Description of problem:
/usr/share/selinux/devel/policygentool does not recognise valid input as valid input

Version-Release number of selected component (if applicable):
rpm -qf /usr/share/selinux/devel/policygentool
selinux-policy-devel-2.4.6-255.el5

How reproducible:
Run /usr/share/selinux/devel/policygentool with appropriate args and enter a number 1 - 4 when prompted

Steps to Reproduce:
1. /usr/share/selinux/devel/policygentool xymon /usr/share/xymon/cgi-bin/bb-hostsvc.sh
2. Press <ENTER> when prompted
3. At the menu enter a number between 1 and 4 (in my case 3)
4. The same menu is presented again as the input is not recognised as valid

Actual results:
[root@montest ~]# /usr/share/selinux/devel/policygentool xymon /usr/share/xymon/cgi-bin/bb-hostsvc.sh

This tool generate three files for policy development, A Type Enforcement (te) file, a File Context (fc), and a Interface File(if). Most of the policy rules will be written in the te file. Use the File Context file to associate file paths with security context. Use the interface rules to allow other protected domains to interact with the newly defined domains.

After generating these files use the /usr/share/selinux/devel/Makefile to compile your policy package. Then use the semodule tool to load it.

# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myapp.pp
# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"

Now you can turn on permissive mode, start your application and avc messages will be generated. You can use audit2allow to help translate the avc messages into policy.

# setenforce 0
# service myapp start
# audit2allow -R -i /var/log/audit/audit.log

Return to continue:

What type of application are you trying to confine?
1. Standard Init Daemon
2. Internet Services Daemon (inetd)
3 Web Application/Script (cgi)
4 User Application
3

What type of application are you trying to confine?
1. Standard Init Daemon
2. Internet Services Daemon (inetd)
3 Web Application/Script (cgi)
4 User Application
3

What type of application are you trying to confine?
1. Standard Init Daemon
2. Internet Services Daemon (inetd)
3 Web Application/Script (cgi)
4 User Application
3

What type of application are you trying to confine?
1. Standard Init Daemon
2. Internet Services Daemon (inetd)
3 Web Application/Script (cgi)
4 User Application
3

What type of application are you trying to confine?
1. Standard Init Daemon
2. Internet Services Daemon (inetd)
3 Web Application/Script (cgi)
4 User Application

Expected results:
[root@montest ~]# /usr/share/selinux/devel/policygentool xymon /usr/share/xymon/cgi-bin/bb-hostsvc.sh

This tool generate three files for policy development, A Type Enforcement (te) file, a File Context (fc), and a Interface File(if). Most of the policy rules will be written in the te file. Use the File Context file to associate file paths with security context. Use the interface rules to allow other protected domains to interact with the newly defined domains.

After generating these files use the /usr/share/selinux/devel/Makefile to compile your policy package. Then use the semodule tool to load it.

# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myapp.pp
# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"

Now you can turn on permissive mode, start your application and avc messages will be generated. You can use audit2allow to help translate the avc messages into policy.

# setenforce 0
# service myapp start
# audit2allow -R -i /var/log/audit/audit.log

Return to continue:

What type of application are you trying to confine?
1. Standard Init Daemon
2. Internet Services Daemon (inetd)
3 Web Application/Script (cgi)
4 User Application
3

If the module uses pidfiles, what is the pidfile called?
/var/log/xymon/server/hobbitd_history.pid /var/log/xymon/server/hobbitd.pid /var/log/xymon/server/hobbitlaunch.pid
If the module uses logfiles, where are they stored?
/var/log/xymon/server/
If the module has var/lib files, where are they stored?
/var/lib/xymon/
Does the module have a init script? [yN]
y
Does the module use the network? [yN]
y
Traceback (most recent call last):
  File "/usr/share/selinux/devel/policygentool", line 108, in ?
    gen_policy(
NameError: name 'gen_policy' is not defined

Additional info:
Patch attached
Created attachment 366761
Patch to correctly test for valid input
Still trying to track down "NameError: name 'gen_policy' is not defined"
This tool is really being deprecated and we are encouraging users to use either selinux-polgengui or slide.
OK, I'll use selinux-polgengui as that's already in RHEL. Thanks CC
*** This bug has been marked as a duplicate of bug 528655 ***