Bug 1268633 - Problem compiling custom module with antivirus_domain_template
Problem compiling custom module with antivirus_domain_template
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: policycoreutils (Show other bugs)
22
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Petr Lautrbach
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-03 20:16 EDT by Robin Powell
Modified: 2016-07-19 14:06 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-19 14:06:13 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Robin Powell 2015-10-03 20:16:42 EDT
The following custom module:

- ----------

policy_module(MYLOCAL_localtweaks,1.4.0)

#***************
# No idea what's causing all these ;haven't submitted bugs
#***************
require {
        type system_cronjob_t;
        type staff_screen_t;
}

#============= staff_screen_t ==============
# userdom_user_home_content_filetrans(staff_screen_t)

#============= system_cronjob_t ==============
antivirus_domain_template(system_cronjob_t)

- -----------

makes normally:

+ /usr/bin/make -f /usr/share/selinux/devel/Makefile
Compiling targeted MYLOCAL_localtweaks module
/usr/bin/checkmodule:  loading policy configuration from tmp/MYLOCAL_localtweaks.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/MYLOCAL_localtweaks.mod
Creating targeted MYLOCAL_localtweaks.pp policy package
rm tmp/MYLOCAL_localtweaks.mod tmp/MYLOCAL_localtweaks.mod.fc

but can't load:

+ /usr/sbin/semodule -i MYLOCAL_localtweaks.pp
libsepol.expand_terule_helper: conflicting TE rule for (system_cronjob_t, var_log_t:file):  old was antivirus_log_t, new is cron_log_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
/usr/sbin/semodule:  Failed!

I made this module because of the following AVCs:

type=USER_AVC msg=audit(1443906301.615:122467): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=16)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1443911633.802:123239): avc:  denied  { write } for  pid=18998 comm="clamav-notify-s" name="clamd.sock" dev="tmpfs" ino=18731 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:antivirus_var_run_t:s0 tclass=sock_file permissive=0

which I don't know what's causing them, *shrug*.
Comment 1 Robin Powell 2015-10-03 20:24:29 EDT
Sorry, problem *loading*; the compilation goes fine.
Comment 2 Robin Powell 2015-10-05 17:08:54 EDT
Sorry, I forgot the important bit: the rule that's breaking was generated by audit2allow
Comment 3 Fedora End Of Life 2016-07-19 14:06:13 EDT
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.