Bug 722896

Summary:	interface body is not consistent with interface header
Product:	Red Hat Enterprise Linux 6	Reporter:	Milos Malik <mmalik>
Component:	selinux-policy	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED ERRATA	QA Contact:	Michal Trunecka <mtruneck>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	6.1	CC:	dwalsh, ebenes, mtruneck
Target Milestone:	rc
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	selinux-policy-3.7.19-146.el6	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2012-06-20 12:24:33 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Milos Malik 2011-07-18 12:28:02 UTC

Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-minimum-3.7.19-93.el6_1.2.noarch
selinux-policy-doc-3.7.19-93.el6_1.2.noarch
selinux-policy-3.7.19-93.el6_1.2.noarch
selinux-policy-targeted-3.7.19-93.el6_1.2.noarch
selinux-policy-mls-3.7.19-93.el6_1.2.noarch

How reproducible:
always

Steps to Reproduce:
1. look into following file:
/usr/share/selinux/devel/include/services/cups.if
2. search for the definition of following interface:
cups_backend
3. compare the number of parameters described in the header and used in the body
########################################
## <summary>
##      Setup cups to transtion to the cups backend domain
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`cups_backend',`
        gen_require(`
                type cupsd_t;
        ')

        domain_type($1)
        domain_entry_file($1, $2)
        role system_r types $1;

        domtrans_pattern(cupsd_t, $2, $1)
        allow cupsd_t $1:process signal;
        allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;

        cups_read_config($1)
        cups_append_log($1)
')
  
Actual results:
* the number of parameters described in the header is not equal to the number of parameters used in the body 

Expected results:
* the number of parameters described in the header is equal to the number of parameters used in the body

Comment 1 Milos Malik 2011-07-18 12:42:00 UTC

/usr/share/selinux/devel/include/services/virt.if

#######################################
## <summary>
##  Execute a domain transition to run virt.
## </summary>
## <param name="domain">
## <summary>
##  Domain allowed to transition.
## </summary>
## </param>
#
interface(`virt_run',`
    gen_require(`
        type virtd_t;
                type qemu_t;
    ')

    virt_domtrans($1)

    role $2 types virtd_t;
        role $2 types qemu_t;

')

Comment 2 Miroslav Grepl 2011-07-19 06:12:25 UTC

I will backport fixes from Fedora.

Comment 3 Milos Malik 2011-07-19 12:57:56 UTC

/usr/share/selinux/devel/include/admin/accountsd.if

########################################
## <summary>
##      All of the rules required to administrate 
##      an accountsd environment
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      Role allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`accountsd_admin',`
        gen_require(`
                type accountsd_t;
        ')
        allow $1 accountsd_t:process { ptrace signal_perms getattr };
        read_files_pattern($1, accountsd_t, accountsd_t)

        accountsd_manage_var_lib($1)
')

Comment 4 Milos Malik 2011-07-19 13:07:53 UTC

/usr/share/selinux/devel/include/services/devicekit.if

########################################
## <summary>
##      All of the rules required to administrate 
##      an devicekit environment
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      The role to be allowed to manage the devicekit domain.
##      </summary>
## </param>
## <param name="terminal">
##      <summary>
##      The type of the user terminal.
##      </summary>
## </param>
## <rolecap/>
#
interface(`devicekit_admin',`
        gen_require(`
                type devicekit_t, devicekit_disk_t, devicekit_power_t;
                type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
        ')

        allow $1 devicekit_t:process { ptrace signal_perms };
        ps_process_pattern($1, devicekit_t)

        allow $1 devicekit_disk_t:process { ptrace signal_perms };
        ps_process_pattern($1, devicekit_disk_t)

        allow $1 devicekit_power_t:process { ptrace signal_perms };
        ps_process_pattern($1, devicekit_power_t)

        admin_pattern($1, devicekit_tmp_t)
        files_search_tmp($1)

        admin_pattern($1, devicekit_var_lib_t)
        files_search_var_lib($1)

        admin_pattern($1, devicekit_var_run_t)
        files_search_pids($1)
')

