From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 26 Feb 2012 14:19:27 +0100
Subject: [refpolicy] Showing role attributes + issue when calling selinux utilities
Message-ID: <20120226131858.GA30221@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi guys,

Continuing the 20120215 release testing, I noticed that I can't call
run_init anymore:

  ~# run_init
  -bash: /usr/sbin/run_init: Permission denied

Same for newrole:

  ~# newrole -r sysadm_r
  -bash: /usr/bin/newrole: Permission denied

The denial is because of an invalid context:

  ~# dmesg | tail -1
  [ 6165.059146] type=1401 audit(1330261818.013:2712): security_compute_sid: invalid context root:staff_r:newrole_t for scontext=root:staff_r:newrole_t tcontext=root:staff_r:newrole_t tclass=unix_stream_socket

It looks like it has something to do with the role attribute support,
because seutil_run_runinit has changed between 20110726 and 20120215 in
that regard:

  ~$ ## 20110726 policy
  ~$ seshowif seutil_run_runinit
  interface(`seutil_run_runinit',`
          gen_require(`
                  type run_init_t;
                  role system_r;
          ')

          auth_run_chk_passwd(run_init_t, $2)
          seutil_domtrans_runinit($1)
          role $2 types run_init_t;
          allow $2 system_r;
  ')

  ~$ ## 20120215 policy
  $ seshowif seutil_run_runinit
  interface(`seutil_run_runinit',`
          gen_require(`
                  attribute_role run_init_roles;
          ')

          seutil_domtrans_runinit($1)
          roleattribute $2 run_init_roles;
  ')

Do I need to include "allow $2 system_r" again here?

Another question: is it possible to query the role attributes on the
system? seinfo only shows those for types...

Wkr,
        Sven Vermeulen
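The "invalid context" in the mail above means the kernel found no role/type authorization for staff_r and the target type. The following toy model, added here and not part of the mail or of refpolicy, shows how the two interface versions differ: the 20110726 form authorizes the role directly, while the 20120215 form only adds the role to a role attribute and relies on a separate `role run_init_roles types run_init_t;` statement elsewhere in the policy. The policy lines are constructed, with $2 substituted by staff_r; real role-allow (`allow $2 system_r`) rules for role transitions are not modelled.

```python
# Toy model of SELinux role/type authorization with role attributes.
# Added example, not refpolicy code. Supported statements (refpolicy syntax):
#   attribute_role A;        declare a role attribute
#   roleattribute R A;       make role R a member of attribute A
#   role R types T;          authorize role (or attribute) R for type(s) T

def authorized_types(policy):
    """Return {role: set(types)} after expanding role attributes."""
    attrs = {}       # attribute name -> set of member roles
    role_types = {}  # role or attribute name -> set of authorized types
    for stmt in policy:
        words = stmt.strip().rstrip(";").split()
        if not words:
            continue
        if words[0] == "attribute_role":
            attrs.setdefault(words[1], set())
        elif words[0] == "roleattribute":
            attrs.setdefault(words[2], set()).add(words[1])
        elif words[0] == "role" and len(words) > 3 and words[2] == "types":
            types = [w for w in words[3:] if w not in ("{", "}")]
            role_types.setdefault(words[1], set()).update(types)
    # A plain role keeps its own types; attribute names are not roles.
    result = {r: set(t) for r, t in role_types.items() if r not in attrs}
    # Every member role inherits the types authorized for its attribute.
    for attr, members in attrs.items():
        for member in members:
            result.setdefault(member, set()).update(role_types.get(attr, set()))
    return result

def context_valid(policy, context):
    """True if the role of 'user:role:type' is authorized for that type."""
    _user, role, type_ = context.split(":")[:3]
    return type_ in authorized_types(policy).get(role, set())

# Constructed policy fragments mirroring the two interface versions quoted above.
OLD = ["role staff_r types run_init_t;"]                     # 20110726 style
NEW_PARTIAL = ["attribute_role run_init_roles;",             # 20120215 style,
               "roleattribute staff_r run_init_roles;"]      # attribute only
NEW_FULL = NEW_PARTIAL + ["role run_init_roles types run_init_t;"]

if __name__ == "__main__":
    for name, pol in (("old", OLD), ("new/partial", NEW_PARTIAL), ("new/full", NEW_FULL)):
        print(name, context_valid(pol, "root:staff_r:run_init_t"))
```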