2016-07-28 11:30:26

by walid.fakim

Subject: [refpolicy] Compile Error when using the userdom_login_user_template() macro...

Hi Dominick,

I am working with Jack on this issue. So we tried your code snippet and that worked. We do have the reference policy downloaded - how do we confirm that we are indeed using it?

Going back to Jack's comment regarding the userdom_unpriv_user_template() macro:

I've switched the order of the code round from:

==== Old Code ====
role cos_r;
gen_user(cos_u, dsp_user, cos_r, s0, s0 - mls_systemhigh, mcs_allcats)

userdom_unpriv_user_template(cos)
================

To

====New Code====
userdom_unpriv_user_template(cos)

role cos_r;
gen_user(cos_u, dsp_user, cos_r, s0, s0 - mls_systemhigh, mcs_allcats)
================

And now the code has compiled with no errors. Is there anything we need to be careful of that the 2 macros are doing that could be interfering with each other?

Thanks & Regards,
Walid

-----Original Message-----
From: Borg-Cardona, Jack
Sent: 28 July 2016 11:06
To: Fakim, Walid
Subject: FW: [refpolicy] Compile Error when using the userdom_login_user_template() macro...



-----Original Message-----
From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Dominick Grift
Sent: 28 July 2016 10:44
To: refpolicy at oss.tresys.com
Subject: Re: [refpolicy] Compile Error when using the userdom_login_user_template() macro...

On 07/28/2016 11:02 AM, Borg-Cardona, Jack wrote:
> Morning,
>
> I've been working on my first custom policies recently and have begun the compile process and am working through the various syntax errors I have made. I have come across one error that I can't decipher, and does not seem to reference the syntax in my own policy but rather the syntax in the tmp/cosapp.tmp folder that is created at compile time.
>

Hi, is this refpolicy or some fork (Red Hat maybe)? If this is a Red Hat fork then you might want to ask on the fedora-selinux mailing list or #fedora-selinux or irc.freenode.org for better results.

Regardless, I would probably start by narrowing this down.

cat >>mytest.te<<EOF
policy_module(mytest,1.0.0)
userdom_login_user_template(cos)
EOF
make -f /usr/share/selinux/devel/Makefile mytest.pp

Do you see the same error message?


> From my policy (.te) the offending line is:
> userdom_login_user_template(cos)
>
> The error message is:
> cosapp.te":61:ERROR 'syntax error' at token 'require' on line 4050:
> require {
> #line 61
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/cosapp.mod] Error 1
>
> Looking at the cosapp.tmp file more closely I went to line 4050:
> #line 61
> require {
> #line 61
>
> #line 61
> class context contains;
> #line 61
> attribute login_userdomain;
> #line 61
>
> #line 61
> } # end require
> As this is not my syntax I am a bit puzzled as to what is actually wrong?
> A couple of thoughts that I had are:
> The macro userdom_login_user_template(cos) references a new custom user 'cos_u'. I have not yet added the user file_contexts file to /etc/selinux/targeted/contexts/users, so could this be causing the error? If so I am surprised that the gen_user() statement the line before works.
> Are there any dependencies I need to consider for this template to work, that I may not have thought about?
>
> Then finally, I jumped on the IRC channel yesterday but no one was around; what time do people tend to be on it?
>
> Thanks for the help
> Jack
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-07-28 11:53:07

by Dac Override

Subject: [refpolicy] Compile Error when using the userdom_login_user_template() macro...

On 07/28/2016 01:30 PM, Fakim, Walid wrote:
> Hi Dominick,
>
> I am working with Jack on this issue. So we tried your code snippet and that worked. We do have the reference policy downloaded - how do we confirm that we are indeed using it?
>
> Going back to Jack's comment regarding the userdom_unpriv_user_template() macro:
>
> I've switched the order of the code round from:
>
> ==== Old Code ====
> role cos_r;
> gen_user(cos_u, dsp_user, cos_r, s0, s0 - mls_systemhigh, mcs_allcats)
>
> userdom_unpriv_user_template(cos)
> ================
>
> To
>
> ====New Code====
> userdom_unpriv_user_template(cos)
>
> role cos_r;
> gen_user(cos_u, dsp_user, cos_r, s0, s0 - mls_systemhigh, mcs_allcats)
> ================
>
> And now the code has compiled with no errors. Is there anything we need to be careful of that the 2 macros are doing that could be interfering with each other?
>

Exactly. The gen_user() call has to be the last line in the policy
module, or else it won't work and you will get that very unhelpful error.

As for IRC: I am not sure what channel you've tried but we're on #selinux
at irc.freenode.org




--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
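
A pre-build check for the ordering rule given in the reply above, as an added example that is not part of the original thread or of refpolicy. The function name check_gen_user_last, the helper write_samples and the policy_module() header line in the samples are assumptions; the two sample modules are constructed from the old and new orderings quoted in the thread.

```shell
#!/bin/sh
# Added example: flags policy statements that come after gen_user() in a
# .te source file, before m4/checkmodule turn the mistake into a parse error
# that points into the generated tmp/*.tmp file.

# check_gen_user_last FILE
# Prints every statement found after the first gen_user() call and returns 1
# if there is one, 0 if gen_user() closes the module.
# Assumptions: gen_user() sits on a single line, "#" starts a comment, and
# consecutive gen_user() lines at the end of the file are accepted.
check_gen_user_last() {
    awk '
        BEGIN { seen = 0; bad = 0 }
        {
            line = $0
            sub(/#.*/, "", line)                 # drop comments
            gsub(/^[ \t]+|[ \t]+$/, "", line)    # trim whitespace
        }
        line == "" { next }
        line ~ /^gen_user\(/ { if (!seen) seen = FNR; next }
        seen {
            printf "%s:%d: statement after gen_user() (line %d): %s\n",
                   FILENAME, FNR, seen, line
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample modules using the two orderings quoted in the thread.
# The policy_module() header line is an assumption; the thread does not show it.
write_samples() {
    dir=$1
    cat > "$dir/cos_old.te" <<'EOF'
policy_module(cosapp, 1.0.0)
role cos_r;
gen_user(cos_u, dsp_user, cos_r, s0, s0 - mls_systemhigh, mcs_allcats)

userdom_unpriv_user_template(cos)
EOF
    cat > "$dir/cos_new.te" <<'EOF'
policy_module(cosapp, 1.0.0)
userdom_unpriv_user_template(cos)

role cos_r;
gen_user(cos_u, dsp_user, cos_r, s0, s0 - mls_systemhigh, mcs_allcats)
EOF
}

# Run with --demo to check both constructed samples.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp"
    check_gen_user_last "$tmp/cos_old.te" || echo "old ordering: rejected"
    check_gen_user_last "$tmp/cos_new.te" && echo "new ordering: ok"
    rm -rf "$tmp"
fi
```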


2016-07-28 14:28:52

by walid.fakim

Subject: [refpolicy] Compile Error when using the userdom_login_user_template() macro...

Hi Dominick,

Thanks for your response.

I've moved on to trying to load the upstream reference policy on my VM (running CentOS 6.8) - I'm getting the following error:

====

[staff at blue policy]$ sudo make load
Compliling tresys-test-refpolicy abrt.mod module
m4 -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -s support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/loadable_module.spt policy/support/misc_macros.spt policy/support/misc_patterns.spt policy/support/mls_mcs_macros.spt policy/support/obj_perm_sets.spt support/undivert.m4 tmp/generated_definitions.conf tmp/all_interfaces.conf policy/modules/contrib/abrt.te > tmp/abrt.tmp
/usr/bin/checkmodule -m tmp/abrt.tmp -o tmp/abrt.mod
/usr/bin/checkmodule: loading policy configuration from tmp/abrt.tmp
policy/modules/contrib/abrt.te":37:ERROR 'syntax error' at token 'attribute_role' on line 509:


====

Is this a compatibility issue between the latest reference policy and CentOS 6.8 or am I missing something?

Thanks & Regards,
Walid


2016-07-28 14:35:47

by Dac Override

Subject: [refpolicy] Compile Error when using the userdom_login_user_template() macro...

On 07/28/2016 04:28 PM, Fakim, Walid wrote:
> Hi Dominick,
>
> Thanks for your response.
>
> I've moved on to trying to load the upstream reference policy on my VM (running CentOS 6.8) - I'm getting the following error:
>
> ====
>
> [staff at blue policy]$ sudo make load
> Compliling tresys-test-refpolicy abrt.mod module
> m4 -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -s support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/loadable_module.spt policy/support/misc_macros.spt policy/support/misc_patterns.spt policy/support/mls_mcs_macros.spt policy/support/obj_perm_sets.spt support/undivert.m4 tmp/generated_definitions.conf tmp/all_interfaces.conf policy/modules/contrib/abrt.te > tmp/abrt.tmp
> /usr/bin/checkmodule -m tmp/abrt.tmp -o tmp/abrt.mod
> /usr/bin/checkmodule: loading policy configuration from tmp/abrt.tmp
> policy/modules/contrib/abrt.te":37:ERROR 'syntax error' at token 'attribute_role' on line 509:
>
>
> ====
>
> Is this a compatibility issue between the latest reference policy and CentOS 6.8 or am I missing something?

Yes, may well be. Role attributes may not be supported in CentOS 6.8. Hmm,
we should have considered that this would break compatibility.

Best to stick to what your distribution provides.



--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