Comment 5 Milos Malik 2011-07-19 13:08:55 UTC

########################################
## <summary>
##      rw any files inherited from another process
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`files_rw_all_inherited_files',`
        gen_require(`
                attribute file_type;
        ')

        allow $1 { file_type $2 }:file rw_inherited_file_perms;
        allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
        allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
        allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
')

Comment 6 Milos Malik 2011-07-19 13:18:43 UTC

#######################################
## <summary>
##      The per role template for the openoffice module.
## </summary>
## <param name="user_role">
##      <summary>
##      The role associated with the user domain.
##      </summary>
## </param>
## <param name="user_domain">
##      <summary>
##      The type of the user domain.
##      </summary>
## </param>
#
interface(`openoffice_plugin_role',`
        gen_require(`
                type openoffice_exec_t;
                type openoffice_t;
        ')
        
        ########################################
        #
        # Local policy
        #

        domtrans_pattern($1, openoffice_exec_t, openoffice_t)
        allow $1 openoffice_t:process { signal sigkill };
')

Comment 7 Milos Malik 2011-07-19 13:20:04 UTC

########################################
## <summary>
##      All of the rules required to administrate 
##      an plymouthd environment
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      Role allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`plymouthd_admin', `
        gen_require(`
                type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
                type plymouthd_var_run_t;
        ')

        allow $1 plymouthd_t:process { ptrace signal_perms };
        ps_process_pattern($1, plymouthd_t)

        files_search_var_lib($1)
        admin_pattern($1, plymouthd_spool_t)

        admin_pattern($1, plymouthd_var_lib_t)

        files_search_pids($1)
        admin_pattern($1, plymouthd_var_run_t)  

')

Comment 8 Milos Malik 2011-07-19 13:26:14 UTC

########################################
## <summary>
##      All of the rules required to administrate 
##      an setroubleshoot environment
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      The role to be allowed to manage the setroubleshoot domain.
##      </summary>
## </param>
## <rolecap/>
#
interface(`setroubleshoot_admin',`
        gen_require(`
                type setroubleshootd_t, setroubleshoot_var_log_t;
                type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
        ')

        allow $1 setroubleshootd_t:process { ptrace signal_perms };
        ps_process_pattern($1, setroubleshootd_t)
                
        logging_list_logs($1)
        admin_pattern($1, setroubleshoot_var_log_t)

        files_list_var_lib($1)
        admin_pattern($1, setroubleshoot_var_lib_t)

        files_list_pids($1)
        admin_pattern($1, setroubleshoot_var_run_t)
')

Comment 9 Milos Malik 2011-07-19 14:05:50 UTC

#######################################
## <summary>
##      Role access for nsplugin
## </summary>
## <param name="userdomain_prefix">
##      <summary>
##      The prefix of the user domain (e.g., user
##      is the prefix for user_t).
##      </summary>
## </param>
## <param name="user_role">
##      <summary>
##      The role associated with the user domain.
##      </summary>
## </param>
## <param name="user_domain">
##      <summary>
##      The type of the user domain.
##      </summary>
## </param>
#
interface(`nsplugin_role',`
        gen_require(`
                type nsplugin_exec_t;
                type nsplugin_config_exec_t;
                type nsplugin_t;
                type nsplugin_config_t;
        ')

        nsplugin_role_notrans($1, $2)

        domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
        domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)

')

Comment 10 Milos Malik 2011-07-19 14:12:26 UTC

* samba_admin() describes 2 parameters in the header but uses 3 parameters in the body
* seutil_role_allow_setfiles() describes 2 parameters in the header but uses only 1 parameter in the body

Comment 13 Miroslav Grepl 2011-08-10 16:17:43 UTC

Fixed in selinux-policy-3.7.19-107.el6

Comment 34 errata-xmlrpc 2012-06-20 12:24:33 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html