RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 607943 - some .te files cannot be compiled because admin interfaces contain errors
Summary: some .te files cannot be compiled because admin interfaces contain errors
Keywords:
Status: CLOSED DUPLICATE of bug 607912
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-06-25 09:19 UTC by Milos Malik
Modified: 2012-10-16 12:30 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-25 18:08:14 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Milos Malik 2010-06-25 09:19:38 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-27.el6.noarch
selinux-policy-3.7.19-27.el6.noarch
libsemanage-python-2.0.43-4.el6.i686
libsemanage-2.0.43-4.el6.i686
libsepol-2.0.41-3.el6.i686

How reproducible:
always

Steps to Reproduce:
Using selinux-polgengui I generated following .te file (comments and blank
lines removed):

policy_module(confined_admin,1.0.0)
userdom_admin_user_template(confined_admin)
domain_use_interactive_fds(confined_admin_t)
files_read_etc_files(confined_admin_t)
miscfiles_read_localization(confined_admin_t)

# echo "boinc_admin(confined_admin_t,confined_admin_r)" >> confined_admin.te
# make -f /usr/share/selinux/devel/Makefile'
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'unknown type myboinc_initrc_exec_t' at token ';' on
 line 43486:
        role_transition confined_admin_r myboinc_initrc_exec_t system_r;
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'

  
Actual results:
.te -> .pp compilation failed

Expected results:
.te -> .pp compilation succeeded

Additional info:
I would like to test all admin interfaces found in /usr/share/selinux/devel/include/services/ in the same way.
Comment 2 Milos Malik 2010-06-25 09:32:25 UTC 
If you use "certmonger_admin(confined_admin_t,confined_admin_r)" instead of "boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you will see following error messages:

# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'unknown type cermonger_var_lib_t' at token ';' on line 43538:
        allow confined_admin_t cermonger_var_lib_t:dir { open read getattr lock search ioctl add_name remove_name write };
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Comment 3 Milos Malik 2010-06-25 09:35:01 UTC 
If you use "chronyd_admin(confined_admin_t,confined_admin_r)" instead of
"boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you
will see following error messages:

# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'unknown type chronyd_tmp_t' at token ';' on line 44
048:
        allow confined_admin_t chronyd_tmp_t:dir { open read getattr lock search ioctl add_name remove_name write };
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Comment 4 Milos Malik 2010-06-25 09:37:23 UTC 
If you use "cobblerd_admin(confined_admin_t,confined_admin_r)" instead of
"boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you
will see following error messages:

# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'unknown type httpd_cobbler_content_rw_t' at token ';' on line 43724:
        allow confined_admin_t httpd_cobbler_content_rw_t:dir { open read getattr lock search ioctl add_name remove_name write };
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Comment 5 Milos Malik 2010-06-25 09:39:31 UTC 
If you use "ksmtuned_admin(confined_admin_t,confined_admin_r)" instead of
"boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you
will see following error messages:

# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'syntax error' at token ':' on line 43298:
        allow ksmtumed_t :dir { getattr search open read lock ioctl };
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Comment 6 RHEL Program Management 2010-06-25 09:43:01 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 7 Milos Malik 2010-06-25 09:48:21 UTC 
If you use "memcached_admin(confined_admin_t,confined_admin_r)" instead of
"boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you
will see following error messages:

# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory
`/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'unknown type memcached_var_run_t' at token ';' on
line 43466:
        allow confined_admin_t memcached_var_run_t:dir { open read getattr lock
search ioctl add_name remove_name write };
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory
`/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Comment 8 Milos Malik 2010-06-25 09:51:41 UTC 
If you use "psad_admin(confined_admin_t,confined_admin_r)" instead of
"boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you
will see following error messages:

# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'unknown type psad_etc_t' at token ';' on line 43504:
        allow confined_admin_t psad_etc_t:dir { open read getattr lock search ioctl add_name remove_name write };
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Comment 9 Milos Malik 2010-06-25 09:58:10 UTC 
If you use "rpcbind_admin(confined_admin_t,confined_admin_r)" instead of
"boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you
will see following error messages:

# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'unknown type rbcbind_initrc_exec_t' at token ';' on line 43346:
        allow confined_admin_t rbcbind_initrc_exec_t:file { getattr open read execute };
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Comment 11 Daniel Walsh 2010-06-25 18:08:14 UTC 

*** This bug has been marked as a duplicate of bug 426941 ***
Comment 12 Daniel Walsh 2010-06-25 18:08:57 UTC 

*** This bug has been marked as a duplicate of bug 607912 ***
Comment 13 Milos Malik 2010-06-28 12:10:14 UTC 
If you use "shorewall_admin(confined_admin_t,confined_admin_r)" instead of
"boinc_admin(confined_admin_t,confined_admin_r)" as described in comment #0 you
will see following error messages:

# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Compiling targeted confined_admin module
confined_admin.te":26:ERROR 'unknown type shorewall_etc_t' at token ';' on line 43450:
        allow confined_admin_t shorewall_etc_t:dir { open read getattr lock search ioctl add_name remove_name write };
#line 26
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from tmp/confined_admin.tmp
make[1]: *** [tmp/confined_admin.mod] Error 1
make[1]: Leaving directory `/mnt/testarea/tests/selinux-policy/Sanity/confined-admins-and-their-services'
Note You need to log in before you can comment on or make changes to this bug.