From: walid.fakim@cgi.com (Fakim, Walid)
Date: Thu, 28 Jul 2016 14:28:52 +0000
Subject: [refpolicy] Compile Error when using the userdom_login_user_template() macro...
In-Reply-To: <7824ccd2-6889-26d2-035a-dc42b4c3b5a6@gmail.com>
References: <53E0DE5B854BBC4EA982E3197A0C96D24B111CB0@SE-EX021.groupinfra.com>
 <93b453d1-0c9a-ab52-0eb6-b3f191188354@gmail.com>
 <53E0DE5B854BBC4EA982E3197A0C96D24B111E05@SE-EX021.groupinfra.com>
 <67130EC7AFA3FE4E9290B03665B351F4017CD6@SE-EX021.groupinfra.com>
 <7824ccd2-6889-26d2-035a-dc42b4c3b5a6@gmail.com>
Message-ID: <67130EC7AFA3FE4E9290B03665B351F4017E26@SE-EX021.groupinfra.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Dominick,

Thanks for your response. I've moved on to trying to load the upstream reference policy on my VM (running CentOS 6.8) - I'm getting the following error:

====
[staff at blue policy]$ sudo make load
Compliling tresys-test-refpolicy abrt.mod module
m4 -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -s support/divert.m4 policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/loadable_module.spt policy/support/misc_macros.spt policy/support/misc_patterns.spt policy/support/mls_mcs_macros.spt policy/support/obj_perm_sets.spt support/undivert.m4 tmp/generated_definitions.conf tmp/all_interfaces.conf policy/modules/contrib/abrt.te > tmp/abrt.tmp
/usr/bin/checkmodule -m tmp/abrt.tmp -o tmp/abrt.mod
/usr/bin/checkmodule: loading policy configuration from tmp/abrt.tmp
policy/modules/contrib/abrt.te":37:ERROR 'syntax error' at token 'attribute_role' on line 509:
====

Is this a compatibility issue between the latest reference policy and CentOS 6.8 or am I missing something?

Thanks & Regards,
Walid

-----Original Message-----
From: refpolicy-bounces@oss.tresys.com [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Dominick Grift
Sent: 28 July 2016 12:53
To: refpolicy at oss.tresys.com
Subject: Re: [refpolicy] Compile Error when using the userdom_login_user_template() macro...

On 07/28/2016 01:30 PM, Fakim, Walid wrote:
> Hi Dominick,
>
> I am working with Jack on this issue. So we tried your code snippet and that worked. We do have the reference policy downloaded - how do we confirm that we are indeed using it?
>
> Going back to Jack's comment regarding the userdom_unpriv_user_template() macro :
>
> I've switched the order of the code round from :
>
> ==== Old Code ====
> role cos_r;
> gen_user(cos_u, dsp_user, cos_r, s0, s0 - mls_systemhigh, mcs_allcats)
>
> userdom_unpriv_user_template(cos)
> ================
>
> To
>
> ====New Code====
> userdom_unpriv_user_template(cos)
>
> role cos_r;
> gen_user(cos_u, dsp_user, cos_r, s0, s0 - mls_systemhigh, mcs_allcats)
> ================
>
> And now the code has compiled with no errors. Is there anything we need to be careful of that the 2 macros are doing that could be interfering with each other?
>

Exactly. The gen_user() call has to be the last line in the policy module, or else it won't work and you will get that very unhelpful error.

As for IRC: I am not sure what channel you've tried but we're on #selinux at irc.freenode.org

> Thanks & Regards,
> Walid
>
> -----Original Message-----
> From: Borg-Cardona, Jack
> Sent: 28 July 2016 11:06
> To: Fakim, Walid
> Subject: FW: [refpolicy] Compile Error when using the userdom_login_user_template() macro...
>
>
>
> -----Original Message-----
> From: refpolicy-bounces at oss.tresys.com
> [mailto:refpolicy-bounces at oss.tresys.com] On Behalf Of Dominick Grift
> Sent: 28 July 2016 10:44
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] Compile Error when using the userdom_login_user_template() macro...
>
> On 07/28/2016 11:02 AM, Borg-Cardona, Jack wrote:
>> Morning,
>>
>> I've been working on my first custom policies recently and have begun the compile process and am working through the various syntax errors I have made. I have come across one error that I can't decipher, and does not seem to reference the syntax in my own policy but rather the syntax in the tmp/cosapp.tmp folder that is created at compile time.
>>
>
> Hi, Is this refpolicy or some fork (redhat maybe?) If this is a redhat
> fork then you might want to ask on the fedora-selinux maillist or
> #fedora-selinux or irc.freenode.org for better results
>
> Regardless, I would probably start by narrowing this down.
>
> cat >>mytest.te <<EOF
> policy_module(mytest,1.0.0)
> userdom_login_user_template(cos)
> EOF
> make -f /usr/share/selinux/devel/Makefile mytest.pp
>
> Do you see the same error message?
>
>
>> From my policy (.te) the offending line is:
>> userdom_login_user_template(cos)
>>
>> The error message is:
>> cosapp.te":61:ERROR 'syntax error' at token 'require' on line 4050:
>> require {
>> #line 61
>> /usr/bin/checkmodule: error(s) encountered while parsing
>> configuration
>> make: *** [tmp/cosapp.mod] Error 1
>>
>> Looking at the cosapp.tmp file more closely I went to line 4050
>> #line 61
>> require {
>> #line 61
>>
>> #line 61
>> class context contains;
>> #line 61
>> attribute login_userdomain;
>> #line 61
>>
>> #line 61
>> } # end require
>> As this is not my syntax I am a bit puzzled as to what is actually wrong?
>> A couple of thoughts that I had are:
>> The macro userdom_login_user_template(cos) references a new custom user 'cos_u' I have not yet added the user file_contexts file to /etc/selinux/targeted/contexts/users so could this be causing the error? If so I am surprised that the gen_user() statement the line before works.
>> Are there any dependencies I need to consider for this template to work, that I may not have thought about?
>>
>> Then finally I jumped on the IRC channel yesterday no one was around, what time do people tend to be on it?
>>
>> Thanks for the help
>> Jack
>>
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>
>
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
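
Added example, not part of the original thread and not refpolicy code: a shell check for the ordering rule given in the reply above (gen_user() has to come last in the policy module), so the problem is reported before checkmodule emits its generic syntax error. The names check_gen_user_last and write_samples and the module version are assumptions; the two sample .te files are constructed from the Old Code / New Code snippets quoted in the thread.

```shell
#!/bin/sh
# Added example: flag policy statements that follow a gen_user() call in a .te file.
# check_gen_user_last and write_samples are hypothetical names, not refpolicy tools.

check_gen_user_last() {
    # Exit 0 if only comments, blank lines or further gen_user() calls follow the
    # first gen_user(); otherwise print each later statement and exit 1.
    awk '
        function parens(s) { return gsub(/\(/, "(", s) - gsub(/\)/, ")", s) }
        {
            line = $0
            sub(/#.*/, "", line)                 # drop comments
            gsub(/^[ \t]+|[ \t]+$/, "", line)    # trim whitespace
            if (line == "") next
            if (depth > 0) { depth += parens(line); next }   # inside a multi-line gen_user()
            if (line ~ /^gen_user[ \t]*\(/) { seen = NR; depth = parens(line); next }
            if (seen) {
                printf "%s:%d: statement after gen_user() on line %d: %s\n", FILENAME, NR, seen, line
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

write_samples() {
    # Constructed samples: the thread's failing and working statement orders.
    cat > "$1/old.te" <<'EOF'
policy_module(cosapp, 1.0.0)
role cos_r;
gen_user(cos_u, dsp_user, cos_r, s0, s0 - mls_systemhigh, mcs_allcats)

userdom_unpriv_user_template(cos)
EOF
    cat > "$1/new.te" <<'EOF'
policy_module(cosapp, 1.0.0)
userdom_unpriv_user_template(cos)

role cos_r;
gen_user(cos_u, dsp_user, cos_r, s0, s0 - mls_systemhigh, mcs_allcats)
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
check_gen_user_last "$dir/old.te" || echo "old.te: move gen_user() to the end"
check_gen_user_last "$dir/new.te" && echo "new.te: ok"
rm -rf "$dir"
```
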