1268633 – Problem compiling custom module with antivirus_domain_template

Bug 1268633 - Problem compiling custom module with antivirus_domain_template

Summary: Problem compiling custom module with antivirus_domain_template

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	policycoreutils
Sub Component:
Version:	22
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Petr Lautrbach
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-10-04 00:16 UTC by Robin Powell
Modified:	2016-07-19 18:06 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-07-19 18:06:13 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Robin Powell 2015-10-04 00:16:42 UTC

The following custom module:

- ----------

policy_module(MYLOCAL_localtweaks,1.4.0)

#***************
# No idea what's causing all these ;haven't submitted bugs
#***************
require {
        type system_cronjob_t;
        type staff_screen_t;
}

#============= staff_screen_t ==============
# userdom_user_home_content_filetrans(staff_screen_t)

#============= system_cronjob_t ==============
antivirus_domain_template(system_cronjob_t)

- -----------

makes normally:

+ /usr/bin/make -f /usr/share/selinux/devel/Makefile
Compiling targeted MYLOCAL_localtweaks module
/usr/bin/checkmodule:  loading policy configuration from tmp/MYLOCAL_localtweaks.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/MYLOCAL_localtweaks.mod
Creating targeted MYLOCAL_localtweaks.pp policy package
rm tmp/MYLOCAL_localtweaks.mod tmp/MYLOCAL_localtweaks.mod.fc

but can't load:

+ /usr/sbin/semodule -i MYLOCAL_localtweaks.pp
libsepol.expand_terule_helper: conflicting TE rule for (system_cronjob_t, var_log_t:file):  old was antivirus_log_t, new is cron_log_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
/usr/sbin/semodule:  Failed!

I made this module because of the following AVCs:

type=USER_AVC msg=audit(1443906301.615:122467): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=16)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1443911633.802:123239): avc:  denied  { write } for  pid=18998 comm="clamav-notify-s" name="clamd.sock" dev="tmpfs" ino=18731 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:antivirus_var_run_t:s0 tclass=sock_file permissive=0

which I don't know what's causing them, *shrug*.

Comment 1 Robin Powell 2015-10-04 00:24:29 UTC

Sorry, problem *loading*; the compilation goes fine.

Comment 2 Robin Powell 2015-10-05 21:08:54 UTC

Sorry, I forgot the important bit: the rule that's breaking was generated by audit2allow

Comment 3 Fedora End Of Life 2016-07-19 18:06:13 UTC

Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.