox_t;
@@ -31,12 +33,14 @@ application_domain(portage_sandbox_t, portage_exec_t)
 # the shell is the entrypoint if regular sandbox is disabled
 # portage_exec_t is the entrypoint if regular sandbox is enabled
 corecmd_shell_entry_type(portage_sandbox_t)
+role portage_roles types portage_sandbox_t;
 
 # portage package fetching domain
 type portage_fetch_t;
 application_type(portage_fetch_t)
 corecmd_shell_entry_type(portage_fetch_t)
 rsync_entry_type(portage_fetch_t)
+role portage_roles types portage_fetch_t;
 
 type portage_devpts_t;
 term_pty(portage_devpts_t)
@@ -107,7 +111,7 @@ files_list_all(gcc_config_t)
 init_dontaudit_read_script_status_files(gcc_config_t)
 
 libs_read_lib_files(gcc_config_t)
-libs_domtrans_ldconfig(gcc_config_t)
+libs_run_ldconfig(gcc_config_t, portage_roles)
 libs_manage_shared_libs(gcc_config_t)
 # gcc-config creates a temp dir for the libs
 libs_manage_lib_dirs(gcc_config_t)
@@ -177,27 +181,27 @@ auth_manage_shadow(portage_t)
 init_exec(portage_t)
 
 # run setfiles -r
-seutil_domtrans_setfiles(portage_t)
+seutil_run_setfiles(portage_t, portage_roles)
 # run semodule
-seutil_domtrans_semanage(portage_t)
+seutil_run_semanage(portage_t, portage_roles)
 
-portage_domtrans_gcc_config(portage_t)
+portage_run_gcc_config(portage_t, portage_roles)
 # if sesandbox is disabled, compiling is performed in this domain
 portage_compile_domain(portage_t)
 
 optional_policy(`
-	bootloader_domtrans(portage_t)
+	bootloader_run(portage_t, portage_roles)
 ')
 
 optional_policy(`
-	modutils_domtrans_depmod(portage_t)
-	modutils_domtrans_update_mods(portage_t)
+	modutils_run_depmod(portage_t, portage_roles)
+	modutils_run_update_mods(portage_t, portage_roles)
 	#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
 ')
 
 optional_policy(`
-	usermanage_domtrans_groupadd(portage_t)
-	usermanage_domtrans_useradd(portage_t)
+	usermanage_run_groupadd(portage_t, portage_roles)
+	usermanage_run_useradd(portage_t, portage_roles)
 ')
 
 ifdef(`TODO',`
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index d33daa8..951d8f6 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -78,14 +78,11 @@ interface(`rpm_domtrans_script',`
 #
 interface(`rpm_run',`
 	gen_require(`
-		type rpm_t, rpm_script_t;
+		attribute_role rpm_roles;
 	')
 
 	rpm_domtrans($1)
-	role $2 types { rpm_t rpm_script_t };
-	seutil_run_loadpolicy(rpm_script_t, $2)
-	seutil_run_semanage(rpm_script_t, $2)
-	seutil_run_setfiles(rpm_script_t, $2)
+	roleattribute $2 rpm_roles;
 ')
 
 ########################################
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 7d964bf..ad01a33 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -5,6 +5,8 @@ policy_module(rpm, 1.13.0)
 # Declarations
 #
 
+attribute_role rpm_roles;
+
 type debuginfo_exec_t;
 domain_entry_file(rpm_t, debuginfo_exec_t)
 
@@ -15,6 +17,7 @@ domain_obj_id_change_exemption(rpm_t)
 domain_role_change_exemption(rpm_t)
 domain_system_change_exemption(rpm_t)
 domain_interactive_fd(rpm_t)
+role rpm_roles types rpm_t;
 
 type rpm_file_t;
 files_type(rpm_file_t)
@@ -47,6 +50,7 @@ corecmd_bin_entry_type(rpm_script_t)
 domain_type(rpm_script_t)
 domain_entry_file(rpm_t, rpm_script_exec_t)
 domain_interactive_fd(rpm_script_t)
+role rpm_roles types rpm_script_t;
 role system_r types rpm_script_t;
 
 type rpm_script_tmp_t;
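Review bot: `role rpm_roles types rpm_script_t;` is added directly above the retained `role system_r types rpm_script_t;`, yet nothing in this patch adds system_r to rpm_roles, unlike selinuxutil.te which does `roleattribute system_r semanage_roles;`. The role rules that rpm_run used to emit for `$2` are now emitted in rpm.te against rpm_roles (the `seutil_run_*`, `modutils_run_*` and similar calls in the later hunks), so an rpm_script_t process running in system_r still gets the domain transitions but not, through this module, the role authorization for those helper domains. If system_r obtains that from elsewhere in base policy, a one-line comment saying so would help; otherwise `roleattribute system_r rpm_roles;` next to the declaration would be the consistent fix.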
@@ -181,7 +185,7 @@ init_use_script_ptys(rpm_t)
 
 libs_exec_ld_so(rpm_t)
 libs_exec_lib_files(rpm_t)
-libs_domtrans_ldconfig(rpm_t)
+libs_run_ldconfig(rpm_t, rpm_roles)
 
 logging_send_syslog_msg(rpm_t)
 
@@ -210,7 +214,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	prelink_domtrans(rpm_t)
+	prelink_run(rpm_t, rpm_roles)
 ')
 
 optional_policy(`
@@ -326,18 +330,18 @@ init_telinit(rpm_script_t)
 
 libs_exec_ld_so(rpm_script_t)
 libs_exec_lib_files(rpm_script_t)
-libs_domtrans_ldconfig(rpm_script_t)
+libs_run_ldconfig(rpm_script_t, rpm_roles)
 
 logging_send_syslog_msg(rpm_script_t)
 
 miscfiles_read_localization(rpm_script_t)
 
-modutils_domtrans_depmod(rpm_script_t)
-modutils_domtrans_insmod(rpm_script_t)
+modutils_run_depmod(rpm_script_t, rpm_roles)
+modutils_run_insmod(rpm_script_t, rpm_roles)
 
-seutil_domtrans_loadpolicy(rpm_script_t)
-seutil_domtrans_setfiles(rpm_script_t)
-seutil_domtrans_semanage(rpm_script_t)
+seutil_run_loadpolicy(rpm_script_t, rpm_roles)
+seutil_run_setfiles(rpm_script_t, rpm_roles)
+seutil_run_semanage(rpm_script_t, rpm_roles)
 
 userdom_use_all_users_fds(rpm_script_t)
 
@@ -352,7 +356,7 @@ tunable_policy(`allow_execmem',`
 ')
 
 optional_policy(`
-	bootloader_domtrans(rpm_script_t)
+	bootloader_run(rpm_script_t, rpm_roles)
 ')
 
 optional_policy(`
@@ -360,7 +364,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	lvm_domtrans(rpm_script_t)
+	lvm_run(rpm_script_t, rpm_roles)
 ')
 
 optional_policy(`
@@ -368,8 +372,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-	tzdata_domtrans(rpm_t)
-	tzdata_domtrans(rpm_script_t)
+	tzdata_run(rpm_t, rpm_roles)
+	tzdata_run(rpm_script_t, rpm_roles)
 ')
 
 optional_policy(`
@@ -390,6 +394,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	usermanage_domtrans_groupadd(rpm_script_t)
-	usermanage_domtrans_useradd(rpm_script_t)
+	usermanage_run_groupadd(rpm_script_t, rpm_roles)
+	usermanage_run_useradd(rpm_script_t, rpm_roles)
 ')
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 170e2c7..2689213 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1027,13 +1027,11 @@ interface(`seutil_domtrans_semanage',`
 #
 interface(`seutil_run_semanage',`
 	gen_require(`
-		type semanage_t;
+		attribute_role semanage_roles;
 	')
 
 	seutil_domtrans_semanage($1)
-	seutil_run_setfiles(semanage_t, $2)
-	seutil_run_loadpolicy(semanage_t, $2)
-	role $2 types semanage_t;
+	roleattribute $2 semanage_roles;
 ')
 
 ########################################
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index e252935..02a5cb8 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -12,6 +12,9 @@ gen_require(`
 attribute can_write_binary_policy;
 attribute can_relabelto_binary_policy;
 
+attribute_role semanage_roles;
+roleattribute system_r semanage_roles;
+
 #
 # selinux_config_t is the type applied to
 # /etc/selinux/config
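Review bot: This hunk is the only place in the patch where a role declared outside the module (`system_r`) is placed into a freshly declared role attribute, and the next hunk then drives `role semanage_roles types semanage_t;` off that attribute. The assertion reported in the cover mail (`regular_role != NULL && regular_role->flavor == 0` in role_fix_callback) appears to be raised while the expander maps a role attribute's member roles, so if the cause is in this policy rather than in the new toolchain support, reverting these two hunks first is the cheapest bisection step. Whether the fault is here or in libsepol cannot be determined from the patch alone.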
@@ -89,7 +92,7 @@ type semanage_t;
 type semanage_exec_t;
 application_domain(semanage_t, semanage_exec_t)
 domain_interactive_fd(semanage_t)
-role system_r types semanage_t;
+role semanage_roles types semanage_t;
 
 type semanage_store_t;
 files_type(semanage_store_t)
@@ -468,8 +471,8 @@ miscfiles_read_localization(semanage_t)
 seutil_libselinux_linked(semanage_t)
 seutil_manage_file_contexts(semanage_t)
 seutil_manage_config(semanage_t)
-seutil_domtrans_setfiles(semanage_t)
-seutil_domtrans_loadpolicy(semanage_t)
+seutil_run_setfiles(semanage_t, semanage_roles)
+seutil_run_loadpolicy(semanage_t, semanage_roles)
 seutil_manage_bin_policy(semanage_t)
 seutil_use_newrole_fds(semanage_t)
 seutil_manage_module_store(semanage_t)
diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed
index 20ffa6c..601c4f7 100644
--- a/support/comment_move_decl.sed
+++ b/support/comment_move_decl.sed
@@ -5,7 +5,7 @@
 /require \{/,/} # end require/b nextline
 /optional \{/,/} # end optional/b nextline
 
-/^[[:blank:]]*(attribute|type(alias)?) /s/^/# this line was moved by the build process: &/
+/^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/
 /^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/
 /^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/
 /^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/
diff --git a/support/get_type_attr_decl.sed b/support/get_type_attr_decl.sed
index a113f21..69c6ccd 100644
--- a/support/get_type_attr_decl.sed
+++ b/support/get_type_attr_decl.sed
@@ -5,7 +5,7 @@
 /require \{/,/} # end require/b nextline
 /optional \{/,/} # end optional/b nextline
 
-/^[[:blank:]]*(attribute|type(alias)?|bool) /{
+/^[[:blank:]]*(attribute(_role)?|type(alias)?|bool) /{
 	s/^[[:blank:]]+//
 	p
 }
