Bug 528655
| Summary: | policygentool does not react on user inputs | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE <qe-baseos-auto> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 5.4 | CC: | colin.coe |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-10-15 18:36:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Milos Malik
2009-10-13 08:36:06 UTC
# diff /usr/share/selinux/devel/policygentool /usr/share/selinux/devel/policygentool.orig
75,76c75,76
< if input > "0" and input < "5":
< type = int(input)
---
> if input > "0" and input < 5:
> type = int(type)
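Review bot: on the patched line 75, `input > "0" and input < "5"` is a lexicographic string comparison, so it accepts any string that sorts between "0" and "5", for example "10" or "4abc"; `int(input)` on line 76 then yields a type outside the four menu options or raises ValueError. Convert the input to an integer first, catch ValueError, and range-check the integer against 1 to 4 before assigning it. Two smaller points: the diff arguments are reversed, so the patched lines appear on the `<` side, and the names `input` and `type` shadow Python builtins.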
This fix works for me.
Even if the fix from comment #1 is present, policygentool prints a traceback:

    # /usr/share/selinux/devel/policygentool ls /bin/ls
    This tool generate three files for policy development, A Type Enforcement (te) file, a File Context (fc), and a Interface File(if). Most of the policy rules will be written in the te file. Use the File Context file to associate file paths with security context. Use the interface rules to allow other protected domains to interact with the newly defined domains.

    After generating these files use the /usr/share/selinux/devel/Makefile to compile your policy package. Then use the semodule tool to load it.

    # /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
    # make -f /usr/share/selinux/devel/Makefile
    # semodule -i myapp.pp
    # restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"

    Now you can turn on permissive mode, start your application and avc messages will be generated. You can use audit2allow to help translate the avc messages into policy.

    # setenforce 0
    # service myapp start
    # audit2allow -R -i /var/log/audit/audit.log

    Return to continue:

    What type of application are you trying to confine?
    1. Standard Init Daemon
    2. Internet Services Daemon (inetd)
    3 Web Application/Script (cgi)
    4 User Application
    4
    If the module uses pidfiles, what is the pidfile called?
    If the module uses logfiles, where are they stored?
    If the module has var/lib files, where are they stored?
    Does the module have a init script? [yN] n
    Does the module use the network? [yN] n
    Traceback (most recent call last):
      File "/usr/share/selinux/devel/policygentool", line 108, in ?
        gen_policy(
    NameError: name 'gen_policy' is not defined
    # echo $?
    1

Could you use /usr/share/system-config-selinux/polgengui.py? This is the preferred way and this tool is going away.

/usr/share/system-config-selinux/polgengui.py works fine. Thanks for the advice.

Since there is a better workaround, won't fix, and removed from the next release.

*** Bug 531982 has been marked as a duplicate of this bug. ***