* got some problems with the type_transition rules
From: kuangjiou @ 2015-09-07 11:22 UTC
To: 'selinux@tycho.nsa.gov'
Hello, everyone!

I am trying to use the optional file name feature in type_transition rules, and I tested it in my OS (with kernel 3.0.76 and selinux userspace 2.1.0).

1. I added a type_transition rule to my policy like this: filetrans_pattern(unconfined_t,tpm_dentry_t,stmfile_lst_t,file,"123"). It can be compiled and installed successfully.

But every file that I create in the tpm_dentry_t dentry gets the stmfile_lst_t type, not just the file named 123.

2. I added two type_transition rules to my policy like this:
filetrans_pattern(unconfined_t,tpm_dentry_t,stmfile_lst_t,file,"123")
filetrans_pattern(unconfined_t,tpm_dentry_t,trust_log_t,file,"456")

They can be compiled successfully, but I got some errors when installing:
libsepol.expand_terule_helper: conflicting TE rule for (unconfined_t, tpm_dentry_t:file): old was stmfile_lst_t, new is trust_log_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!

Can anyone help me with this problem? Thank you!

PS: I got the selinux userspace 2.1.0 from here:
https://github.com/SELinuxProject/selinux/wiki/Releases
* Re: got some problems with the type_transition rules
From: Dominick Grift @ 2015-09-07 16:14 UTC
To: kuangjiou; +Cc: 'selinux@tycho.nsa.gov'
On Mon, Sep 07, 2015 at 11:22:26AM +0000, kuangjiou wrote:
> Hello, everyone!
>
> I am trying to use the optional file name feature in type_transition rules, and I tested it in my OS (with kernel 3.0.76 and selinux userspace 2.1.0).
>
> 1. I added a type_transition rule to my policy like this: filetrans_pattern(unconfined_t,tpm_dentry_t,stmfile_lst_t,file,"123"). It can be compiled and installed successfully.
>
> But every file that I create in the tpm_dentry_t dentry gets the stmfile_lst_t type, not just the file named 123.
>
> 2. I added two type_transition rules to my policy like this:
> filetrans_pattern(unconfined_t,tpm_dentry_t,stmfile_lst_t,file,"123")
> filetrans_pattern(unconfined_t,tpm_dentry_t,trust_log_t,file,"456")
>
> They can be compiled successfully, but I got some errors when installing:
>
I would have a look at applicable type_transition rules with sesearch to
see what is there.
sesearch -ASCT -s unconfined_t | grep type_transition | grep tpm_dentry_t
>
> libsepol.expand_terule_helper: conflicting TE rule for (unconfined_t, tpm_dentry_t:file): old was stmfile_lst_t, new is trust_log_t
> libsepol.expand_module: Error during expand
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
>
> Can anyone help me with this problem? Thank you!
>
> PS: I got the selinux userspace 2.1.0 from here:
> https://github.com/SELinuxProject/selinux/wiki/Releases
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
* Re: got some problems with the type_transition rules
From: kuangjiou @ 2015-09-08 2:07 UTC
To: Dominick Grift; +Cc: 'selinux@tycho.nsa.gov'
I got this message when I input "sesearch -ASCT -s unconfined_t | grep type_transition | grep tpm_dentry_t":
type_transition unconfined_t tpm_dentry_t : file stmfile_lst_t;
Does it mean that kernel 3.0.76 doesn't support the optional file name in type_transition rules?
* Re: got some problems with the type_transition rules
From: Dominick Grift @ 2015-09-08 7:14 UTC
To: kuangjiou; +Cc: 'selinux@tycho.nsa.gov'
On Tue, Sep 08, 2015 at 02:07:26AM +0000, kuangjiou wrote:
> I got this message when I input "sesearch -ASCT -s unconfined_t | grep type_transition | grep tpm_dentry_t":
> type_transition unconfined_t tpm_dentry_t : file stmfile_lst_t;
>
> Does it mean that kernel 3.0.76 doesn't support the optional file name in type_transition rules?
Not necessarily, but in your case I think it does, yes.
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
* Reply: got some problems with the type_transition rules
From: kuangjiou @ 2015-09-08 9:06 UTC
To: Dominick Grift; +Cc: 'selinux@tycho.nsa.gov', Stephen Smalley
According to this webpage,
http://selinuxproject.org/page/TypeRules
Policy versions 25 and above also support a 'name transition' rule
But the policy version of my OS is 26; I don't know why the type_transition rule didn't work
* Re: Reply: got some problems with the type_transition rules
From: Stephen Smalley @ 2015-09-08 14:58 UTC
To: kuangjiou, Dominick Grift; +Cc: 'selinux@tycho.nsa.gov'
On 09/08/2015 05:06 AM, kuangjiou wrote:
> According to this webpage,
> http://selinuxproject.org/page/TypeRules
>
> Policy versions 25 and above also support a 'name transition' rule
>
> But the policy version of my OS is 26; I don't know why the type_transition rule didn't work
To see what version is supported by your kernel:
cat /selinux/policyvers or
cat /sys/fs/selinux/policyvers
(depending on where you have selinuxfs mounted)
Make sure you don't have CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
set in your kernel .config. That was a legacy option for backward
compatibility with Fedora 3 and 4, and forces the kernel to an old
policy version. You don't want it.
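
The checks from this thread (kernel policy version, the legacy kernel config option, and the sesearch listing) collected as shell functions; this is an added example, not code from any poster. The function names and the assumed sesearch form with a trailing quoted file name are this example's own; the threshold 25 comes from the TypeRules page quoted above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.
NAME_TRANS_MIN_VERS=25  # per the TypeRules wiki page quoted in the thread

# Print the first readable policyvers file among the given paths.
kernel_policyvers() {
    for f in "$@"; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    return 1
}

# Succeed when policy version $1 can carry name transitions.
supports_name_trans() {
    [ -n "$1" ] && [ "$1" -ge "$NAME_TRANS_MIN_VERS" ] 2>/dev/null
}

# Succeed when kernel config file $1 enables the legacy version cap.
legacy_max_set() {
    grep -q '^CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=y' "$1"
}

# Read sesearch output on stdin. Print each "source target class" key whose
# type_transition rules have no quoted file name and disagree on the new
# type (the kind of pair libsepol rejected in the thread).
# Assumption: a name transition is printed with a trailing "name".
unnamed_conflicts() {
    awk '$1 == "type_transition" && $0 !~ /"/ {
        key = $2 " " $3 " " $5
        newtype = $6; sub(/;$/, "", newtype)
        if ((key in seen) && seen[key] != newtype) { bad[key] = 1 } else { seen[key] = newtype }
    }
    END { for (k in bad) print k }'
}

# Report for the running system; both selinuxfs mount points are tried.
vers=$(kernel_policyvers /sys/fs/selinux/policyvers /selinux/policyvers) || vers=""
if supports_name_trans "$vers"; then
    echo "kernel accepts policy version $vers: name transitions available"
else
    echo "kernel policy version '${vers:-unknown}' is below $NAME_TRANS_MIN_VERS or unreadable"
fi
```

Pipe the output of the sesearch command from earlier in the thread into unnamed_conflicts, and pass the path of the running kernel's .config to legacy_max_set.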