Re: [PATCH] python/sepolicy: Fix template for confined user policy modules

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Petr Lautrbach <lautrbach@redhat.com>
To: Vit Mojzis <vmojzis@redhat.com>, selinux@vger.kernel.org
Subject: Re: [PATCH] python/sepolicy: Fix template for confined user policy modules
Date: Mon, 05 Jun 2023 11:12:56 +0200	[thread overview]
Message-ID: <871qiqjmqv.fsf@redhat.com> (raw)
In-Reply-To: <20230601163430.2062951-1-vmojzis@redhat.com>

Vit Mojzis <vmojzis@redhat.com> writes:

> The following commit
> https://github.com/SELinuxProject/refpolicy/commit/330b0fc3331d3b836691464734c96f3da3044490
> changed the userdom_base_user_template, which now requires a role
> corresponding to the user being created to be defined outside of the
> template.
> Similar change was also done to fedora-selinux/selinux-policy
> https://github.com/fedora-selinux/selinux-policy/commit/e1e216b25df1bdb4eb7dbb8f73f32927ad6f3d1f
>
> Although I believe the template should define the role (just as it
> defines the new user), that will require extensive changes to refpolicy.
> In the meantime the role needs to be defined separately.
>
> Fixes:
> \# sepolicy generate --term_user -n newuser
> Created the following files:
> /root/a/test/newuser.te # Type Enforcement file
> /root/a/test/newuser.if # Interface file
> /root/a/test/newuser.fc # File Contexts file
> /root/a/test/newuser_selinux.spec # Spec file
> /root/a/test/newuser.sh # Setup Script

If you don't mind, I'd push it with indented text, i.e.

Fixes:
    # sepolicy generate --term_user -n newuser
    Created the following files:
    /root/a/test/newuser.te # Type Enforcement file
    /root/a/test/newuser.if # Interface file
    /root/a/test/newuser.fc # File Contexts file
    /root/a/test/newuser_selinux.spec # Spec file
    /root/a/test/newuser.sh # Setup Script



> \# ./newuser.sh
> Building and Loading Policy
> + make -f /usr/share/selinux/devel/Makefile newuser.pp
> Compiling targeted newuser module
> Creating targeted newuser.pp policy package
> rm tmp/newuser.mod tmp/newuser.mod.fc
> + /usr/sbin/semodule -i newuser.pp
> Failed to resolve roleattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/newuser/cil:8
> Failed to resolve AST
> /usr/sbin/semodule:  Failed!
>
> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>

Acked-by: Petr Lautrbach <lautrbach@redhat.com>


> ---
>  python/sepolicy/sepolicy/templates/user.py | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/python/sepolicy/sepolicy/templates/user.py b/python/sepolicy/sepolicy/templates/user.py
> index 1ff9d2ce..7081fbae 100644
> --- a/python/sepolicy/sepolicy/templates/user.py
> +++ b/python/sepolicy/sepolicy/templates/user.py
> @@ -28,6 +28,8 @@ policy_module(TEMPLATETYPE, 1.0.0)
>  #
>  # Declarations
>  #
> +role TEMPLATETYPE_r;
> +
>  userdom_unpriv_user_template(TEMPLATETYPE)
>  """
>  
> @@ -38,6 +40,8 @@ policy_module(TEMPLATETYPE, 1.0.0)
>  #
>  # Declarations
>  #
> +role TEMPLATETYPE_r;
> +
>  userdom_admin_user_template(TEMPLATETYPE)
>  """
>  
> @@ -48,6 +52,7 @@ policy_module(TEMPLATETYPE, 1.0.0)
>  #
>  # Declarations
>  #
> +role TEMPLATETYPE_r;
>  
>  userdom_restricted_user_template(TEMPLATETYPE)
>  """
> @@ -59,6 +64,7 @@ policy_module(TEMPLATETYPE, 1.0.0)
>  #
>  # Declarations
>  #
> +role TEMPLATETYPE_r;
>  
>  userdom_restricted_xwindows_user_template(TEMPLATETYPE)
>  """
> @@ -89,6 +95,7 @@ gen_tunable(TEMPLATETYPE_manage_user_files, false)
>  #
>  # Declarations
>  #
> +role TEMPLATETYPE_r;
>  
>  userdom_base_user_template(TEMPLATETYPE)
>  """
> -- 
> 2.40.0

next prev parent reply	other threads:[~2023-06-05  9:13 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-01 16:34 [PATCH] python/sepolicy: Fix template for confined user policy modules Vit Mojzis
2023-06-05  9:12 ` Petr Lautrbach [this message]
2023-06-12 17:47   ` Petr Lautrbach

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=871qiqjmqv.fsf@redhat.com \
    --to=lautrbach@redhat.com \
    --cc=selinux@vger.kernel.org \
    --cc=vmojzis@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.