Bug 531982 - policygentool does not recognise correct input
Status: CLOSED DUPLICATE of bug 528655
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2009-10-30 00:48 EDT by Colin Coe
Modified: 2009-12-21 07:05 EST
Doc Type: Bug Fix
Last Closed: 2009-12-21 07:05:35 EST

Attachments:
Patch to correctly test for valid input (388 bytes, patch), 2009-10-30 00:53 EDT, Colin Coe

Description Colin Coe 2009-10-30 00:48:27 EDT
Description of problem:
/usr/share/selinux/devel/policygentool does not recognise valid input as valid input

Version-Release number of selected component (if applicable):
rpm -qf /usr/share/selinux/devel/policygentool
selinux-policy-devel-2.4.6-255.el5

How reproducible:
Run /usr/share/selinux/devel/policygentool with appropriate args and enter a number 1 - 4 when prompted

Steps to Reproduce:
1. /usr/share/selinux/devel/policygentool xymon /usr/share/xymon/cgi-bin/bb-hostsvc.sh
2. Press <ENTER> when prompted
3. At the menu enter a number between 1 and 4 (in my case 3)
4. The same menu is presented again as the input is not recognised as valid
  
Actual results:

[root@montest ~]# /usr/share/selinux/devel/policygentool xymon /usr/share/xymon/cgi-bin/bb-hostsvc.sh


This tool generate three files for policy development, A Type Enforcement (te)
file, a File Context (fc), and a Interface File(if).  Most of the policy rules
will be written in the te file.  Use the File Context file to associate file
paths with security context.  Use the interface rules to allow other protected
domains to interact with the newly defined domains.

After generating these files use the /usr/share/selinux/devel/Makefile to
compile your policy package.  Then use the semodule tool to load it.

# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myapp.pp
# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"

Now you can turn on permissive mode, start your application and avc messages
will be generated.  You can use audit2allow to help translate the avc messages
into policy.

# setenforce 0
# service myapp start
# audit2allow -R -i /var/log/audit/audit.log

Return to continue:


                What type of application are you trying to confine?
                1. Standard Init Daemon
                2. Internet Services Daemon (inetd)
                3  Web Application/Script (cgi)
                4  User Application

3

                What type of application are you trying to confine?
                1. Standard Init Daemon
                2. Internet Services Daemon (inetd)
                3  Web Application/Script (cgi)
                4  User Application

3

                What type of application are you trying to confine?
                1. Standard Init Daemon
                2. Internet Services Daemon (inetd)
                3  Web Application/Script (cgi)
                4  User Application

3

                What type of application are you trying to confine?
                1. Standard Init Daemon
                2. Internet Services Daemon (inetd)
                3  Web Application/Script (cgi)
                4  User Application

3

                What type of application are you trying to confine?
                1. Standard Init Daemon
                2. Internet Services Daemon (inetd)
                3  Web Application/Script (cgi)
                4  User Application


Expected results:
[root@montest ~]# /usr/share/selinux/devel/policygentool xymon /usr/share/xymon/cgi-bin/bb-hostsvc.sh


This tool generate three files for policy development, A Type Enforcement (te)
file, a File Context (fc), and a Interface File(if).  Most of the policy rules
will be written in the te file.  Use the File Context file to associate file
paths with security context.  Use the interface rules to allow other protected
domains to interact with the newly defined domains.

After generating these files use the /usr/share/selinux/devel/Makefile to
compile your policy package.  Then use the semodule tool to load it.

# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myapp.pp
# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"

Now you can turn on permissive mode, start your application and avc messages
will be generated.  You can use audit2allow to help translate the avc messages
into policy.

# setenforce 0
# service myapp start
# audit2allow -R -i /var/log/audit/audit.log

Return to continue:


                What type of application are you trying to confine?
                1. Standard Init Daemon
                2. Internet Services Daemon (inetd)
                3  Web Application/Script (cgi)
                4  User Application

3
If the module uses pidfiles, what is the pidfile called?
/var/log/xymon/server/hobbitd_history.pid /var/log/xymon/server/hobbitd.pid /var/log/xymon/server/hobbitlaunch.pid
If the module uses logfiles, where are they stored?
/var/log/xymon/server/
If the module has var/lib files, where are they stored?
/var/lib/xymon/
Does the module have a init script? [yN]
y
Does the module use the network? [yN]
y
Traceback (most recent call last):
  File "/usr/share/selinux/devel/policygentool", line 108, in ?
    gen_policy(
NameError: name 'gen_policy' is not defined

Additional info:
Patch attached

Comment 1 Colin Coe 2009-10-30 00:53:11 EDT
Created attachment 366761
Patch to correctly test for valid input

Comment 2 Colin Coe 2009-10-30 00:55:20 EDT
Still trying to track down "NameError: name 'gen_policy' is not defined"

Comment 3 Daniel Walsh 2009-10-30 08:22:20 EDT
This tool is really being deprecated and we are encouraging users to use either selinux-polgengui or slide.

Comment 4 Colin Coe 2009-11-06 00:13:48 EST
OK, I'll use selinux-polgengui as that's already in RHEL.

Thanks

CC

Comment 5 Miroslav Grepl 2009-12-21 07:05:35 EST
*** This bug has been marked as a duplicate of bug 528655 ***