Bug 528655 - policygentool does not react on user inputs
Summary: policygentool does not react on user inputs
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact: BaseOS QE
: 531982 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2009-10-13 08:36 UTC by Milos Malik
Modified: 2009-12-21 12:05 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-10-15 18:36:46 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Milos Malik 2009-10-13 08:36:06 UTC
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1) /usr/share/selinux/devel/policygentool ls /bin/ls
2) hit ENTER
3) enter any number and hit ENTER
4) policygentool prints the following:
                What type of application are you trying to confine?
                1. Standard Init Daemon
                2. Internet Services Daemon (inetd)
                3  Web Application/Script (cgi)
                4  User Application
5) repeat steps 3,4
Actual results:
you can the first question only

Expected results:
you can see other questions too

Additional info:

Comment 1 Milos Malik 2009-10-13 08:42:30 UTC
# diff /usr/share/selinux/devel/policygentool /usr/share/selinux/devel/policygentool.orig 
<               if input > "0" and input < "5":
<                       type = int(input)
>               if input > "0" and input < 5:
>                       type = int(type)

This fix works for me.

Comment 2 Milos Malik 2009-10-13 10:06:55 UTC
Even if comment #1 fix is present, policygentool prints traceback:

# /usr/share/selinux/devel/policygentool ls /bin/ls

This tool generate three files for policy development, A Type Enforcement (te)
file, a File Context (fc), and a Interface File(if).  Most of the policy rules
will be written in the te file.  Use the File Context file to associate file
paths with security context.  Use the interface rules to allow other protected
domains to interact with the newly defined domains.

After generating these files use the /usr/share/selinux/devel/Makefile to
compile your policy package.  Then use the semodule tool to load it.

# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myapp.pp
# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"

Now you can turn on permissive mode, start your application and avc messages
will be generated.  You can use audit2allow to help translate the avc messages
into policy.

# setenforce 0
# service myapp start
# audit2allow -R -i /var/log/audit/audit.log

Return to continue:

                What type of application are you trying to confine?
                1. Standard Init Daemon
                2. Internet Services Daemon (inetd)
                3  Web Application/Script (cgi)
                4  User Application

If the module uses pidfiles, what is the pidfile called?

If the module uses logfiles, where are they stored?

If the module has var/lib files, where are they stored?

Does the module have a init script? [yN]
Does the module use the network? [yN]
Traceback (most recent call last):
  File "/usr/share/selinux/devel/policygentool", line 108, in ?
NameError: name 'gen_policy' is not defined
# echo $?

Comment 3 Daniel Walsh 2009-10-13 14:20:03 UTC
Could you use /usr/share/system-config-selinux/polgengui.py

THis is the preferred way and this tool is going away.

Comment 4 Milos Malik 2009-10-13 14:48:45 UTC
/usr/share/system-config-selinux/polgengui.py works fine. Thanks for advice.

Comment 5 Daniel Walsh 2009-10-15 18:36:46 UTC
Since better work around won't fix and removed from the next release.

Comment 6 Miroslav Grepl 2009-12-21 12:05:35 UTC
*** Bug 531982 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.