Bug 607912 - some .pp files cannot be loaded because admin interfaces contain an error
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Duplicates: 607943
Blocks: 599016
Reported: 2010-06-25 07:35 UTC by Milos Malik
Modified: 2012-10-16 12:30 UTC

Fixed In Version: selinux-policy-3.7.19-28.el6
Doc Type: Bug Fix
Last Closed: 2010-11-10 21:34:55 UTC


Attachments
Miroslav I just got the policy updated in Rawhide to make this te file work (4.80 KB, application/octet-stream)
2010-06-25 17:24 UTC, Daniel Walsh

Description Milos Malik 2010-06-25 07:35:29 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-27.el6.noarch
selinux-policy-3.7.19-27.el6.noarch
libsemanage-python-2.0.43-4.el6.i686
libsemanage-2.0.43-4.el6.i686
libsepol-2.0.41-3.el6.i686

How reproducible:
always

Steps to Reproduce:
Using selinux-polgengui I generated the following .te file (comments and blank lines removed):

policy_module(confined_admin,1.0.0)
userdom_admin_user_template(confined_admin)
domain_use_interactive_fds(confined_admin_t)
files_read_etc_files(confined_admin_t)
miscfiles_read_localization(confined_admin_t)

# echo "apache_admin(confined_admin_t,confined_admin_r)" >> confined_admin.te
# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/confined_admin.mod
Creating targeted confined_admin.pp policy package
rm tmp/confined_admin.mod.fc tmp/confined_admin.mod
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
# semodule -i confined_admin.pp
libsepol.expand_terule_helper: conflicting TE rule for (confined_admin_t, tmp_t:dir):  old was user_tmp_t, new is httpd_tmp_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!
# semodule -r confined_admin
libsemanage.semanage_direct_remove: Module confined_admin was not found.
semodule:  Failed!

  
Actual results:
"semodule -i confined_admin" failed

Expected results:
"semodule -i confined_admin" succeeded

Additional info:
I would like to test all admin interfaces found in /usr/share/selinux/devel/include/services/ in the same way.

Comment 2 Miroslav Grepl 2010-06-25 07:55:25 UTC
This is caused by

files_tmp_filetrans($1, httpd_tmp_t, { file dir })

rule in the 'apache_admin' interface, and it is also a problem for other confined
users which are based on the 'userdom_login_user_template' interface.

Comment 3 Milos Malik 2010-06-25 08:21:10 UTC
If you use "bind_admin(confined_admin_t,confined_admin_r)" instead of "apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0, you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute named_var_lib_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

Comment 4 Milos Malik 2010-06-25 08:39:52 UTC
If you use "bluetooth_admin(confined_admin_t,confined_admin_r)" instead of
"apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0
you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute bluetooth_spool_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

Comment 5 Milos Malik 2010-06-25 08:43:05 UTC
If you use "ddclient_admin(confined_admin_t,confined_admin_r)" instead of
"apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0
you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute ddclient_var_lib_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

Comment 6 Milos Malik 2010-06-25 08:44:35 UTC
If you use "dovecot_admin(confined_admin_t,confined_admin_r)" instead of
"apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0
you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute dovecot_log_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

Comment 7 Milos Malik 2010-06-25 09:01:13 UTC
If you use "ifplugd_admin(confined_admin_t,confined_admin_r)" instead of
"apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0
you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute ifplugd_initrc_exec_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

Comment 8 Milos Malik 2010-06-25 10:08:10 UTC
If you use "postfix_admin(confined_admin_t,confined_admin_r)" instead of
"apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0
you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute postfix_map_tmp
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

Comment 9 Milos Malik 2010-06-25 10:11:27 UTC
If you use "postfixpolicyd_admin(confined_admin_t,confined_admin_r)" instead of
"apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0
you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute postfix_policyd_initrc_exec_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

Comment 10 Milos Malik 2010-06-25 10:15:10 UTC
If you use "samba_admin(confined_admin_t,confined_admin_r)" instead of
"apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0
you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute smbd_spool_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

Comment 11 Milos Malik 2010-06-25 10:16:41 UTC
If you use "setroubleshoot_admin(confined_admin_t,confined_admin_r)" instead of
"apache_admin(confined_admin_t,confined_admin_r)" as described in comment #0
you will see the following error messages:

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute setroubleshoot_log_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

Comment 12 Milos Malik 2010-06-25 12:42:27 UTC
And the last is:
ssh_admin_server(confined_admin_t,confined_admin_r)

# semodule -i confined_admin.pp
libsepol.print_missing_requirements: confined_admin's global requirements were not met: type/attribute sshdd_initrc_exec_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
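
The per-interface test from the description, looped over every `*_admin` interface and reduced to the two failure kinds seen in the comments above. This is an added example, not part of the bug report or of selinux-policy; the function names and the `--run` switch are hypothetical, and the paths are the ones quoted in the report.

```shell
#!/bin/sh
# Added example, not from the bug report. Paths are the ones quoted in the report.
IFDIR=${IFDIR:-/usr/share/selinux/devel/include/services}
MAKEFILE=${MAKEFILE:-/usr/share/selinux/devel/Makefile}

# Print each interface whose name contains "_admin" from the .if files in $1.
list_admin_interfaces() {
    sed -n 's/^interface(`\([A-Za-z0-9_]*_admin[A-Za-z0-9_]*\).*/\1/p' "$1"/*.if | sort -u
}

# Emit the reporter's test module with one admin interface call appended.
gen_te() {
    cat <<EOF
policy_module(confined_admin,1.0.0)
userdom_admin_user_template(confined_admin)
domain_use_interactive_fds(confined_admin_t)
files_read_etc_files(confined_admin_t)
miscfiles_read_localization(confined_admin_t)
$1(confined_admin_t,confined_admin_r)
EOF
}

# Reduce semodule/libsepol output (stdin) to one line naming the cause.
classify_semodule_error() {
    sed -n \
      -e 's/.*global requirements were not met: type\/attribute \([A-Za-z0-9_]*\).*/missing-type \1/p' \
      -e 's/.*conflicting TE rule for (\([^)]*\)).*new is \([A-Za-z0-9_]*\).*/conflicting-rule \1 \2/p' |
      head -n 1
}

# Build and try to load one module per interface (needs root; use a test machine).
run_all() {
    work=$(mktemp -d) && cd "$work" || return 1
    for iface in $(list_admin_interfaces "$IFDIR"); do
        gen_te "$iface" > confined_admin.te
        if ! make -f "$MAKEFILE" >/dev/null 2>build.log; then
            echo "$iface: build-failed"; continue
        fi
        if err=$(semodule -i confined_admin.pp 2>&1); then
            echo "$iface: ok"; semodule -r confined_admin >/dev/null
        else
            echo "$iface: $(printf '%s\n' "$err" | classify_semodule_error)"
        fi
    done
}

# Hypothetical switch: nothing touches the policy store unless --run is given.
if [ "${1:-}" = "--run" ]; then run_all; fi
```

A `missing-type` result names a type that the interface requires but the loaded policy does not define; a `conflicting-rule` result names the type pair and the new transition target that collides with the user template.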

Comment 13 Daniel Walsh 2010-06-25 17:24:34 UTC
Created attachment 426941
Miroslav  I just got the policy updated in Rawhide to make this te file work

We should probably test this te file to make sure _admin compiles and installs properly.

Comment 14 Daniel Walsh 2010-06-25 18:08:57 UTC
*** Bug 607943 has been marked as a duplicate of this bug. ***

Comment 16 Miroslav Grepl 2010-06-29 15:32:04 UTC
Fixed in selinux-policy-3.7.19-28.el6.noarch

Comment 20 releng-rhel@redhat.com 2010-11-10 21:34:55 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

