Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-devel-2.4.6-255.el5

How reproducible:
always

Steps to Reproduce:
1) /usr/share/selinux/devel/policygentool ls /bin/ls
2) hit ENTER
3) enter any number and hit ENTER
4) policygentool prints the following:
What type of application are you trying to confine?
1. Standard Init Daemon
2. Internet Services Daemon (inetd)
3 Web Application/Script (cgi)
4 User Application
5) repeat steps 3,4

Actual results:
you can see the first question only

Expected results:
you can see other questions too

Additional info:
# diff /usr/share/selinux/devel/policygentool /usr/share/selinux/devel/policygentool.orig 75,76c75,76 < if input > "0" and input < "5": < type = int(input) --- > if input > "0" and input < 5: > type = int(type) This fix works for me.
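Review bot: the replacement condition `if input > "0" and input < "5":` compares strings lexicographically, so values such as "10" or "4x" also pass the range check; "10" is then accepted as type 10 and "4x" makes `int(input)` raise ValueError. Convert the answer to an integer first, inside a try/except for ValueError, and test that integer against the 1 to 4 range of the menu. The diff was taken with the patched file as the first argument, so the `<` lines are the fix and the `>` lines are the original; in the original, `input < 5` compares a string with an integer, which Python 2 never evaluates as true for a string, and `int(type)` converts the wrong variable. Both variable names also shadow Python builtins, which is worth renaming while this block is being touched.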
Even if comment #1 fix is present, policygentool prints traceback:

# /usr/share/selinux/devel/policygentool ls /bin/ls

This tool generate three files for policy development, A Type Enforcement (te)
file, a File Context (fc), and a Interface File(if). Most of the policy rules
will be written in the te file. Use the File Context file to associate file
paths with security context. Use the interface rules to allow other protected
domains to interact with the newly defined domains.

After generating these files use the /usr/share/selinux/devel/Makefile to
compile your policy package. Then use the semodule tool to load it.

# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myapp.pp
# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"

Now you can turn on permissive mode, start your application and avc messages
will be generated. You can use audit2allow to help translate the avc messages
into policy.

# setenforce 0
# service myapp start
# audit2allow -R -i /var/log/audit/audit.log

Return to continue:

What type of application are you trying to confine?
1. Standard Init Daemon
2. Internet Services Daemon (inetd)
3 Web Application/Script (cgi)
4 User Application
4
If the module uses pidfiles, what is the pidfile called?
If the module uses logfiles, where are they stored?
If the module has var/lib files, where are they stored?
Does the module have a init script? [yN]
n
Does the module use the network? [yN]
n
Traceback (most recent call last):
  File "/usr/share/selinux/devel/policygentool", line 108, in ?
    gen_policy(
NameError: name 'gen_policy' is not defined
# echo $?
1
Could you use /usr/share/system-config-selinux/polgengui.py? This is the preferred way and this tool is going away.
/usr/share/system-config-selinux/polgengui.py works fine. Thanks for the advice.
Since there is a better workaround, this won't be fixed, and the tool is removed from the next release.
*** Bug 531982 has been marked as a duplicate of this bug. ***