From: eparis@redhat.com (Eric Paris)
Date: Sat, 12 Sep 2009 18:28:41 -0400
Subject: [refpolicy] [git bisected] 25354c4fee169710fd9da15f3bb2abaa24dcf933 is first bad commit
In-Reply-To:
References:
Message-ID: <1252794521.13780.16.camel@dhcp231-106.rdu.redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, 2009-09-12 at 15:09 -0700, Justin Mattock wrote:
> attached is dmesg of the latest
> Head giving me an avc denial that
> is giving me an error with checkpolicy:
>
> /usr/bin/checkpolicy -c 22 -U deny policy.conf -o policy.22
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> policy/modules/services/xserver.te":1138:ERROR 'permission
> module_request is not defined for class system' at token ';' on line
> 2904222:
> allow NetworkManager_t kernel_t:system module_request;
> #============= NetworkManager_t ==============
> policy/modules/services/xserver.te":1141:ERROR 'permission
> module_request is not defined for class system' at token ';' on line
> 2904225:
> #============= insmod_t ==============
> allow insmod_t kernel_t:system module_request;
> policy/modules/services/xserver.te":1144:ERROR 'permission
> module_request is not defined for class system' at token ';' on line

It's because you are using the -U deny. You are telling the kernel to
deny unknown permissions and then you are trying to define an unknown
permission. There is nothing wrong with the kernel.

I do need to submit the policy patch to define it, but that's not a good
idea until we know more or all of the places it is needed. I hoped to
work on that with dwalsh in rawhide before we push the policy patch
upstream. You can help there!

In your base policy module you need to define 'request_module' in the
system class in policy/flash/access_vectors, rebuild and load the base
policy module. Then you can use the request_module permission.

-Eric
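A pre-flight check for the failure quoted in this message, as an added example that is not part of the original e-mail or of refpolicy: it parses class definitions written in access_vectors syntax and reports every allow rule that uses a permission its class does not define. The function names and both sample inputs are constructed for illustration; only simple `allow source target:class perms;` rules are handled.

```python
import re

# Constructed sample in access_vectors syntax (not copied from a policy tree).
ACCESS_VECTORS = """
common file { read write }
class file inherits file { execute }
class system { ipc_info syslog_read }
"""

# Constructed rules; the module_request rules mirror the quoted checkpolicy output.
RULES = """
#============= NetworkManager_t ==============
allow NetworkManager_t kernel_t:system module_request;
#============= insmod_t ==============
allow insmod_t kernel_t:system module_request;
allow insmod_t kernel_t:system { ipc_info syslog_read };
allow insmod_t etc_t:file { read execute };
"""

DECL = re.compile(
    r"\b(common|class)\s+(\w+)(?:\s+inherits\s+(\w+))?\s*(?:\{([^}]*)\})?")
ALLOW = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)

def parse_access_vectors(text):
    """Return {class: set(permissions)}, resolving 'inherits <common>'."""
    text = re.sub(r"#.*", "", text)          # drop comments
    commons, classes = {}, {}
    for kind, name, parent, body in DECL.findall(text):
        perms = set(body.split())
        if kind == "common":
            commons[name] = perms
        else:
            classes[name] = perms | commons.get(parent, set())
    return classes

def undefined_permissions(rules, classes):
    """Return (source, class, permission) for each permission the class lacks."""
    missing = []
    for source, _target, cls, perms in ALLOW.findall(rules):
        for perm in perms.strip("{}").split():
            if perm not in classes.get(cls, set()):
                missing.append((source, cls, perm))
    return missing

if __name__ == "__main__":
    classes = parse_access_vectors(ACCESS_VECTORS)
    for source, cls, perm in undefined_permissions(RULES, classes):
        print(f"{source}: permission {perm} is not defined for class {cls}")
```

Run against the sample, the two `module_request` rules are reported; once the permission is added to the `system` class definition, the list is empty.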