Bug 531982 - policygentool does not recognise correct input
Status: CLOSED DUPLICATE of bug 528655
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2009-10-30 04:48 UTC by Colin Coe
Modified: 2009-12-21 12:05 UTC (History)

Doc Type: Bug Fix
Last Closed: 2009-12-21 12:05:35 UTC

Attachments
Patch to correctly test for valid input (388 bytes, patch)
2009-10-30 04:53 UTC, Colin Coe

Description Colin Coe 2009-10-30 04:48:27 UTC
Description of problem:
/usr/share/selinux/devel/policygentool does not recognise valid input as valid input

Version-Release number of selected component (if applicable):
rpm -qf /usr/share/selinux/devel/policygentool
selinux-policy-devel-2.4.6-255.el5

How reproducible:
Run /usr/share/selinux/devel/policygentool with appropriate args and enter a number 1 - 4 when prompted

Steps to Reproduce:
1. /usr/share/selinux/devel/policygentool xymon /usr/share/xymon/cgi-bin/bb-hostsvc.sh
2. Press <ENTER> when prompted
3. At the menu enter a number between 1 and 4 (in my case 3)
4. The same menu is presented again as the input is not recognised as valid
  
Actual results:

[root@montest ~]# /usr/share/selinux/devel/policygentool xymon /usr/share/xymon/cgi-bin/bb-hostsvc.sh


This tool generate three files for policy development, A Type Enforcement (te)
file, a File Context (fc), and a Interface File(if).  Most of the policy rules
will be written in the te file.  Use the File Context file to associate file
paths with security context.  Use the interface rules to allow other protected
domains to interact with the newly defined domains.

After generating these files use the /usr/share/selinux/devel/Makefile to
compile your policy package.  Then use the semodule tool to load it.

# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myapp.pp
# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"

Now you can turn on permissive mode, start your application and avc messages
will be generated.  You can use audit2allow to help translate the avc messages
into policy.

# setenforce 0
# service myapp start
# audit2allow -R -i /var/log/audit/audit.log

Return to continue:


                What type of application are you trying to confine?
                1. Standard Init Daemon
                2. Internet Services Daemon (inetd)
                3  Web Application/Script (cgi)
                4  User Application

3

                What type of application are you trying to confine?
                1. Standard Init Daemon
                2. Internet Services Daemon (inetd)
                3  Web Application/Script (cgi)
                4  User Application

3

                What type of application are you trying to confine?
                1. Standard Init Daemon
                2. Internet Services Daemon (inetd)
                3  Web Application/Script (cgi)
                4  User Application

3

                What type of application are you trying to confine?
                1. Standard Init Daemon
                2. Internet Services Daemon (inetd)
                3  Web Application/Script (cgi)
                4  User Application

3

                What type of application are you trying to confine?
                1. Standard Init Daemon
                2. Internet Services Daemon (inetd)
                3  Web Application/Script (cgi)
                4  User Application


Expected results:
[root@montest ~]# /usr/share/selinux/devel/policygentool xymon /usr/share/xymon/cgi-bin/bb-hostsvc.sh


This tool generate three files for policy development, A Type Enforcement (te)
file, a File Context (fc), and a Interface File(if).  Most of the policy rules
will be written in the te file.  Use the File Context file to associate file
paths with security context.  Use the interface rules to allow other protected
domains to interact with the newly defined domains.

After generating these files use the /usr/share/selinux/devel/Makefile to
compile your policy package.  Then use the semodule tool to load it.

# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myapp.pp
# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"

Now you can turn on permissive mode, start your application and avc messages
will be generated.  You can use audit2allow to help translate the avc messages
into policy.

# setenforce 0
# service myapp start
# audit2allow -R -i /var/log/audit/audit.log

Return to continue:


                What type of application are you trying to confine?
                1. Standard Init Daemon
                2. Internet Services Daemon (inetd)
                3  Web Application/Script (cgi)
                4  User Application

3
If the module uses pidfiles, what is the pidfile called?
/var/log/xymon/server/hobbitd_history.pid /var/log/xymon/server/hobbitd.pid /var/log/xymon/server/hobbitlaunch.pid
If the module uses logfiles, where are they stored?
/var/log/xymon/server/
If the module has var/lib files, where are they stored?
/var/lib/xymon/
Does the module have a init script? [yN]
y
Does the module use the network? [yN]
y
Traceback (most recent call last):
  File "/usr/share/selinux/devel/policygentool", line 108, in ?
    gen_policy(
NameError: name 'gen_policy' is not defined

Additional info:
Patch attached

Comment 1 Colin Coe 2009-10-30 04:53:11 UTC
Created attachment 366761
Patch to correctly test for valid input

Comment 2 Colin Coe 2009-10-30 04:55:20 UTC
Still trying to track down "NameError: name 'gen_policy' is not defined"

Comment 3 Daniel Walsh 2009-10-30 12:22:20 UTC
This tool is really being deprecated and we are encouraging users to use either selinux-polgengui or slide.

Comment 4 Colin Coe 2009-11-06 05:13:48 UTC
OK, I'll use selinux-polgengui as that's already in RHEL.

Thanks

CC

Comment 5 Miroslav Grepl 2009-12-21 12:05:35 UTC

*** This bug has been marked as a duplicate of bug 528655 ***
