From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 6 Dec 2013 09:21:03 -0500 Subject: [refpolicy] [PATCH 25/39] users: move the unconfined_u user statement to the unconfined module (if possible) so that it will be removed if the unconfined module is disabled, or removed In-Reply-To: <1386337774.2469.54.camel@d30> References: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com> <1383990320-3340-25-git-send-email-dominick.grift@gmail.com> <52A1D0EA.2000906@tresys.com> <1386337774.2469.54.camel@d30> Message-ID: <52A1DD4F.6020405@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/06/13 08:49, Dominick Grift wrote: > On Fri, 2013-12-06 at 08:28 -0500, Christopher J. PeBenito wrote: >> On 11/09/13 04:45, Dominick Grift wrote: >>> Signed-off-by: Dominick Grift >>> --- >>> policy/modules/system/unconfined.te | 6 ++++++ >>> policy/users | 7 ------- >>> 2 files changed, 6 insertions(+), 7 deletions(-) >>> >>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te >>> index 28a2188..4e4a4c5 100644 >>> --- a/policy/modules/system/unconfined.te >>> +++ b/policy/modules/system/unconfined.te >>> @@ -213,3 +213,9 @@ unconfined_domain_noaudit(unconfined_execmem_t) >>> optional_policy(` >>> unconfined_dbus_chat(unconfined_execmem_t) >>> ') >>> + >>> +ifdef(`direct_sysadm_daemon',` >>> + gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) >>> +',` >>> + gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) >>> +') >>> diff --git a/policy/users b/policy/users >>> index 5db8cf4..25402af 100644 >>> --- a/policy/users >>> +++ b/policy/users 
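Review bot: Declaring unconfined_u with gen_user() at the end of policy/modules/system/unconfined.te (the added `ifdef(`direct_sysadm_daemon',` block after the last `optional_policy(` stanza) is only safe where each module is compiled and linked separately; as Chris PeBenito's reply in this thread points out, in the monolithic build the user line then lands in the type-enforcement portion of policy.conf instead of where checkpolicy expects user statements, and nothing in this hunk or the build system relocates it. Suggest either making the move depend on build-system support for moving user lines into place, or at least adding a comment above the block stating that constraint so the next reader knows why it may break a monolithic build. The intent itself is sound from a least-privilege standpoint: once the module owns the declaration, a policy built with the unconfined module disabled or removed no longer carries an unconfined_u identity that could be mapped to a login, and there is no user left referencing a role the policy does not define.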
>>> @@ -28,13 +28,6 @@ gen_user(user_u, user, user_r, s0, s0) >>> gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) >>> gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) >>> >>> -# Until order dependence is fixed for users: >>> -ifdef(`direct_sysadm_daemon',` >>> - gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) >>> -',` >>> - gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) >>> -') >>> - >>> # >>> # The following users correspond to Unix identities. >>> # These identities are typically assigned as the user attribute >> >> I believe this will break monolithic build, otherwise I would have done it a long time ago. It would take a little work to implement user line moving in the build system to get this into the right place in policy.conf that checkpolicy expects. >> >> Alternatively, if semodule_expand was enhanced to output all of the files in the expanded policy, we could simplify refpolicy by doing a monolithic build by doing a modular build and then linking/expanding it locally. Then we'd get around the more painful ordering requirements of checkpolicy. >> > > Ouch, I seem to not have tested that. I should follow my own advice. > Problem is monolithic builds take so long. At least with modular you can > cheat by skipping the assertion checking (although I should not do that > either) > > Do you think this error might be related to that? It could be, but a further inspection of the policy.conf would be required, since the error message by itself isn't very helpful. 
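Review bot: The deleted line `-# Until order dependence is fixed for users:` documented why the unconfined_u block was kept in policy/users, and this hunk removes it without the order dependence having been fixed anywhere in the patch; the checkpolicy failure quoted further down (`ERROR 'syntax error' at token 'typeattribute'` while parsing the expanded policy.conf) is consistent with a user statement now appearing before later type-enforcement statements, although, as noted in the thread, the generated policy.conf itself would have to be inspected to confirm that. Suggest keeping the block and its comment in policy/users until the build system can relocate user lines, or at minimum carrying the comment over to unconfined.te so the constraint is not lost; the surrounding context lines (`# The following users correspond to Unix identities.`) are otherwise unaffected.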
>> /usr/bin/checkpolicy -M -U allow policy.conf -o policy.29 >> /usr/bin/checkpolicy: loading policy configuration from policy.conf >> policy/modules/roles/unprivuser.te":13:ERROR 'syntax error' at token 'typeattribute' on line 2436000: >> typeattribute user_t domain; >> #line 13 >> checkpolicy: error(s) encountered while parsing configuration >> make: *** [policy.29] Error 1 >> > > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com