2010-08-18 10:26:23

by harrytaurus2002

Subject: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117


Hi SELinux experts,

While trying to build the lspp_test.pp provided by audit-test-2090/utils/selinux-policy/lspp_test.* along with the refpolicy-20091117 source code, I copied the lspp_test.* files to policy/modules/apps/ and then modified policy/modules.conf to declare "lspp_test = module", but I run into the error message below:

support/segenxml.py: warning: orphan XML comments at bottom of file policy/modules/apps/lspp_test.te

This wipes out the declaration line "lspp_test = module" in modules.conf! How can I tackle this kind of error message? What's wrong in lspp_test.te? (Attached for your reference.)

BTW, if I compile lspp_test.pp within the audit-test-2090 package itself, everything is fine except for some warnings about "role dominance rule is deprecated", but I fail to insert it on my target, where the refpolicy-2.20091117 policy image is in place:

[root/secadm_r/s0 at qemu-host selinux-policy]# semodule -i lspp_test.pp
libsepol.expand_terule_helper: conflicting TE rule for (lspp_test_generic_t, sepgsql_db_t:db_table): old was user_sepgsql_table_t, new is sepgsql_table_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[root/secadm_r/s0 at qemu-host selinux-policy]#

So far I am clueless about this problem. How should I deal with it?

Any comment is greatly appreciated!

Thank you very much!
Harry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lspp_test.te
Type: application/octet-stream
Size: 8614 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100818/452a30d8/attachment.obj


2010-08-18 11:52:47

by Paul Moore

Subject: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117

On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
> Hi SELinux exports,
>
> When I am trying to build the lspp_test.pp provided by
> audit-test-2090/utils/selinux-policy/lspp_test.* along with the
> refpolicy-20091117 source code, I copied lspp_test.* files to
> policy/modules/apps/ and then modified policy/modules.conf to declare
> "lspp_test = module", but I run into below error message ...

Is there any reason why you copied the lspp_test policy files to the
refpolicy sources and tried to build it there? I'm not completely sure
that this is the cause of your problem but I can say for certain that
this is not a tested procedure for building the lspp_test module.

The normal procedure is to build the lspp_test policy module separately
from the system's main SELinux policy, e.g. build and install the normal
system's SELinux policy (refpolicy-20091117 in your case) and after you
have verified that everything is working correctly you can change to the
audit-test-*/utils/selinux-policy directory and use the
Makefile located there to build the lspp_test module.

--
paul moore
linux @ hp

2010-08-18 13:24:41

by harrytaurus2002

Subject: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117


Hi Paul,

> Subject: Re: Problem about audit-test-2090 + refpolicy-2.20091117
> From: paul.moore at hp.com
> To: harrytaurus2002 at hotmail.com
> CC: selinux at tycho.nsa.gov; refpolicy at oss1.tresys.com
> Date: Wed, 18 Aug 2010 07:52:47 -0400
>
> On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
> > Hi SELinux exports,
> >
> > When I am trying to build the lspp_test.pp provided by
> > audit-test-2090/utils/selinux-policy/lspp_test.* along with the
> > refpolicy-20091117 source code, I copied lspp_test.* files to
> > policy/modules/apps/ and then modified policy/modules.conf to declare
> > "lspp_test = module", but I run into below error message ...
>
> Is there any reason why you copied the lspp_test policy files to the
> refpolicy sources and tried to build it there? I'm not completely sure
> that this is the cause of your problem but I can say for certain that
> this is not a tested procedure for building the lspp_test module.
>
> The normal procedure is to build the lspp_test policy module separately
> from the system's main SELinux policy, e.g. build and install the normal
> system's SELinux policy (refpolicy-20091117 in your case) and after you
> have verified that everything is working correctly you can change to the
> directory audit-test-*/utils/selinux-policy directory and use the
> Makefile located their to build the lspp_test module.
>

Many many thanks for your response!

Well, after I installed the SELinux header properly, I could enter audit-test/utils/selinux-policy/ and successfully build lspp_test.pp there. However, I run into the error messages below when trying to insert it:

[root/secadm_r/s0 at qemu-host selinux-policy]# semodule -i lspp_test.pp
libsepol.expand_terule_helper: conflicting TE rule for (lspp_test_generic_t, sepgsql_db_t:db_table): old was user_sepgsql_table_t, new is sepgsql_table_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[root/secadm_r/s0 at qemu-host selinux-policy]#

Honestly speaking, I am clueless about this error message, so I tried to compile lspp_test.pp along with the refpolicy source code just to see if the problem would simply disappear. Do you have any comments or suggestions about it?



Moreover, audit-test-2090 seems to be a little "older" than refpolicy-2.20091117. For example, lspp_test.te calls mls_file_read_up() rather than the expected mls_file_read_all_levels(). Do you know if I could find a later version of the audit-test package or of the lspp_test.* files?



Thank you very much!



Best regards,

Harry

> --
> paul moore
> linux @ hp

2010-08-18 13:38:01

by domg472

Subject: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117

On 08/18/2010 03:24 PM, TaurusHarry wrote:
>
> Hi Paul,
>
>> Subject: Re: Problem about audit-test-2090 + refpolicy-2.20091117
>> From: paul.moore at hp.com
>> To: harrytaurus2002 at hotmail.com
>> CC: selinux at tycho.nsa.gov; refpolicy at oss1.tresys.com
>> Date: Wed, 18 Aug 2010 07:52:47 -0400
>>
>> On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
>>> Hi SELinux exports,
>>>
>>> When I am trying to build the lspp_test.pp provided by
>>> audit-test-2090/utils/selinux-policy/lspp_test.* along with the
>>> refpolicy-20091117 source code, I copied lspp_test.* files to
>>> policy/modules/apps/ and then modified policy/modules.conf to declare
>>> "lspp_test = module", but I run into below error message ...
>>
>> Is there any reason why you copied the lspp_test policy files to the
>> refpolicy sources and tried to build it there? I'm not completely sure
>> that this is the cause of your problem but I can say for certain that
>> this is not a tested procedure for building the lspp_test module.
>>
>> The normal procedure is to build the lspp_test policy module separately
>> from the system's main SELinux policy, e.g. build and install the normal
>> system's SELinux policy (refpolicy-20091117 in your case) and after you
>> have verified that everything is working correctly you can change to the
>> directory audit-test-*/utils/selinux-policy directory and use the
>> Makefile located their to build the lspp_test module.
>>
>
> Many many thanks for your response!
>
> Well, after I installed SELinux header properly then I did could enter audit-test/utils/selinux-policy/ successfully built lspp_test.pp there, however, I run into below error messages when trying to insert it:
>
> [root/secadm_r/s0 at qemu-host selinux-policy]# semodule -i lspp_test.pp
> libsepol.expand_terule_helper: conflicting TE rule for (lspp_test_generic_t, sepgsql_db_t:db_table): old was user_sepgsql_table_t, new is sepgsql_table_t
> libsepol.expand_module: Error during expand
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> [root/secadm_r/s0 at qemu-host selinux-policy]#

It's a bug in policy somewhere, I believe. Where exactly is kind of hard
to determine. Do you have any custom modules loaded? In particular
custom modules that call either: userdom_unpriv_user_template or
postgresql_role.

The issue is that there's a conflict. Some module uses (old)
sepgsql_table_t, whilst another uses (new) user_sepgsql_table_t.

So my guess is that you have a custom user domain policy loaded that was
not updated when you updated refpolicy. Maybe even lspp_test.pp is it.

If that is true, then you would need to build a new lspp_test.pp from
lspp_test.te.



> Very honestly speaking I am clueless about such error message, so I tried to compile lspp_test.pp along with refpolicy source code just to see if such problem could simply disappear. Do you have some comments or suggestions about it?
>
>
>
> Moreover, the audit-test-2090 seems to be a little "old" than the refpolicy-2.20091117, for example, the lspp_test.te calls mls_file_read_up() rather than the expected mls_file_read_all_levels(), do you know if I could find some latest version of audit-test package or some latest version of the lspp_test.* files?
>
>
>
> Thank you very much!
>
>
>
> Best regards,
>
> Harry
>
>> --
>> paul moore
>> linux @ hp

2010-08-18 13:43:57

by domg472

Subject: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117

On 08/18/2010 03:24 PM, TaurusHarry wrote:
>
> Hi Paul,
>
>> Subject: Re: Problem about audit-test-2090 + refpolicy-2.20091117
>> From: paul.moore at hp.com
>> To: harrytaurus2002 at hotmail.com
>> CC: selinux at tycho.nsa.gov; refpolicy at oss1.tresys.com
>> Date: Wed, 18 Aug 2010 07:52:47 -0400
>>
>> On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
>>> Hi SELinux exports,
>>>
>>> When I am trying to build the lspp_test.pp provided by
>>> audit-test-2090/utils/selinux-policy/lspp_test.* along with the
>>> refpolicy-20091117 source code, I copied lspp_test.* files to
>>> policy/modules/apps/ and then modified policy/modules.conf to declare
>>> "lspp_test = module", but I run into below error message ...
>>
>> Is there any reason why you copied the lspp_test policy files to the
>> refpolicy sources and tried to build it there? I'm not completely sure
>> that this is the cause of your problem but I can say for certain that
>> this is not a tested procedure for building the lspp_test module.
>>
>> The normal procedure is to build the lspp_test policy module separately
>> from the system's main SELinux policy, e.g. build and install the normal
>> system's SELinux policy (refpolicy-20091117 in your case) and after you
>> have verified that everything is working correctly you can change to the
>> directory audit-test-*/utils/selinux-policy directory and use the
>> Makefile located their to build the lspp_test module.
>>
>
> Many many thanks for your response!
>
> Well, after I installed SELinux header properly then I did could enter audit-test/utils/selinux-policy/ successfully built lspp_test.pp there, however, I run into below error messages when trying to insert it:
>
> [root/secadm_r/s0 at qemu-host selinux-policy]# semodule -i lspp_test.pp
> libsepol.expand_terule_helper: conflicting TE rule for (lspp_test_generic_t, sepgsql_db_t:db_table): old was user_sepgsql_table_t, new is sepgsql_table_t
> libsepol.expand_module: Error during expand
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> [root/secadm_r/s0 at qemu-host selinux-policy]#
>
> Very honestly speaking I am clueless about such error message, so I tried to compile lspp_test.pp along with refpolicy source code just to see if such problem could simply disappear. Do you have some comments or suggestions about it?
>

Basically I think your lspp_test.pp is incompatible with your version of
refpolicy. (The type user_sepgsql_table_t used in refpolicy conflicts
with the type sepgsql_table_t in lspp_test.pp.)

Or at least so I think...

>
> Moreover, the audit-test-2090 seems to be a little "old" than the refpolicy-2.20091117, for example, the lspp_test.te calls mls_file_read_up() rather than the expected mls_file_read_all_levels(), do you know if I could find some latest version of audit-test package or some latest version of the lspp_test.* files?
>
>
>
> Thank you very much!
>
>
>
> Best regards,
>
> Harry
>
>> --
>> paul moore
>> linux @ hp

2010-08-18 15:29:53

by Paul Moore

Subject: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117

On Wed, 2010-08-18 at 13:24 +0000, TaurusHarry wrote:
> Many many thanks for your response!
>
> Well, after I installed SELinux header properly then I did could enter
> audit-test/utils/selinux-policy/ successfully built lspp_test.pp
> there, however, I run into below error messages when trying to insert
> it:
>
> [root/secadm_r/s0 at qemu-host selinux-policy]# semodule -i lspp_test.pp
> libsepol.expand_terule_helper: conflicting TE rule for
> ( lspp_test_generic_t, sepgsql_db_t:db_table): old was
> user_sepgsql_table_t, new is sepgsql_table_t
> libsepol.expand_module: Error during expand
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> [root/secadm_r/s0 at qemu-host selinux-policy]#
>
> Very honestly speaking I am clueless about such error message, so I
> tried to compile lspp_test.pp along with refpolicy source code just to
> see if such problem could simply disappear. Do you have some comments
> or suggestions about it?

Hmm, it looks like perhaps there is a conflict with the sepostgres
policy? I'm not sure, I haven't built this policy on recent versions of
the refpolicy. I've heard rumors that some of the RH guys are running
audit-test on recent versions of Fedora/RHEL6 but I don't know if that
includes all of the LSPP bits, e.g. the lspp_test policy module.

If you want to play with SELinux policy, we're always accepting
patches :)

> Moreover, the audit-test-2090 seems to be a little "old" than the
> refpolicy-2.20091117, for example, the lspp_test.te calls
> mls_file_read_up() rather than the expected
> mls_file_read_all_levels(), do you know if I could find some latest
> version of audit-test package or some latest version of the
> lspp_test.* files?

You can always find the latest bits in the audit-test SVN repo on
sf.net, however, I must admit that currently we've only tested it
against RHEL5.x and some older Fedora releases.

--
paul moore
linux @ hp

2010-08-19 12:54:44

by cpebenito

Subject: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117

On 08/18/10 11:29, Paul Moore wrote:
> On Wed, 2010-08-18 at 13:24 +0000, TaurusHarry wrote:
>> Many many thanks for your response!
>>
>> Well, after I installed SELinux header properly then I did could enter
>> audit-test/utils/selinux-policy/ successfully built lspp_test.pp
>> there, however, I run into below error messages when trying to insert
>> it:
>>
>> [root/secadm_r/s0 at qemu-host selinux-policy]# semodule -i lspp_test.pp
>> libsepol.expand_terule_helper: conflicting TE rule for
>> ( lspp_test_generic_t, sepgsql_db_t:db_table): old was
>> user_sepgsql_table_t, new is sepgsql_table_t
>> libsepol.expand_module: Error during expand
>> libsemanage.semanage_expand_sandbox: Expand module failed
>> semodule: Failed!
>> [root/secadm_r/s0 at qemu-host selinux-policy]#
>>
>> Very honestly speaking I am clueless about such error message, so I
>> tried to compile lspp_test.pp along with refpolicy source code just to
>> see if such problem could simply disappear. Do you have some comments
>> or suggestions about it?
>
> Hmm, it looks like perhaps there is a conflict with the sepostgres
> policy?

Yep, there are conflicting type_transitions. Basically it is
complaining about these two rules:

type_transition lspp_test_generic_t sepgsql_db_t:db_table user_sepgsql_table_t;

type_transition lspp_test_generic_t sepgsql_db_t:db_table sepgsql_table_t;

so it fails.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
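
The check that fails here, as an added example (not code from the thread or from libsepol): a type_transition key of (source type, target type, object class) can carry only one default type, so two modules naming different defaults for the same key cannot be expanded together. The rule text below is constructed, which module contributes which rule is an assumption, and real .te files would need their macros expanded before being scanned this way.

```python
import re
from collections import defaultdict

# One type_transition statement; each of source, target and class may be
# a single identifier or a { brace set }.
TOKEN = r"(\{[^}]*\}|\w+)"
RULE = re.compile(
    r"type_transition " + TOKEN + " " + TOKEN + r" ?: ?" + TOKEN + r" (\w+)$"
)

def expand(token):
    """Turn 'a_t' or '{ a_t b_t }' into a list of names."""
    return token.strip("{} ").split()

def parse_transitions(text):
    """Yield ((source, target, class), default_type) for each expanded rule."""
    text = re.sub(r"#.*", "", text)              # drop comments
    for stmt in text.split(";"):
        m = RULE.match(" ".join(stmt.split()))   # collapse line wraps
        if not m:
            continue
        src, tgt, cls, default = m.groups()
        for s in expand(src):
            for t in expand(tgt):
                for c in expand(cls):
                    yield (s, t, c), default

def find_conflicts(sources):
    """Return {key: {default_type: source_name}} for keys with >1 default."""
    seen = defaultdict(dict)
    for name, text in sources.items():
        for key, default in parse_transitions(text):
            seen[key].setdefault(default, name)
    return {k: v for k, v in seen.items() if len(v) > 1}

# Constructed sample input; the split between "base" and "lspp_test" is assumed.
BASE = """
# rules as an already-loaded policy might contribute them
type_transition { lspp_test_generic_t user_t } sepgsql_db_t:db_table user_sepgsql_table_t;
"""
MODULE = """
type_transition lspp_test_generic_t sepgsql_db_t:db_table
    sepgsql_table_t;   # wrapped across lines, as rules often are in mail
type_transition lspp_test_generic_t sepgsql_db_t:db_procedure sepgsql_proc_exec_t;
"""

if __name__ == "__main__":
    found = find_conflicts({"base": BASE, "lspp_test": MODULE})
    for (s, t, c), defaults in found.items():
        print(f"conflicting TE rule for ({s}, {t}:{c}):")
        for default, origin in defaults.items():
            print(f"  {default}  (first seen in {origin})")
```
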

2010-08-19 12:58:27

by cpebenito

Subject: [refpolicy] Problem about audit-test-2090 + refpolicy-2.20091117

On 08/18/10 07:52, Paul Moore wrote:
> On Wed, 2010-08-18 at 10:26 +0000, TaurusHarry wrote:
>> Hi SELinux exports,
>>
>> When I am trying to build the lspp_test.pp provided by
>> audit-test-2090/utils/selinux-policy/lspp_test.* along with the
>> refpolicy-20091117 source code, I copied lspp_test.* files to
>> policy/modules/apps/ and then modified policy/modules.conf to declare
>> "lspp_test = module", but I run into below error message ...
>
> Is there any reason why you copied the lspp_test policy files to the
> refpolicy sources and tried to build it there? I'm not completely sure
> that this is the cause of your problem but I can say for certain that
> this is not a tested procedure for building the lspp_test module.

I wouldn't expect this to introduce problems, unless the headers in the
policy source didn't match the target system's base policy.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com