Bug 966920

Summary: sepolicy generate: Setup script of --cgi policy uses wrong spec file
Product: Red Hat Enterprise Linux 7
Reporter: Michal Trunecka <mtruneck>
Component: policycoreutils
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Michal Trunecka <mtruneck>
Severity: medium
Priority: unspecified
Version: 7.0
CC: ebenes, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-06-13 12:26:48 UTC
Type: Bug
Bug Blocks: 917049

Description Michal Trunecka 2013-05-24 09:18:17 UTC
Description of problem:

sepolicy generate --cgi ... generates the following files:

# sepolicy generate -p mypolicy  --cgi /usr/bin/testpolicy 
Loaded plugins: product-id
Created the following files:
mypolicy/testpolicy.te # Type Enforcement file
mypolicy/testpolicy.if # Interface file
mypolicy/testpolicy.fc # File Contexts file
mypolicy/testpolicy_selinux.spec # Spec file
mypolicy/testpolicy.sh # Setup Script

But the testpolicy.sh script contains a call to rpmbuild, which uses a different spec file:

rpmbuild ... -ba httpd_testpolicy_script_selinux.spec

which then fails with error:

error: failed to stat /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/httpd_testpolicy_script_selinux.spec: No such file or directory


Version-Release number of selected component (if applicable):
policycoreutils-2.1.14-45.el7.x86_64
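
A regression check for the mismatch described above, as an added example that is not part of the original report or of policycoreutils: it confirms that every spec file a generated setup script passes to `rpmbuild -ba` exists in the output directory. The function names and the constructed sample directories are assumptions; the file names are the ones quoted in this report.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, sample directories are constructed.

# Print the spec file named after "-ba" on each rpmbuild line of a setup script.
spec_refs() {
    awk '/rpmbuild/ { for (i = 1; i < NF; i++) if ($i == "-ba") print $(i + 1) }' "$1"
}

# Return 0 only if every spec file referenced by a setup script in $1 exists there.
check_setup_spec() {
    dir=$1; rc=0
    for script in "$dir"/*.sh; do
        [ -f "$script" ] || continue
        for spec in $(spec_refs "$script"); do
            if [ ! -f "$dir/$spec" ]; then
                echo "MISSING: $script references $spec" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample: the file set listed by 'sepolicy generate --cgi',
# with a setup script that calls rpmbuild on the spec name given in $2.
make_sample() {
    mkdir -p "$1"
    : > "$1/testpolicy.te"; : > "$1/testpolicy.if"; : > "$1/testpolicy.fc"
    : > "$1/testpolicy_selinux.spec"
    printf 'rpmbuild --define "_specdir $(pwd)" -ba %s\n' "$2" > "$1/testpolicy.sh"
}

# Run the check against the reported (buggy) layout and the corrected one.
demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp/buggy" httpd_testpolicy_script_selinux.spec
    make_sample "$tmp/fixed" testpolicy_selinux.spec
    check_setup_spec "$tmp/buggy" 2>/dev/null && buggy=ok || buggy=broken
    check_setup_spec "$tmp/fixed" && fixed=ok || fixed=broken
    rm -rf "$tmp"
    echo "buggy=$buggy fixed=$fixed"
}
demo
```

Pointing `check_setup_spec` at a real `sepolicy generate -p` output directory catches the mismatch without running rpmbuild.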

Comment 2 Daniel Walsh 2013-05-26 11:05:19 UTC
Fixed in policycoreutils-2.1.14-46.el7

Comment 3 Michal Trunecka 2013-05-27 08:28:08 UTC
VERIFIED using an automated regression test:


:: [   PASS   ] :: Running 'sleep 1'
Loaded plugins: product-id
Created the following files:
mypolicy/testpolicy.te # Type Enforcement file
mypolicy/testpolicy.if # Interface file
mypolicy/testpolicy.fc # File Contexts file
mypolicy/testpolicy_selinux.spec # Spec file
mypolicy/testpolicy.sh # Setup Script

:: [   PASS   ] :: Running 'sepolicy generate -p mypolicy  --cgi /usr/bin/testpolicy '
policy_module(testpolicy, 1.0.0)

########################################
#
# Declarations
#

apache_content_template(testpolicy)

permissive httpd_testpolicy_script_t;

########################################
#
# httpd_testpolicy_script local policy
#


domain_use_interactive_fds(httpd_testpolicy_script_t)

files_read_etc_files(httpd_testpolicy_script_t)

miscfiles_read_localization(httpd_testpolicy_script_t)
:: [   PASS   ] :: Running 'cat mypolicy/testpolicy.te'

## <summary>policy for httpd_testpolicy_script</summary>

########################################
## <summary>
##	Execute TEMPLATE in the httpd_testpolicy_script domin.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`httpd_testpolicy_script_domtrans',`
	gen_require(`
		type httpd_testpolicy_script_t, httpd_testpolicy_script_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, httpd_testpolicy_script_exec_t, httpd_testpolicy_script_t)
')
:: [   PASS   ] :: Running 'cat mypolicy/testpolicy.if'
/usr/bin/testpolicy		--	gen_context(system_u:object_r:httpd_testpolicy_script_exec_t,s0)
:: [   PASS   ] :: Running 'cat mypolicy/testpolicy.fc'
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile testpolicy.pp
make[1]: Entering directory `/root/policycoreutils/Sanity/sepolicy-generate/mypolicy'
Compiling targeted testpolicy module
/usr/bin/checkmodule:  loading policy configuration from tmp/testpolicy.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/testpolicy.mod
Creating targeted testpolicy.pp policy package
rm tmp/testpolicy.mod tmp/testpolicy.mod.fc
make[1]: Leaving directory `/root/policycoreutils/Sanity/sepolicy-generate/mypolicy'
+ /usr/sbin/semodule -i testpolicy.pp
+ sepolicy manpage -p . -d httpd_testpolicy_script_t
./httpd_testpolicy_script_selinux.8
+ /sbin/restorecon -F -R -v /usr/bin/testpolicy
/sbin/restorecon reset /usr/bin/testpolicy context system_u:object_r:unlabeled_t:s0->system_u:object_r:httpd_testpolicy_script_exec_t:s0
++ pwd
+ pwd=/root/policycoreutils/Sanity/sepolicy-generate/mypolicy
+ rpmbuild --define '_sourcedir /root/policycoreutils/Sanity/sepolicy-generate/mypolicy' --define '_specdir /root/policycoreutils/Sanity/sepolicy-generate/mypolicy' --define '_builddir /root/policycoreutils/Sanity/sepolicy-generate/mypolicy' --define '_srcrpmdir /root/policycoreutils/Sanity/sepolicy-generate/mypolicy' --define '_rpmdir /root/policycoreutils/Sanity/sepolicy-generate/mypolicy' --define '_buildrootdir /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build' -ba testpolicy_selinux.spec
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.gyp0v3
+ umask 022
+ cd /root/policycoreutils/Sanity/sepolicy-generate/mypolicy
+ install -d /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64/usr/share/selinux/packages
+ install -m 644 /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/testpolicy.pp /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64/usr/share/selinux/packages
+ install -d /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64/usr/share/selinux/devel/include/contrib
+ install -m 644 /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/testpolicy.if /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64/usr/share/selinux/devel/include/contrib/
+ install -d /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64/usr/share/man/man8/
+ install -m 644 /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/httpd_testpolicy_script_selinux.8 /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64/usr/share/man/man8/httpd_testpolicy_script_selinux.8
+ install -d /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64/etc/selinux/targeted/contexts/users/
+ /usr/lib/rpm/brp-compress
+ /usr/lib/rpm/brp-strip /usr/bin/strip
+ /usr/lib/rpm/brp-strip-static-archive /usr/bin/strip
+ /usr/lib/rpm/brp-strip-comment-note /usr/bin/strip /usr/bin/objdump
Processing files: testpolicy_selinux-1.0-1.el7.noarch
Provides: testpolicy_selinux = 1.0-1.el7
Requires(interp): /bin/sh /bin/sh
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires(post): /bin/sh selinux-policy-base >= 3.12.1-44
Requires(postun): /bin/sh
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64
Wrote: /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/testpolicy_selinux-1.0-1.el7.src.rpm
Wrote: /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/noarch/testpolicy_selinux-1.0-1.el7.noarch.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.wd54Ql
+ umask 022
+ cd /root/policycoreutils/Sanity/sepolicy-generate/mypolicy
+ /usr/bin/rm -rf /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64
+ exit 0
:: [   PASS   ] :: Running 'mypolicy/testpolicy.sh'
testpolicy	1.0.0	
:: [   PASS   ] :: Running 'semodule -l | grep  testpolicy'
/usr/sbin/semanage: SELinux user testpolicy_u is not defined
:: [   PASS   ] :: Running 'semanage user -d testpolicy_u'
:: [   PASS   ] :: Running 'semodule -r testpolicy'
:: [   PASS   ] :: Running 'rm -rf mypolicy/*'
:: [   PASS   ] :: Running 'sleep 1'
Loaded plugins: product-id
Created the following files:
mypolicy/testpolicy.te # Type Enforcement file
mypolicy/testpolicy.if # Interface file
mypolicy/testpolicy.fc # File Contexts file
mypolicy/testpolicy_selinux.spec # Spec file
mypolicy/testpolicy.sh # Setup Script

:: [   PASS   ] :: Running 'sepolicy generate -p mypolicy -w /home   --cgi /usr/bin/testpolicy '
policy_module(testpolicy, 1.0.0)

########################################
#
# Declarations
#

apache_content_template(testpolicy)

permissive httpd_testpolicy_script_t;

########################################
#
# httpd_testpolicy_script local policy
#


manage_dirs_pattern(httpd_testpolicy_script_t, httpd_testpolicy_script_rw_t, httpd_testpolicy_script_rw_t)
manage_files_pattern(httpd_testpolicy_script_t, httpd_testpolicy_script_rw_t, httpd_testpolicy_script_rw_t)
manage_lnk_files_pattern(httpd_testpolicy_script_t, httpd_testpolicy_script_rw_t, httpd_testpolicy_script_rw_t)

domain_use_interactive_fds(httpd_testpolicy_script_t)

files_read_etc_files(httpd_testpolicy_script_t)

miscfiles_read_localization(httpd_testpolicy_script_t)
:: [   PASS   ] :: Running 'cat mypolicy/testpolicy.te'

## <summary>policy for httpd_testpolicy_script</summary>

########################################
## <summary>
##	Execute TEMPLATE in the httpd_testpolicy_script domin.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`httpd_testpolicy_script_domtrans',`
	gen_require(`
		type httpd_testpolicy_script_t, httpd_testpolicy_script_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, httpd_testpolicy_script_exec_t, httpd_testpolicy_script_t)
')

########################################
## <summary>
##	Search httpd_testpolicy_script rw directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`httpd_testpolicy_script_search_rw_dir',`
	gen_require(`
		type httpd_testpolicy_script_rw_t;
	')

	allow $1 httpd_testpolicy_script_rw_t:dir search_dir_perms;
	files_search_rw($1)
')

########################################
## <summary>
##	Read httpd_testpolicy_script rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`httpd_testpolicy_script_read_rw_files',`
	gen_require(`
		type httpd_testpolicy_script_rw_t;
	')

	read_files_pattern($1, httpd_testpolicy_script_rw_t, httpd_testpolicy_script_rw_t)
	allow $1 httpd_testpolicy_script_rw_t:dir list_dir_perms;
	files_search_rw($1)
')

########################################
## <summary>
##	Manage httpd_testpolicy_script rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`httpd_testpolicy_script_manage_rw_files',`
	gen_require(`
		type httpd_testpolicy_script_rw_t;
	')

	manage_files_pattern($1, httpd_testpolicy_script_rw_t, httpd_testpolicy_script_rw_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	httpd_testpolicy_script rw dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`httpd_testpolicy_script_manage_rw_dirs',`
	gen_require(`
		type httpd_testpolicy_script_rw_t;
	')

	manage_dirs_pattern($1, httpd_testpolicy_script_rw_t, httpd_testpolicy_script_rw_t)
')


########################################
## <summary>
##	All of the rules required to administrate
##	an httpd_testpolicy_script environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`httpd_testpolicy_script_admin',`
	gen_require(`
		type httpd_testpolicy_script_t;
		type httpd_testpolicy_script_rw_t;
	')

	allow $1 httpd_testpolicy_script_t:process { ptrace signal_perms };
	ps_process_pattern($1, httpd_testpolicy_script_t)

	files_search_etc($1)
	admin_pattern($1, httpd_testpolicy_script_rw_t)
	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
')
:: [   PASS   ] :: Running 'cat mypolicy/testpolicy.if'

/home(/.*)?		gen_context(system_u:object_r:httpd_testpolicy_script_rw_t,s0)

/usr/bin/testpolicy		--	gen_context(system_u:object_r:httpd_testpolicy_script_exec_t,s0)
:: [   PASS   ] :: Running 'cat mypolicy/testpolicy.fc'
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile testpolicy.pp
make[1]: Entering directory `/root/policycoreutils/Sanity/sepolicy-generate/mypolicy'
Compiling targeted testpolicy module
/usr/bin/checkmodule:  loading policy configuration from tmp/testpolicy.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/testpolicy.mod
Creating targeted testpolicy.pp policy package
rm tmp/testpolicy.mod tmp/testpolicy.mod.fc
make[1]: Leaving directory `/root/policycoreutils/Sanity/sepolicy-generate/mypolicy'
+ /usr/sbin/semodule -i testpolicy.pp
+ sepolicy manpage -p . -d httpd_testpolicy_script_t
./httpd_testpolicy_script_selinux.8
+ /sbin/restorecon -F -R -v /usr/bin/testpolicy
+ /sbin/restorecon -F -R -v /home
++ pwd
+ pwd=/root/policycoreutils/Sanity/sepolicy-generate/mypolicy
+ rpmbuild --define '_sourcedir /root/policycoreutils/Sanity/sepolicy-generate/mypolicy' --define '_specdir /root/policycoreutils/Sanity/sepolicy-generate/mypolicy' --define '_builddir /root/policycoreutils/Sanity/sepolicy-generate/mypolicy' --define '_srcrpmdir /root/policycoreutils/Sanity/sepolicy-generate/mypolicy' --define '_rpmdir /root/policycoreutils/Sanity/sepolicy-generate/mypolicy' --define '_buildrootdir /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build' -ba testpolicy_selinux.spec
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.9ev7ry
+ umask 022
+ cd /root/policycoreutils/Sanity/sepolicy-generate/mypolicy
+ install -d /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64/usr/share/selinux/packages
+ install -m 644 /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/testpolicy.pp /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64/usr/share/selinux/packages
+ install -d /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64/usr/share/selinux/devel/include/contrib
+ install -m 644 /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/testpolicy.if /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64/usr/share/selinux/devel/include/contrib/
+ install -d /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64/usr/share/man/man8/
+ install -m 644 /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/httpd_testpolicy_script_selinux.8 /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64/usr/share/man/man8/httpd_testpolicy_script_selinux.8
+ install -d /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64/etc/selinux/targeted/contexts/users/
+ /usr/lib/rpm/brp-compress
+ /usr/lib/rpm/brp-strip /usr/bin/strip
+ /usr/lib/rpm/brp-strip-static-archive /usr/bin/strip
+ /usr/lib/rpm/brp-strip-comment-note /usr/bin/strip /usr/bin/objdump
Processing files: testpolicy_selinux-1.0-1.el7.noarch
Provides: testpolicy_selinux = 1.0-1.el7
Requires(interp): /bin/sh /bin/sh
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires(post): /bin/sh selinux-policy-base >= 3.12.1-44
Requires(postun): /bin/sh
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64
Wrote: /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/testpolicy_selinux-1.0-1.el7.src.rpm
Wrote: /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/noarch/testpolicy_selinux-1.0-1.el7.noarch.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.H5foG0
+ umask 022
+ cd /root/policycoreutils/Sanity/sepolicy-generate/mypolicy
+ /usr/bin/rm -rf /root/policycoreutils/Sanity/sepolicy-generate/mypolicy/.build/testpolicy_selinux-1.0-1.el7.x86_64
+ exit 0
:: [   PASS   ] :: Running 'mypolicy/testpolicy.sh'
testpolicy	1.0.0	
:: [   PASS   ] :: Running 'semodule -l | grep  testpolicy'
/usr/sbin/semanage: SELinux user testpolicy_u is not defined
:: [   PASS   ] :: Running 'semanage user -d testpolicy_u'
:: [   PASS   ] :: Running 'semodule -r testpolicy'
:: [   PASS   ] :: Running 'rm -rf mypolicy/*'
:: [   PASS   ] :: Running 'sleep 1'

Comment 4 Ludek Smid 2014-06-13 12:26:48 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.