Bug 951260

Summary: interface mozilla_role(xguest_r, xguest_t) fails when loading module containing it.
Product: Fedora
Component: selinux-policy
Version: 18
Status: CLOSED ERRATA
Reporter: Rumen B. <rumen>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, mgrepl, rumen
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Last Closed: 2013-04-18 02:52:18 UTC

Description Rumen B. 2013-04-11 20:58:34 UTC
Description of problem:
In case one wants to allow only Firefox to access the internet with xguest, there is no way to do so. The current solution is:

# setsebool -P xguest_connect_network 0

Create a file that looks like

# cat myxguest.te
policy_module(myxguest,1.0)
gen_require(`
type xguest_t;
role xguest_r;
')
mozilla_role(xguest_r, xguest_t)

# make -f /usr/share/selinux/devel/Makefile myxguest.pp
# semodule -i myxguest.pp

but it fails like:

libsepol.expand_terule_helper: conflicting TE rule for (mozilla_t, tmp_t:dir):  old was mozilla_tmp_t, new is user_tmp_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!


Any idea what might be wrong? A quick and dirty solution will do for me as long as it works...

Thanks!
Rumen

Comment 1 Rumen B. 2013-04-12 12:09:21 UTC
Fedora 19 rc2 is also affected.

[root@localhost rumen]# cat myxguest.te 
policy_module(myxguest,1.0)
gen_require(`
    type xguest_t;
    role xguest_r;
')
mozilla_role(xguest_r, xguest_t)

[root@localhost rumen]# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted myxguest module
/usr/bin/checkmodule:  loading policy configuration from tmp/myxguest.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/myxguest.mod
Creating targeted myxguest.pp policy package
rm tmp/myxguest.mod tmp/myxguest.mod.fc

[root@localhost rumen]# semodule -i myxguest.pp
libsepol.expand_terule_helper: conflicting TE rule for (mozilla_t, tmp_t:dir):  old was mozilla_tmp_t, new is user_tmp_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

[root@localhost rumen]# cat /etc/redhat-release 
Fedora release 19 (Schrödinger’s Cat)

Comment 2 Rumen B. 2013-04-12 21:45:36 UTC
One clue:
commenting out these lines in mozilla.te:

109:
#files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })

379:
#fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
#userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })


makes it possible for the module myxguest.pp to load.

Comment 3 Miroslav Grepl 2013-04-15 06:10:34 UTC
Rumen,
yes, we need to comment out

files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })

Comment 4 Fedora Update System 2013-04-15 11:12:19 UTC
selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-90.fc18

Comment 5 Fedora Update System 2013-04-16 00:07:45 UTC
Package selinux-policy-3.11.1-90.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5742/selinux-policy-3.11.1-90.fc18
then log in and leave karma (feedback).

Comment 6 Rumen B. 2013-04-16 22:04:39 UTC
No, it is not fixed.
Now it is different.

[rumen@localhost ~]$ make -f /usr/share/selinux/devel/Makefile 
Compiling targeted myxgyest module
/usr/bin/checkmodule:  loading policy configuration from tmp/myxgyest.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 15) to tmp/myxgyest.mod
Creating targeted myxgyest.pp policy package
rm tmp/myxgyest.mod.fc tmp/myxgyest.mod
[rumen@localhost ~]$ sudo semodule -i myxgyest.pp
[sudo] password for rumen: 
libsepol.expand_terule_helper: conflicting TE rule for (mozilla_plugin_t, tmpfs_t:fifo_file):  old was mozilla_plugin_tmpfs_t, new is user_tmpfs_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!
[rumen@localhost ~]$ 


The 3 lines I mentioned above must be commented out or fixed in order to be able to load a module containing the interface mozilla_role().
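
The two libsepol conflict lines quoted in the description and in Comment 6 each name one default type transition that is already in the loaded policy and one that the new module brings in. The script below is an added example, not part of this bug report or of selinux-policy: it parses such a line into the two colliding type_transition rules and prints the sesearch (setools) query that locates the existing rule; the sample lines are copies of the ones quoted above.

```shell
#!/bin/sh
# Added example: decode a libsepol "conflicting TE rule" line printed by
# `semodule -i` into the two type_transition rules that collide.

# parse_conflict LINE
# Prints "source target class old_type new_type" for a
# libsepol.expand_terule_helper conflict line, nothing for any other line.
parse_conflict() {
    printf '%s\n' "$1" | sed -n \
      's/^libsepol\.expand_terule_helper: conflicting TE rule for (\([A-Za-z0-9_]*\), *\([A-Za-z0-9_]*\):\([A-Za-z0-9_]*\)): *old was \([A-Za-z0-9_]*\), new is \([A-Za-z0-9_]*\).*$/\1 \2 \3 \4 \5/p'
}

# explain_conflict LINE
# Prints the rule already in the policy, the rule the new module wants, and
# the sesearch query that shows the existing rule (and its source module).
explain_conflict() {
    fields=$(parse_conflict "$1") || return 1
    [ -n "$fields" ] || { echo "not a libsepol TE conflict line: $1" >&2; return 1; }
    set -- $fields    # $1=source $2=target $3=class $4=old type $5=new type
    printf 'existing default transition:  type_transition %s %s:%s %s;\n' "$1" "$2" "$3" "$4"
    printf 'new module wants:             type_transition %s %s:%s %s;\n' "$1" "$2" "$3" "$5"
    printf 'locate the existing rule:     sesearch -T -s %s -t %s -c %s\n' "$1" "$2" "$3"
}

# Constructed sample input: the two semodule failures quoted in this bug.
SAMPLE1='libsepol.expand_terule_helper: conflicting TE rule for (mozilla_t, tmp_t:dir):  old was mozilla_tmp_t, new is user_tmp_t'
SAMPLE2='libsepol.expand_terule_helper: conflicting TE rule for (mozilla_plugin_t, tmpfs_t:fifo_file):  old was mozilla_plugin_tmpfs_t, new is user_tmpfs_t'

# On a real system feed semodule's output through the same function:
#   semodule -i myxguest.pp 2>&1 | while read -r line; do explain_conflict "$line"; done
for line in "$SAMPLE1" "$SAMPLE2"; do
    explain_conflict "$line"
    echo
done
```

The second rule of each pair is the one the module's own .te (or an interface it calls, here mozilla_role) adds; the first is the one that has to be removed or made identical for the module to load.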

Comment 7 Miroslav Grepl 2013-04-17 12:19:17 UTC
I am looking at this again.

Comment 8 Fedora Update System 2013-04-18 02:52:19 UTC
selinux-policy-3.11.1-90.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.