Bug 499519 - checkmodule interrupts parsing .te-file at init_script_type because of syntax error
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: policycoreutils (Show other bugs)
Version: 10
Hardware: x86_64 Linux
Priority: low  Severity: high
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-05-06 18:58 EDT by oni
Modified: 2009-11-18 05:27 EST (History)

Doc Type: Bug Fix
Last Closed: 2009-11-18 05:27:35 EST

Attachments: None
Description oni 2009-05-06 18:58:14 EDT
Description of problem:
checkmodule interrupts parsing .te-file at init_script_type because of syntax error.

Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
Compiling targeted vsftpd module
/usr/bin/checkmodule:  loading policy configuration from tmp/vsftpd.tmp
vsftpd.te":15:ERROR 'syntax error' at token 'init_script_type' on line 4218:
init_script_type(vsftpd_script_exec_t)
type vsftpd_script_exec_t;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/vsftpd.mod] Error 1
+ /usr/sbin/semodule -i vsftpd.pp
/usr/sbin/semodule:  Could not read file 'vsftpd.pp': No such file or directory
+ /sbin/restorecon -F -R -v /usr/sbin/vsftpd
+ /sbin/restorecon -F -R -v /etc/rc.d/init.d/vsftpd
+ /sbin/restorecon -F -R -v /mnt/data

How reproducible:

Steps to Reproduce:
1.generate policy with the gui-policy-generator
2.execute the generated .sh
thanks for fixing/help
Comment 1 oni 2009-05-06 19:02:50 EDT
.te-file:

policy_module(vsftpd,1.0.0)

########################################
#
# Declarations
#

type vsftpd_t;
type vsftpd_exec_t;
init_daemon_domain(vsftpd_t, vsftpd_exec_t)

permissive vsftpd_t;

type vsftpd_script_exec_t;
init_script_type(vsftpd_script_exec_t)

type vsftpd_rw_t;
files_type(vsftpd_rw_t)

########################################
#
# vsftpd local policy
#

# Init script handling
domain_use_interactive_fds(vsftpd_t)

# internal communication is often done using fifo and unix sockets.
allow vsftpd_t self:fifo_file rw_file_perms;
allow vsftpd_t self:unix_stream_socket create_stream_socket_perms;

files_read_etc_files(vsftpd_t)

libs_use_ld_so(vsftpd_t)
libs_use_shared_libs(vsftpd_t)

miscfiles_read_localization(vsftpd_t)


allow vsftpd_t vsftpd_rw_t:file manage_file_perms;
allow vsftpd_t vsftpd_rw_t:dir create_dir_perms;

sysnet_dns_name_resolve(vsftpd_t)
corenet_all_recvfrom_unlabeled(vsftpd_t)

allow vsftpd_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(vsftpd_t)
corenet_tcp_sendrecv_all_nodes(vsftpd_t)
corenet_tcp_sendrecv_all_ports(vsftpd_t)
corenet_tcp_bind_all_nodes(vsftpd_t)
corenet_tcp_connect_all_ports(vsftpd_t)
corenet_tcp_bind_ftp_port(vsftpd_t)

logging_send_syslog_msg(vsftpd_t)

auth_domtrans_chk_passwd(vsftpd_t)
Comment 2 Miroslav Grepl 2009-05-07 04:52:24 EDT
For now you can change the 'init_script_type' macro to the 'init_script_file' macro manually in your .te file.
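The workaround in comment 2 (rename the interface call in the .te) and the build-and-load sequence from the description, combined into one script. This is an added example, not code from the bug report or from policycoreutils/selinux-policy. It assumes the Fedora devel layout of the report (Makefile at /usr/share/selinux/devel/Makefile, interface files under /usr/share/selinux/devel/include, with the init interfaces in system/init.if declared as interface(`name',`...')); rather than renaming blindly, it checks which of the two interface names the installed headers actually define, so the same script works against headers that still ship init_script_type. The function names are the example's own.

```shell
#!/bin/sh
# Added example: make a generated .te file use the init-script interface
# that the installed reference policy headers define, then rebuild and load.
# Assumptions (not from the bug): interface dir defaults to
# /usr/share/selinux/devel/include; interfaces are declared in init.if as
#   interface(`init_script_file',`
set -eu

# Print the init-script interface name the installed headers define:
# init_script_file (newer headers) or init_script_type (older). Fail if neither.
init_script_interface() {
    iffile="$1/system/init.if"
    [ -r "$iffile" ] || return 1
    for name in init_script_file init_script_type; do
        if grep -Eq "^interface\(\`$name'," "$iffile"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# Rewrite every init_script_type(...) call at line start in the .te file to
# the wanted interface name. Edits in place and keeps a .orig backup.
fix_te() {
    te=$1
    want=$2
    sed -i.orig "s/^init_script_type(/$want(/" "$te"
}

# Count calls of interface $2 in file $1 (used as a post-edit check).
count_calls() {
    grep -c "^$2(" "$1" || true
}

# Same sequence the generated .sh in the report runs: build, then load.
build_and_load() {
    te=$1
    mod=$(basename "${te%.te}")
    (cd "$(dirname "$te")" && make -f /usr/share/selinux/devel/Makefile "$mod.pp")
    /usr/sbin/semodule -i "$(dirname "$te")/$mod.pp"
}

main() {
    te=$1
    ifdir=${2:-/usr/share/selinux/devel/include}
    want=$(init_script_interface "$ifdir") || {
        echo "no init_script_file/init_script_type interface in $ifdir/system/init.if" >&2
        return 1
    }
    fix_te "$te" "$want"
    echo "$te: $(count_calls "$te" "$want") call(s) now use $want"
    build_and_load "$te"
}

# Usage: sh fix-init-script.sh vsftpd.te [interface-dir]
if [ $# -gt 0 ]; then main "$@"; fi
```

Checking init.if first matters because the generator emitted a name the installed headers did not know; if the script only renamed, it would silently produce the mirror-image failure on a system whose headers still define init_script_type.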
Comment 3 Daniel Walsh 2009-05-07 10:16:06 EDT
oni, 

There is already policy for vsftpd in SELinux.   (ftp.te)
Comment 4 Daniel Walsh 2009-05-07 10:19:07 EDT
Miroslav, I think this is fixed in 

policycoreutils-2.0.57-20.fc10

Which should probably be put into Fedora Testing.  Can you take over this package in F10?
Comment 5 Miroslav Grepl 2009-05-07 11:42:54 EDT
(In reply to comment #4)
> Miroslav, I think this is fixed in 
> 
> policycoreutils-2.0.57-20.fc10
> 
> Which should probably be put into Fedora Testing.  Can you take over this
> package in F10?  

Yes, I can. I'm taking it over.
Comment 6 Miroslav Grepl 2009-05-13 06:59:26 EDT
Fixed in policycoreutils-2.0.57-21.fc10
Comment 7 Jim Cromie 2009-06-25 11:08:50 EDT
hi Miroslav,

this bugzilla report seemed close enough in subject, time and status (modified)
so I didn't open a separate one.

I installed, then tried ftp localhost, was refused, and selinux complained,
and asked for a bug report.

SELinux is preventing vsftpd (ftpd_t) "sys_admin" ftpd_t. 

Detailed Description
SELinux denied access requested by vsftpd. It is not expected that this access is required by vsftpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. 

Allowing Access
You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.
Comment 8 Daniel Walsh 2009-06-26 16:09:04 EDT
Jim, check to see if pam_namespace is being called in your pam stack?
Comment 9 Jim Cromie 2009-06-27 07:43:53 EDT
it seems so. (/me needs to read up on pam)

[jimc@harpo pam.d]$ sudo grep pam_namespace *
gdm:session    required    pam_namespace.so
gdm-autologin:session    required    pam_namespace.so
gdm-fingerprint:session     required      pam_namespace.so
gdm-password:session     required      pam_namespace.so
login:session    required     pam_namespace.so
newrole:session    required	pam_namespace.so unmnt_remnt no_unmount_on_close
remote:session    required     pam_namespace.so
[jimc@harpo pam.d]$
Comment 10 Jim Cromie 2009-06-27 08:28:03 EDT
hmm.  I have no /etc/pam.conf, but rpm indicates that's ok: ?!

[jimc@harpo etc]$ rpm -qf /etc/pam.d
pam-1.0.91-6.fc11.i586
[jimc@harpo etc]$ rpm -V pam-1.0.91-6.fc11.i586
....L....  c /etc/pam.d/fingerprint-auth
....L....  c /etc/pam.d/password-auth
....L....  c /etc/pam.d/smartcard-auth
....L....  c /etc/pam.d/system-auth
S.5....T.  c /etc/security/limits.conf
..?......  c /etc/security/opasswd
..?......    /sbin/unix_update
[jimc@harpo etc]$
Comment 11 Bug Zapper 2009-11-18 05:01:14 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
