From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 02 Dec 2008 13:53:29 -0500
Subject: [refpolicy] new svn refpolicy difficulties:
In-Reply-To: <1228233441.2973.17.camel@unix>
References: <1228112352.3841.13.camel@unix> <1228223603.9691.19.camel@gorn> <1228233441.2973.17.camel@unix>
Message-ID: <1228244012.9691.22.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2008-12-02 at 07:57 -0800, Justin P. Mattock wrote:
> On Tue, 2008-12-02 at 08:13 -0500, Christopher J. PeBenito wrote:
> > On Sun, 2008-11-30 at 22:19 -0800, Justin P. Mattock wrote:
> > > With the latest refpolicy, I'm able to have all of the allow rules
> > > during the boot process applied to the policy, but as soon as I add
> > > any of the allow rules after startx, with any role, I'm denied
> > > building the policy, e.g.
> > >
> > > :ERROR 'type staff_dbusd_t is not within scope' at token ';' on line
> > > 2581459:
> > >
> > > I think this has to do with my policy/users file. (Where can I find
> > > info on setting a prefix?)
> >
> > I suspect it is actually related to this:
> >
> > http://marc.info/?l=selinux&m=122477138927253&w=2
> >
> > What changes have you made (if any) to the policy? Also the
> > policy/modules.conf and build.conf?
>
> This is the same issue from a few weeks ago (just never got around to
> working it); as for changes to the modules.conf, I sent you that a few
> weeks ago, which basically has nothing modified (my goal is to keep the
> policy as generic as possible, no tweaking of any kind); I do modify the
> build.conf and policy/users.
>
> As for the users, I set
>
> gen_user(user, system_u, sysadm_r staff_r user_r, s0, s0 - mls_systemhigh, mcs_allcats)
>
> and in the build.conf I change the policy number, setting debian,
> monolithic=y, deny unknown=y, not much stuff...
>
> Overall, I'm not sure, but after reading the users file it says:
>
>     Note: Identities without a prefix wil not be listed
>     in the users_extra file used by genhomedircon.
>
> (BTW, there's a typo in there: "will")
>
> This here tells me that if I don't have this set correctly (prefix), I
> won't be able to build the policy accordingly with my user name and
> roles? Hence there's always an error during compiling when I add
> something like staff_dbus_t. If I have this correct, will staff_dbus_t
> change to staff_t? Or something to satisfy the compiling of the
> policy...

No. This error is not related to this. The users_extra content is used
for genhomedircon, and is in fact no longer used now that there is UBAC.
It has to do with issues with scoping in the compiler. I can't reproduce
this, where did you put the rules?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
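The "type ... is not within scope" error above comes from a rule that names a type its own module neither declares nor pulls in with gen_require(). The script below is an added example, not part of this thread or of refpolicy; it is a deliberately simplified scope check over constructed .te fragments (the module names, types and rules are made up) that reports each allow rule referencing a type outside its module's scope and which module actually owns that type. It only understands plain `type` declarations, gen_require() blocks and allow rules, so it is a triage aid for locating a stray rule, not a reimplementation of what checkpolicy does.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample modules (hypothetical, refpolicy-style; not real refpolicy text).
# local.te references staff_dbusd_t directly although dbus.te owns it and
# local.te never requires it, which is the kind of rule that trips the compiler.
MODULES: Dict[str, str] = {
    "dbus.te": """
policy_module(dbus, 1.0.0)
type system_dbusd_t;
type staff_dbusd_t;
allow system_dbusd_t self:unix_stream_socket { read write };
""",
    "local.te": """
policy_module(local, 1.0.0)
type local_app_t;
gen_require(`
    type sysadm_t;
')
allow local_app_t sysadm_t:fd use;
allow local_app_t staff_dbusd_t:unix_stream_socket connectto;
""",
}

TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*[;,]")
# source and target may be a single identifier or a { a b } set
ALLOW_RULE = re.compile(r"^\s*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+):\S+\s+.*;")


def identifiers(field: str) -> Set[str]:
    """Split a source/target field into type names, dropping `self` and set negation."""
    return {tok.lstrip("-~") for tok in field.strip("{} ").split() if tok != "self"}


def parse_module(text: str) -> Tuple[Set[str], Set[str], List[Tuple[int, Set[str]]]]:
    """Return (types declared here, types required here, [(line, types used by allow rules)])."""
    owned: Set[str] = set()
    required: Set[str] = set()
    rules: List[Tuple[int, Set[str]]] = []
    in_require = False
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("gen_require("):
            in_require = True
            continue
        if in_require and stripped.startswith("')"):
            in_require = False
            continue
        m = TYPE_DECL.match(line)
        if m:
            (required if in_require else owned).add(m.group(1))
            continue
        m = ALLOW_RULE.match(line)
        if m:
            rules.append((lineno, identifiers(m.group(1)) | identifiers(m.group(2))))
    return owned, required, rules


def check_scope(modules: Dict[str, str]) -> Dict[str, List[Tuple[int, str, Optional[str]]]]:
    """Map module -> [(line, out-of-scope type, module that owns it or None)]."""
    parsed = {name: parse_module(text) for name, text in modules.items()}
    owner = {t: name for name, (owned, _, _) in parsed.items() for t in owned}
    problems: Dict[str, List[Tuple[int, str, Optional[str]]]] = {}
    for name, (owned, required, rules) in parsed.items():
        in_scope = owned | required
        for lineno, types in rules:
            for t in sorted(types - in_scope):
                problems.setdefault(name, []).append((lineno, t, owner.get(t)))
    return problems


if __name__ == "__main__":
    for module, hits in check_scope(MODULES).items():
        for lineno, typ, owning in hits:
            where = f"declared in {owning}" if owning else "not declared anywhere"
            print(f"{module}:{lineno}: type {typ} is not within scope ({where})")
```

On the sample input this flags line 7 of local.te for staff_dbusd_t and points at dbus.te as the owner. In refpolicy, access to another module's types is granted through an interface from that module's .if file rather than by naming the type directly, so the owning module is where to look next; a rule that lands in the "not declared anywhere" bucket is usually a misspelt type.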