Bug 607943
| Summary: | some .te files cannot be compiled because admin interfaces contain errors | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 6.0 | CC: | dwalsh, mgrepl |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-06-25 18:08:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
If you use "certmonger_admin(confined_admin_t,confined_admin_r)" instead of "boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you will see following error messages: # make -f /usr/share/selinux/devel/Makefile make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' Compiling targeted confined_admin module confined_admin.te":26:ERROR 'unknown type cermonger_var_lib_t' at token ';' on line 43538: allow confined_admin_t cermonger_var_lib_t:dir { open read getattr lock search ioctl add_name remove_name write }; #line 26 /usr/bin/checkmodule: error(s) encountered while parsing configuration /usr/bin/checkmodule: loading policy configuration from tmp/confined_admin.tmp make[1]: *** [tmp/confined_admin.mod] Error 1 make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' If you use "chronyd_admin(confined_admin_t,confined_admin_r)" instead of "boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you will see following error messages: # make -f /usr/share/selinux/devel/Makefile make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' Compiling targeted confined_admin module confined_admin.te":26:ERROR 'unknown type chronyd_tmp_t' at token ';' on line 44 048: allow confined_admin_t chronyd_tmp_t:dir { open read getattr lock search ioctl add_name remove_name write }; #line 26 /usr/bin/checkmodule: error(s) encountered while parsing configuration /usr/bin/checkmodule: loading policy configuration from tmp/confined_admin.tmp make[1]: *** [tmp/confined_admin.mod] Error 1 make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' If you use "cobblerd_admin(confined_admin_t,confined_admin_r)" instead of "boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you will see following error messages: # make -f /usr/share/selinux/devel/Makefile make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' Compiling targeted confined_admin module confined_admin.te":26:ERROR 'unknown type httpd_cobbler_content_rw_t' at token ';' on line 43724: allow confined_admin_t httpd_cobbler_content_rw_t:dir { open read getattr lock search ioctl add_name remove_name write }; #line 26 /usr/bin/checkmodule: error(s) encountered while parsing configuration /usr/bin/checkmodule: loading policy configuration from tmp/confined_admin.tmp make[1]: *** [tmp/confined_admin.mod] Error 1 make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' If you use "ksmtuned_admin(confined_admin_t,confined_admin_r)" instead of "boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you will see following error messages: # make -f /usr/share/selinux/devel/Makefile make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' Compiling targeted confined_admin module confined_admin.te":26:ERROR 'syntax error' at token ':' on line 43298: allow ksmtumed_t :dir { getattr search open read lock ioctl }; #line 26 /usr/bin/checkmodule: error(s) encountered while parsing configuration /usr/bin/checkmodule: loading policy configuration from tmp/confined_admin.tmp make[1]: *** [tmp/confined_admin.mod] Error 1 make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion. If you use "memcached_admin(confined_admin_t,confined_admin_r)" instead of "boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you will see following error messages: # make -f /usr/share/selinux/devel/Makefile make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' Compiling targeted confined_admin module confined_admin.te":26:ERROR 'unknown type memcached_var_run_t' at token ';' on line 43466: allow confined_admin_t memcached_var_run_t:dir { open read getattr lock search ioctl add_name remove_name write }; #line 26 /usr/bin/checkmodule: error(s) encountered while parsing configuration /usr/bin/checkmodule: loading policy configuration from tmp/confined_admin.tmp make[1]: *** [tmp/confined_admin.mod] Error 1 make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' If you use "psad_admin(confined_admin_t,confined_admin_r)" instead of "boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you will see following error messages: # make -f /usr/share/selinux/devel/Makefile make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' Compiling targeted confined_admin module confined_admin.te":26:ERROR 'unknown type psad_etc_t' at token ';' on line 43504: allow confined_admin_t psad_etc_t:dir { open read getattr lock search ioctl add_name remove_name write }; #line 26 /usr/bin/checkmodule: error(s) encountered while parsing configuration /usr/bin/checkmodule: loading policy configuration from tmp/confined_admin.tmp make[1]: *** [tmp/confined_admin.mod] Error 1 make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' If you use "rpcbind_admin(confined_admin_t,confined_admin_r)" instead of "boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you will see following error messages: # make -f /usr/share/selinux/devel/Makefile make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' Compiling targeted confined_admin module confined_admin.te":26:ERROR 'unknown type rbcbind_initrc_exec_t' at token ';' on line 43346: allow confined_admin_t rbcbind_initrc_exec_t:file { getattr open read execute }; #line 26 /usr/bin/checkmodule: error(s) encountered while parsing configuration /usr/bin/checkmodule: loading policy configuration from tmp/confined_admin.tmp make[1]: *** [tmp/confined_admin.mod] Error 1 make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' *** This bug has been marked as a duplicate of bug 426941 *** *** This bug has been marked as a duplicate of bug 607912 *** If you use "shorewall_admin(confined_admin_t,confined_admin_r)" instead of "boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you will see following error messages: # make -f /usr/share/selinux/devel/Makefile make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' Compiling targeted confined_admin module confined_admin.te":26:ERROR 'unknown type shorewall_etc_t' at token ';' on line 43450: allow confined_admin_t shorewall_etc_t:dir { open read getattr lock search ioctl add_name remove_name write }; #line 26 /usr/bin/checkmodule: error(s) encountered while parsing configuration /usr/bin/checkmodule: loading policy configuration from tmp/confined_admin.tmp make[1]: *** [tmp/confined_admin.mod] Error 1 make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' |
Description of problem: Version-Release number of selected component (if applicable): selinux-policy-targeted-3.7.19-27.el6.noarch selinux-policy-3.7.19-27.el6.noarch libsemanage-python-2.0.43-4.el6.i686 libsemanage-2.0.43-4.el6.i686 libsepol-2.0.41-3.el6.i686 How reproducible: always Steps to Reproduce: Using selinux-polgengui I generated following .te file (comments and blank lines removed): policy_module(confined_admin,1.0.0) userdom_admin_user_template(confined_admin) domain_use_interactive_fds(confined_admin_t) files_read_etc_files(confined_admin_t) miscfiles_read_localization(confined_admin_t) # echo "boinc_admin(confined_admin_t,confined_admin_r)" >> confined_admin.te # make -f /usr/share/selinux/devel/Makefile' make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' Compiling targeted confined_admin module confined_admin.te":26:ERROR 'unknown type myboinc_initrc_exec_t' at token ';' on line 43486: role_transition confined_admin_r myboinc_initrc_exec_t system_r; #line 26 /usr/bin/checkmodule: error(s) encountered while parsing configuration /usr/bin/checkmodule: loading policy configuration from tmp/confined_admin.tmp make[1]: *** [tmp/confined_admin.mod] Error 1 make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services' Actual results: .te -> .pp compilation failed Expected results: .te -> .pp compilation succeeded Additional info: I would like to test all admin interfaces found in /usr/share/selinux/devel/include/services/ in the same way.