Bug 607943 - some .te files cannot be compiled because admin interfaces contain errors
Status: CLOSED DUPLICATE of bug 607912
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Miroslav Grepl
Milos Malik
Reported: 2010-06-25 05:19 EDT by Milos Malik
Modified: 2012-10-16 08:30 EDT
Doc Type: Bug Fix
Last Closed: 2010-06-25 14:08:14 EDT
Description Milos Malik 2010-06-25 05:19:38 EDT
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-27.el6.noarch
selinux-policy-3.7.19-27.el6.noarch
libsemanage-python-2.0.43-4.el6.i686
libsemanage-2.0.43-4.el6.i686
libsepol-2.0.41-3.el6.i686

How reproducible:
always

Steps to Reproduce:
Using selinux-polgengui I generated the following .te file (comments and blank
lines removed):

policy_module(confined_admin,1.0.0)
userdom_admin_user_template(confined_admin)
domain_use_interactive_fds(confined_admin_t)
files_read_etc_files(confined_admin_t)
miscfiles_read_localization(confined_admin_t)

# echo "boinc_admin(confined_admin_t,confined_admin_r)" >> confined_admin.te
# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'unknown type myboinc_initrc_exec_t' at token ';' on line 43486:
        role_transition confined_admin_r myboinc_initrc_exec_t system_r;
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'

  
Actual results:
.te -> .pp compilation failed

Expected results:
.te -> .pp compilation succeeded

Additional info:
I would like to test all admin interfaces found in /usr/share/selinux/devel/include/services/ in the same way.
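
Added example, not part of the original report or of the selinux-policy test suite: a shell script that applies the reproduction steps above to every `*_admin` interface under /usr/share/selinux/devel/include/services/ and reports the first checkmodule error for each. The function names are hypothetical; the paths and the .te contents are those given in the report, and the `interface(` declaration syntax is assumed to follow the reference policy.

```bash
#!/bin/bash
# Added example, not from the bug report. IF_DIR and DEVEL_MK default to the
# paths the report uses; every function name here is hypothetical.
IF_DIR=${IF_DIR:-/usr/share/selinux/devel/include/services}
DEVEL_MK=${DEVEL_MK:-/usr/share/selinux/devel/Makefile}

# List every interface named *_admin declared in the .if files under $1.
# Declarations are assumed to look like: interface(`boinc_admin',`
list_admin_interfaces() {
    sed -n "s/^interface(\`\([A-Za-z0-9_]*_admin\)'.*/\1/p" "$1"/*.if 2>/dev/null | sort -u
}

# Write the .te file from the report with one admin interface call appended.
write_te() {    # $1 = interface name, $2 = output file
    cat > "$2" <<EOF
policy_module(confined_admin,1.0.0)
userdom_admin_user_template(confined_admin)
domain_use_interactive_fds(confined_admin_t)
files_read_etc_files(confined_admin_t)
miscfiles_read_localization(confined_admin_t)
$1(confined_admin_t,confined_admin_r)
EOF
}

# Reduce checkmodule output on stdin to its first error message.
first_error() {
    sed -n "s/.*:ERROR '\([^']*\)' at token.*/\1/p" | head -n 1
}

# Build one module per interface, each in its own scratch directory, and
# print "<interface><TAB>OK" or "<interface><TAB><first error>".
check_all() {
    local work iface log err
    work=$(mktemp -d) || return 1
    for iface in $(list_admin_interfaces "$IF_DIR"); do
        mkdir "$work/$iface"
        write_te "$iface" "$work/$iface/confined_admin.te"
        if log=$(make -C "$work/$iface" -f "$DEVEL_MK" 2>&1); then
            printf '%s\tOK\n' "$iface"
        else
            err=$(printf '%s\n' "$log" | first_error)
            printf '%s\t%s\n' "$iface" "${err:-build failed}"
        fi
    done
    rm -rf "$work"
}

# Run the sweep only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then check_all; fi
```

Run it with `--run` on a host that has the selinux-policy devel files installed; an "unknown type" or "syntax error" result names the token that the interface references but the policy does not declare.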
Comment 2 Milos Malik 2010-06-25 05:32:25 EDT
If you use "certmonger_admin(confined_admin_t,confined_admin_r)" instead of "boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you will see the following error messages:

# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'unknown type cermonger_var_lib_t' at token ';' on line 43538:
        allow confined_admin_t cermonger_var_lib_t:dir { open read getattr lock search ioctl add_name remove_name write };
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Comment 3 Milos Malik 2010-06-25 05:35:01 EDT
If you use "chronyd_admin(confined_admin_t,confined_admin_r)" instead of
"boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you
will see the following error messages:

# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'unknown type chronyd_tmp_t' at token ';' on line 44048:
        allow confined_admin_t chronyd_tmp_t:dir { open read getattr lock search ioctl add_name remove_name write };
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Comment 4 Milos Malik 2010-06-25 05:37:23 EDT
If you use "cobblerd_admin(confined_admin_t,confined_admin_r)" instead of
"boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you
will see the following error messages:

# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'unknown type httpd_cobbler_content_rw_t' at token ';' on line 43724:
        allow confined_admin_t httpd_cobbler_content_rw_t:dir { open read getattr lock search ioctl add_name remove_name write };
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Comment 5 Milos Malik 2010-06-25 05:39:31 EDT
If you use "ksmtuned_admin(confined_admin_t,confined_admin_r)" instead of
"boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you
will see the following error messages:

# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'syntax error' at token ':' on line 43298:
        allow ksmtumed_t :dir { getattr search open read lock ioctl };
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Comment 6 RHEL Product and Program Management 2010-06-25 05:43:01 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 7 Milos Malik 2010-06-25 05:48:21 EDT
If you use "memcached_admin(confined_admin_t,confined_admin_r)" instead of
"boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you
will see the following error messages:

# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'unknown type memcached_var_run_t' at token ';' on line 43466:
        allow confined_admin_t memcached_var_run_t:dir { open read getattr lock search ioctl add_name remove_name write };
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Comment 8 Milos Malik 2010-06-25 05:51:41 EDT
If you use "psad_admin(confined_admin_t,confined_admin_r)" instead of
"boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you
will see the following error messages:

# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'unknown type psad_etc_t' at token ';' on line 43504:
        allow confined_admin_t psad_etc_t:dir { open read getattr lock search ioctl add_name remove_name write };
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Comment 9 Milos Malik 2010-06-25 05:58:10 EDT
If you use "rpcbind_admin(confined_admin_t,confined_admin_r)" instead of
"boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you
will see the following error messages:

# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'unknown type rbcbind_initrc_exec_t' at token ';' on line 43346:
        allow confined_admin_t rbcbind_initrc_exec_t:file { getattr open read execute };
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Comment 11 Daniel Walsh 2010-06-25 14:08:14 EDT

*** This bug has been marked as a duplicate of bug 426941 ***
Comment 12 Daniel Walsh 2010-06-25 14:08:57 EDT

*** This bug has been marked as a duplicate of bug 607912 ***
Comment 13 Milos Malik 2010-06-28 08:10:14 EDT
If you use "shorewall_admin(confined_admin_t,confined_admin_r)" instead of
"boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you
will see the following error messages:

# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'unknown type shorewall_etc_t' at token ';' on line 43450:
        allow confined_admin_t shorewall_etc_t:dir { open read getattr lock search ioctl add_name remove_name write };
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
