Bug 951260 - interface mozilla_role(xguest_r, xguest_t) fails when loading module containing it.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-04-11 20:58 UTC by Rumen B.
Modified: 2013-04-18 02:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-18 02:52:18 UTC
Type: Bug
Embargoed:



Description Rumen B. 2013-04-11 20:58:34 UTC
Description of problem:
In case one wants to allow only firefox to access the internet with xguest, there is no way to do so. The current solution is:

# setsebool -P xguest_connect_network 0

Create a file that looks like

# cat myxguest.te
policy_module(myxguest,1.0)
gen_require(`
type xguest_t;
role xguest_r;
')
mozilla_role(xguest_r, xguest_t)

# make -f /usr/share/selinux/devel/Makefile myxguest.pp
# semodule -i myxguest.pp

but it fails like:

libsepol.expand_terule_helper: conflicting TE rule for (mozilla_t, tmp_t:dir):  old was mozilla_tmp_t, new is user_tmp_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!


Any idea what might be wrong? A quick and dirty solution will do for me as long as it works...

Thanks!
Rumen

Comment 1 Rumen B. 2013-04-12 12:09:21 UTC
Fedora 19 rc2 is also affected.

[root@localhost rumen]# cat myxguest.te 
policy_module(myxguest,1.0)
gen_require(`
    type xguest_t;
    role xguest_r;
')
mozilla_role(xguest_r, xguest_t)

[root@localhost rumen]# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted myxguest module
/usr/bin/checkmodule:  loading policy configuration from tmp/myxguest.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/myxguest.mod
Creating targeted myxguest.pp policy package
rm tmp/myxguest.mod tmp/myxguest.mod.fc

[root@localhost rumen]# semodule -i myxguest.pp
libsepol.expand_terule_helper: conflicting TE rule for (mozilla_t, tmp_t:dir):  old was mozilla_tmp_t, new is user_tmp_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

[root@localhost rumen]# cat /etc/redhat-release 
Fedora release 19 (Schrödinger’s Cat)

Comment 2 Rumen B. 2013-04-12 21:45:36 UTC
One clue:
commenting out these lines in mozilla.te:

109:
#files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })

379:
#fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
#userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })


makes it possible for the module myxguest.pp to load.
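The two expand failures quoted in this report have the same shape, and the fix both times was to find the *_filetrans() call behind the "old" type. As an added example (not part of the bug report or of selinux-policy), this script parses libsepol's "conflicting TE rule" message and locates the matching *_filetrans() calls in a constructed mozilla.te-style excerpt; the sample output combines both errors from this bug, and the policy lines are a constructed sample, not the real file.

```python
import re

# Constructed sample: the two semodule failures from this bug, joined into one run.
SEMODULE_OUTPUT = """\
libsepol.expand_terule_helper: conflicting TE rule for (mozilla_t, tmp_t:dir):  old was mozilla_tmp_t, new is user_tmp_t
libsepol.expand_terule_helper: conflicting TE rule for (mozilla_plugin_t, tmpfs_t:fifo_file):  old was mozilla_plugin_tmpfs_t, new is user_tmpfs_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!
"""

# Constructed excerpt in the style of mozilla.te (not the real file contents).
POLICY_SOURCE = """\
files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
"""

# (source, target:class): old was <default in the base policy>, new is <default from the loaded module>
CONFLICT_RE = re.compile(
    r"conflicting TE rule for \((?P<source>\w+), (?P<target>\w+):(?P<cls>\w+)\):"
    r"\s+old was (?P<old>\w+), new is (?P<new>\w+)")


def parse_conflicts(output):
    """Return one dict per 'conflicting TE rule' line in semodule output."""
    conflicts = []
    for line in output.splitlines():
        m = CONFLICT_RE.search(line)
        if m:
            conflicts.append(m.groupdict())
    return conflicts


def find_candidate_rules(policy_src, conflict):
    """Find *_filetrans(...) calls whose source domain and default type match the
    'old' side of the conflict and whose object class list contains the class."""
    pat = re.compile(r"^\s*(\w*_filetrans\w*)\(\s*%s\s*,\s*%s\s*,\s*(.*?)\)\s*$"
                     % (re.escape(conflict["source"]), re.escape(conflict["old"])))
    hits = []
    for lineno, line in enumerate(policy_src.splitlines(), 1):
        m = pat.match(line)
        if m and conflict["cls"] in re.findall(r"\w+", m.group(2)):
            hits.append((lineno, line.strip()))
    return hits


if __name__ == "__main__":
    for c in parse_conflicts(SEMODULE_OUTPUT):
        print("conflict on (%s, %s:%s): %s vs %s" % (c["source"], c["target"], c["cls"], c["old"], c["new"]))
        for lineno, rule in find_candidate_rules(POLICY_SOURCE, c):
            print("  line %d: %s" % (lineno, rule))
```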

Comment 3 Miroslav Grepl 2013-04-15 06:10:34 UTC
Rumen,
yes, we need to comment out

files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })

Comment 4 Fedora Update System 2013-04-15 11:12:19 UTC
selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-90.fc18

Comment 5 Fedora Update System 2013-04-16 00:07:45 UTC
Package selinux-policy-3.11.1-90.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5742/selinux-policy-3.11.1-90.fc18
then log in and leave karma (feedback).

Comment 6 Rumen B. 2013-04-16 22:04:39 UTC
No it is not fixed.
Now it is different.

[rumen@localhost ~]$ make -f /usr/share/selinux/devel/Makefile 
Compiling targeted myxgyest module
/usr/bin/checkmodule:  loading policy configuration from tmp/myxgyest.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 15) to tmp/myxgyest.mod
Creating targeted myxgyest.pp policy package
rm tmp/myxgyest.mod.fc tmp/myxgyest.mod
[rumen@localhost ~]$ sudo semodule -i myxgyest.pp
[sudo] password for rumen: 
libsepol.expand_terule_helper: conflicting TE rule for (mozilla_plugin_t, tmpfs_t:fifo_file):  old was mozilla_plugin_tmpfs_t, new is user_tmpfs_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!
[rumen@localhost ~]$ 


The 3 lines I have mentioned above must be commented out or fixed in order to be able to load a module containing the interface mozilla_role().

Comment 7 Miroslav Grepl 2013-04-17 12:19:17 UTC
I am looking at this again.

Comment 8 Fedora Update System 2013-04-18 02:52:19 UTC
selinux-policy-3.11.1-90.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

