Bug 446430 - audit2allow role allow rules have issues
Summary: audit2allow role allow rules have issues
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: rawhide
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-05-14 15:51 UTC by Eric Paris
Modified: 2008-09-09 17:31 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-09 17:31:21 UTC


Attachments (Terms of Use)

Description Eric Paris 2008-05-14 15:51:43 UTC
Description of problem:

Running livecd-creator (after relabeling it to bin_t) I get a bunch of AVC
denieds.  But audit2allow -a -m modlivecd > modlivecd.te produces and illegal
.te file.  It includes

=========== ROLES ===============
role unconfined_r types groupadd_exec_t;
role unconfined_r types useradd_exec_t;
role unconfined_r types groupadd_exec_t;
role unconfined_r types useradd_exec_t;
role unconfined_r types depmod_exec_t;
role unconfined_r types depmod_exec_t;

4 problems with that block.

1) the role unconfined_r is not in the requires block
2) none of the types (groupadd_exec_t, useradd_exec_t, etc) are in the requires
3) it shows the same rules more than once
4) the ===== ROLES ===== line does not start with a #

Comment 1 Eric Paris 2008-05-14 16:03:08 UTC
policycoreutils-2.0.46-5.fc9.x86_64
selinux-policy-3.3.1-51.fc9.noarch

My guess is that they are a result of audit messages like this

type=SELINUX_ERR msg=audit(1210780569.882:4384): security_compute_sid:  invalid
context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for
scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023
tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process

Comment 2 Daniel Walsh 2008-09-09 17:31:21 UTC
Fixed in policycoreutils-2.0.55-5.fc10.x86_64


Note You need to log in before you can comment on or make changes to this bug.