Bug 1268635 - Can't build custom module with userdom_user_home_content_filetrans
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 22
Hardware: Unspecified, OS: Unspecified
Priority: low, Severity: low
Assigned To: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-10-03 20:19 EDT by Robin Powell
Modified: 2016-07-19 16:55 EDT
Doc Type: Bug Fix
Last Closed: 2016-07-19 16:55:17 EDT
Type: Bug
Description Robin Powell 2015-10-03 20:19:05 EDT
The following custom module:

----------

policy_module(MYLOCAL_localtweaks,1.4.0)

#***************
# No idea what's causing all these ;haven't submitted bugs
#***************
require {
        type system_cronjob_t;
        type staff_screen_t;
}

#============= staff_screen_t ==============
userdom_user_home_content_filetrans(staff_screen_t)

#============= system_cronjob_t ==============
# antivirus_domain_template(system_cronjob_t)

--------------

fails the make step like so:

+ /usr/bin/make -f /usr/share/selinux/devel/Makefile
Compiling targeted MYLOCAL_localtweaks module
/usr/bin/checkmodule:  loading policy configuration from tmp/MYLOCAL_localtweaks.tmp
MYLOCAL_localtweaks.te:12:ERROR 'syntax error' at token ';' on line 3234:
        type_transition staff_screen_t user_home_t:  ;
#line 12
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/share/selinux/devel/include/Makefile:154: recipe for target 'tmp/MYLOCAL_localtweaks.mod' failed
make: *** [tmp/MYLOCAL_localtweaks.mod] Error 1

I made it because of the following AVCs:

type=AVC msg=audit(1443859275.327:71208): avc:  denied  { read } for  pid=20255 comm="tmux" name="tpm" dev="vdd1" ino=320004 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1443859275.336:71211): avc:  denied  { read } for  pid=20262 comm="tmux" name="tpm" dev="vdd1" ino=320004 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0

Which I have no idea what's up with that.
Comment 1 Miroslav Grepl 2015-10-05 02:48:37 EDT
You need to call it with the following arguments

userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir}).

We have fixes for 


type=AVC msg=audit(1443859275.327:71208): avc:  denied  { read } for  pid=20255 comm="tmux" name="tpm" dev="vdd1" ino=320004 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1443859275.336:71211): avc:  denied  { read } for  pid=20262 comm="tmux" name="tpm" dev="vdd1" ino=320004 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0

in Rawhide. 

Just add allow rules for these AVCs using audit2allow for now.
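
An added example, not part of the bug thread and not policycoreutils code: a Python parser that turns the AVC denials quoted in this report into the plain allow rule they correspond to, which is the kind of rule Comment 1 suggests adding. It generalizes slightly by merging repeated denials and multiple permissions; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two denials quoted in this bug report (copied from the report).
SAMPLE_AVCS = """\
type=AVC msg=audit(1443859275.327:71208): avc:  denied  { read } for  pid=20255 comm="tmux" name="tpm" dev="vdd1" ino=320004 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1443859275.336:71211): avc:  denied  { read } for  pid=20262 comm="tmux" name="tpm" dev="vdd1" ino=320004 scontext=staff_u:staff_r:staff_screen_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field (third component) of user:role:type[:level]."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def allow_rules(log_text):
    """Render one allow rule per (source, target, class), duplicates merged."""
    rules = []
    for (src, tgt, tclass), perms in sorted(collect_denials(log_text).items()):
        perm_list = sorted(perms)
        perm_str = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AVCS)))
```

In a custom module the resulting rule sits in the `.te` file next to a `require` block that declares both types and the `dir` class.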
Comment 2 Robin Powell 2015-10-05 17:08:50 EDT
Sorry, I forgot the important bit: the rule that's breaking was generated by audit2allow.
Comment 3 Fedora End Of Life 2016-07-19 16:55:17 EDT
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
