Bug 607912 - some .pp files cannot be loaded because admin interfaces contain an error
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Duplicates: 607943
Blocks: 599016
Reported: 2010-06-25 03:35 EDT by Milos Malik
Modified: 2012-10-16 08:30 EDT
Fixed In Version: selinux-policy-3.7.19-28.el6
Doc Type: Bug Fix
Last Closed: 2010-11-10 16:34:55 EST

Attachments:
Miroslav I just got the policy updated in Rawhide to make this te file work (4.80 KB, application/octet-stream), 2010-06-25 13:24 EDT, Daniel Walsh

Description Milos Malik 2010-06-25 03:35:29 EDT
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-27.el6.noarch
selinux-policy-3.7.19-27.el6.noarch
libsemanage-python-2.0.43-4.el6.i686
libsemanage-2.0.43-4.el6.i686
libsepol-2.0.41-3.el6.i686

How reproducible:
always

Steps to Reproduce:
Using selinux-polgengui I generated the following .te file (comments and blank lines removed):

policy_module(confined_admin,1.0.0)
userdom_admin_user_template(confined_admin)
domain_use_interactive_fds(confined_admin_t)
files_read_etc_files(confined_admin_t)
miscfiles_read_localization(confined_admin_t)

# echo "apache_admin(confined_admin_t,confined_admin_r)" >> confined_admin.te
# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/confined_admin.mod
Creating targeted confined_admin.pp policy package
rm tmp/confined_admin.mod.fc tmp/confined_admin.mod
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
# semodule -i confined_admin.pp
libsepol.expand_terule_helper: conflicting TE rule for (confined_admin_t, tmp_t:dir):  old was user_tmp_t, new is httpd_tmp_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!
# semodule -r confined_admin
libsemanage.semanage_direct_remove: Module confined_admin was not found.
semodule:  Failed!

  
Actual results:
"semodule -i confined_admin" failed

Expected results:
"semodule -i confined_admin" succeeded

Additional info:
I would like to test all admin interfaces found in /usr/share/selinux/devel/include/services/ in the same way.
Comment 2 Miroslav Grepl 2010-06-25 03:55:25 EDT
This is caused by

files_tmp_filetrans($1, httpd_tmp_t, { file dir })

rule in the 'apache_admin' interface, and it is also a problem for other confined
users which are based on the 'userdom_login_user_template' interface.
Comment 3 Milos Malik 2010-06-25 04:21:10 EDT
If you use "bind_admin(confined_admin_t,confined_admin_r)" instead of "apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0, you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute named_var_lib_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
Comment 4 Milos Malik 2010-06-25 04:39:52 EDT
If you use "bluetooth_admin(confined_admin_t,confined_admin_r)" instead of
"apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0
you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute bluetooth_spool_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
Comment 5 Milos Malik 2010-06-25 04:43:05 EDT
If you use "ddclient_admin(confined_admin_t,confined_admin_r)" instead of
"apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0
you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute ddclient_var_lib_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
Comment 6 Milos Malik 2010-06-25 04:44:35 EDT
If you use "dovecot_admin(confined_admin_t,confined_admin_r)" instead of
"apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0
you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute dovecot_log_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
Comment 7 Milos Malik 2010-06-25 05:01:13 EDT
If you use "ifplugd_admin(confined_admin_t,confined_admin_r)" instead of
"apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0
you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute ifplugd_initrc_exec_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
Comment 8 Milos Malik 2010-06-25 06:08:10 EDT
If you use "postfix_admin(confined_admin_t,confined_admin_r)" instead of
"apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0
you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute postfix_map_tmp
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
Comment 9 Milos Malik 2010-06-25 06:11:27 EDT
If you use "postfixpolicyd_admin(confined_admin_t,confined_admin_r)" instead of
"apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0
you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute postfix_policyd_initrc_exec_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
Comment 10 Milos Malik 2010-06-25 06:15:10 EDT
If you use "samba_admin(confined_admin_t,confined_admin_r)" instead of
"apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0
you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute smbd_spool_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
Comment 11 Milos Malik 2010-06-25 06:16:41 EDT
If you use "setroubleshoot_admin(confined_admin_t,confined_admin_r)" instead of
"apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0
you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute setroubleshoot_log_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
Comment 12 Milos Malik 2010-06-25 08:42:27 EDT
And the last is:
ssh_admin_server(confined_admin_t,confined_admin_r)

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute sshdd_initrc_exec_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
Comment 13 Daniel Walsh 2010-06-25 13:24:34 EDT
Created attachment 426941
Miroslav, I just got the policy updated in Rawhide to make this te file work

We should probably test this te file to make sure _admin compiles and installs properly.
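
The sweep asked for in the description ("test all admin interfaces ... in the same way") and suggested again in comment 13, written out as an added example; it is not part of the original thread or of selinux-policy. The function names, the --run switch and the result labels are assumptions of this example; the paths and the .te body are the ones quoted in the report. A successful load installs and then removes the confined_admin module, so it belongs on a test machine.

```shell
IFDIR=${IFDIR:-/usr/share/selinux/devel/include/services}
MAKEFILE=${MAKEFILE:-/usr/share/selinux/devel/Makefile}
# Print every admin interface name defined in the .if files under directory $1.
list_admin_interfaces() {
    cat "$1"/*.if 2>/dev/null |
        sed -n "s/^interface(\`\([A-Za-z0-9_]*\)'.*/\1/p" |
        grep -E '_admin(_|$)' | sort -u
}

# Emit the reporter's .te file with a call to interface $1 appended.
gen_te() {
    cat <<EOF
policy_module(confined_admin,1.0.0)
userdom_admin_user_template(confined_admin)
domain_use_interactive_fds(confined_admin_t)
files_read_etc_files(confined_admin_t)
miscfiles_read_localization(confined_admin_t)
$1(confined_admin_t,confined_admin_r)
EOF
}

# Reduce semodule's stderr ($1) to one of the failure classes seen in this bug.
classify() {
    case $1 in
        *"conflicting TE rule"*) echo "conflicting-te-rule" ;;
        *"requirements were not met"*)
            echo "missing:$(printf '%s\n' "$1" | sed -n 's/.*type\/attribute \([A-Za-z0-9_]*\).*/\1/p')" ;;
        *) echo "other" ;;
    esac
}

# Build and load the module for interface $1 in a scratch directory; print "name result".
test_interface() {
    work=$(mktemp -d) || return 1
    gen_te "$1" > "$work/confined_admin.te"
    if ! (cd "$work" && make -f "$MAKEFILE") >/dev/null 2>&1; then
        echo "$1 build-failed"
    elif err=$(semodule -i "$work/confined_admin.pp" 2>&1); then
        semodule -r confined_admin >/dev/null 2>&1; echo "$1 ok"
    else
        echo "$1 $(classify "$err")"
    fi
    rm -rf "$work"
}

# Run the sweep only on request: it needs root and the policy devel files.
if [ "${1:-}" = "--run" ]; then
    for iface in $(list_admin_interfaces "$IFDIR"); do test_interface "$iface"; done
fi
```

Saved to a file and run as root with --run, it prints one line per interface, for example "bind_admin missing:named_var_lib_t" for the failure shown in comment 3.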
Comment 14 Daniel Walsh 2010-06-25 14:08:57 EDT
*** Bug 607943 has been marked as a duplicate of this bug. ***
Comment 16 Miroslav Grepl 2010-06-29 11:32:04 EDT
Fixed in selinux-policy-3.7.19-28.el6.noarch
Comment 20 releng-rhel@redhat.com 2010-11-10 16:34:55 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.
