Description of problem: in case one wants to allow only firefox to access the internet with xguest there is no way to do so. The current solution is:

# setsebool -P xguest_connect_network 0

Create a file that looks like

# cat myxguest.te
policy_module(myxguest,1.0)
gen_require(`
    type xguest_t;
    role xguest_r;
')
mozilla_role(xguest_r, xguest_t)

# make -f /usr/share/selinux/devel/Makefile myxguest.pp
# semodule -i myxguest.pp

but it fails like:

libsepol.expand_terule_helper: conflicting TE rule for (mozilla_t, tmp_t:dir): old was mozilla_tmp_t, new is user_tmp_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand___sandbox: Expand module failed
semodule: Failed!

Any idea what might be wrong? A quick and dirty solution will do for me as long as it works... Thanks! Rumen
Fedora 19 rc2 is also affected.

[root@localhost rumen]# cat myxguest.te
policy_module(myxguest,1.0)
gen_require(`
    type xguest_t;
    role xguest_r;
')
mozilla_role(xguest_r, xguest_t)
[root@localhost rumen]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted myxguest module
/usr/bin/checkmodule: loading policy configuration from tmp/myxguest.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/myxguest.mod
Creating targeted myxguest.pp policy package
rm tmp/myxguest.mod tmp/myxguest.mod.fc
[root@localhost rumen]# semodule -i myxguest.pp
libsepol.expand_terule_helper: conflicting TE rule for (mozilla_t, tmp_t:dir): old was mozilla_tmp_t, new is user_tmp_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[root@localhost rumen]# cat /etc/redhat-release
Fedora release 19 (Schrödinger’s Cat)
One clue: commenting out these lines in mozilla.te:

109: #files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
379: #fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
     #userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })

makes it possible for the module myxguest.pp to load.
Rumen, yes, we need to comment out files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-90.fc18
Package selinux-policy-3.11.1-90.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5742/selinux-policy-3.11.1-90.fc18
then log in and leave karma (feedback).
No, it is not fixed. Now it is different.

[rumen@localhost ~]$ make -f /usr/share/selinux/devel/Makefile
Compiling targeted myxgyest module
/usr/bin/checkmodule: loading policy configuration from tmp/myxgyest.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 15) to tmp/myxgyest.mod
Creating targeted myxgyest.pp policy package
rm tmp/myxgyest.mod.fc tmp/myxgyest.mod
[rumen@localhost ~]$ sudo semodule -i myxgyest.pp
[sudo] password for rumen:
libsepol.expand_terule_helper: conflicting TE rule for (mozilla_plugin_t, tmpfs_t:fifo_file): old was mozilla_plugin_tmpfs_t, new is user_tmpfs_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[rumen@localhost ~]$

The 3 lines I have mentioned above must be commented out or fixed in order to be able to load a module containing the interface mozilla_role().
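As an added example (not part of the bug report or the Fedora policy package): a shell script that runs the procedure from the first comment (setsebool, write myxguest.te, build with the devel Makefile, semodule -i) and, when semodule rejects the module, parses the libsepol "conflicting TE rule" line into (source, target, class, old type, new type) so the clashing *_filetrans() call in mozilla.te can be located. The module name, Makefile path and error text are those from the thread; the "install" argument guard and the parse_te_conflict helper are my own.

```shell
#!/bin/sh
# Added example, not the reporter's script. Builds the xguest/mozilla_role
# module from the bug report and explains a libsepol TE-rule conflict.
MODULE=myxguest

write_module_source() {
    # The .te file exactly as posted in the bug report.
    cat > "$MODULE.te" <<'EOF'
policy_module(myxguest,1.0)
gen_require(`
    type xguest_t;
    role xguest_r;
')
mozilla_role(xguest_r, xguest_t)
EOF
}

# Turn one "conflicting TE rule for (src, tgt:cls): old was X, new is Y"
# line into the tuple "src tgt cls X Y"; other lines produce no output.
parse_te_conflict() {
    sed -n 's/.*conflicting TE rule for (\([^,]*\), \([^:]*\):\([^)]*\)): old was \([^,]*\), new is \(.*\)$/\1 \2 \3 \4 \5/p'
}

install_module() {
    write_module_source
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" || return 1
    err=$(semodule -i "$MODULE.pp" 2>&1) && return 0
    conflict=$(printf '%s\n' "$err" | parse_te_conflict)
    if [ -n "$conflict" ]; then
        set -- $conflict
        echo "module rejected: base policy already transitions $1 -> $2:$3 to $4; mozilla_role() would make it $5" >&2
        echo "look for a *_filetrans($1, $4, ...) call in mozilla.te" >&2
    else
        printf '%s\n' "$err" >&2
    fi
    return 1
}

# Only touch the running system when explicitly asked (hypothetical guard).
if [ "${1:-}" = "install" ]; then
    setsebool -P xguest_connect_network 0
    install_module
fi
```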
I am looking at this again.
selinux-policy-3.11.1-90.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.