From: James M. <jm...@na...> - 2009-01-29 11:28:34

I'm trying to run the LTP SELinux tests using the latest CVS version of
LTP and current Fedora development, and get the following policy
compilation error:

----
Compiling targeted test_policy module

test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
[lots of warnings similar to the above]

/usr/bin/checkmodule: loading policy configuration from tmp/test_policy.tmp
test_policy.te":16:ERROR 'syntax error' at token 'userdom_use_sysadm_terms' on line 3198:
userdom_use_sysadm_terms(testdomain)
# This allows read and write sysadm ttys and ptys.
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make[1]: *** [tmp/test_policy.mod] Error 1
make[1]: Leaving directory `/usr/share/selinux/devel'
make: *** [load] Error 2
Failed to build and load test_policy module, aborting test run.
----

Is this likely to be fixed soon, and/or any suggestions for a workaround?

- James
--
James Morris <jm...@na...>

From: Stephen S. <sd...@ty...> - 2009-01-29 18:46:17

On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > LTP and current Fedora development, and get the following policy
> > > compilation error:
> > >
> > > ----
> > > Compiling targeted test_policy module
> > >
> > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > [lots of warnings similar to the above]
> > >
> > > /usr/bin/checkmodule: loading policy configuration from
> > > tmp/test_policy.tmp
> > > test_policy.te":16:ERROR 'syntax error' at token
> > > 'userdom_use_sysadm_terms' on line 3198:
> > > userdom_use_sysadm_terms(testdomain)
> > > # This allows read and write sysadm ttys and ptys.
> > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > make: *** [load] Error 2
> > > Failed to build and load test_policy module, aborting test run.
> > > ----
> > >
> > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> >
> > It won't compile with the current trunk refpolicy, since the current
> > release was a major, API breaking change. I'll try to get a patch out
> > shortly.
>
> I updated the policy since it's fairly old, though I didn't convert its
> raw rules over to use interfaces. However this didn't completely fix
> it, as there is usage of a "unconfined_runs_test()", which isn't in the
> upstream refpolicy nor the fedora policy, as far as I can see. One of
> the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> the upstream refpolicy, but doesn't seem to have made its way downstream
> to the fedora policy. I have attached my work so someone familiar with
> the LTP test cases can use it to complete the fix.

Serge put together a patch and script under selinux-testsuite/misc that
defines unconfined_runs_test() as well as converting some of the
interfaces. That was done so that the ltp testsuite could still be run
on older distributions (w/ the older policy) and on newer distributions
(w/ the patch applied to perform conversion). It was originally done
based on the deprecation of the sbin interfaces, which is why it is
named that way even though it now includes more than just conversion of
those interfaces.

--
Stephen Smalley
National Security Agency

From: Christopher J. P. <cpe...@tr...> - 2009-01-29 13:55:50

On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> I'm trying to run the LTP SELinux tests using the latest CVS version of
> LTP and current Fedora development, and get the following policy
> compilation error:
>
> ----
> Compiling targeted test_policy module
>
> test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> [lots of warnings similar to the above]
>
> /usr/bin/checkmodule: loading policy configuration from
> tmp/test_policy.tmp
> test_policy.te":16:ERROR 'syntax error' at token
> 'userdom_use_sysadm_terms' on line 3198:
> userdom_use_sysadm_terms(testdomain)
> # This allows read and write sysadm ttys and ptys.
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make[1]: *** [tmp/test_policy.mod] Error 1
> make[1]: Leaving directory `/usr/share/selinux/devel'
> make: *** [load] Error 2
> Failed to build and load test_policy module, aborting test run.
> ----
>
> Is this likely to be fixed soon, and/or any suggestions for a workaround?

It won't compile with the current trunk refpolicy, since the current
release was a major, API breaking change. I'll try to get a patch out
shortly.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From: Christopher J. P. <cpe...@tr...> - 2009-01-29 16:52:48
Attachments:
ltp-full-20081231-selinux.diff

On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > LTP and current Fedora development, and get the following policy
> > compilation error:
> >
> > ----
> > Compiling targeted test_policy module
> >
> > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > [lots of warnings similar to the above]
> >
> > /usr/bin/checkmodule: loading policy configuration from
> > tmp/test_policy.tmp
> > test_policy.te":16:ERROR 'syntax error' at token
> > 'userdom_use_sysadm_terms' on line 3198:
> > userdom_use_sysadm_terms(testdomain)
> > # This allows read and write sysadm ttys and ptys.
> > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > make[1]: *** [tmp/test_policy.mod] Error 1
> > make[1]: Leaving directory `/usr/share/selinux/devel'
> > make: *** [load] Error 2
> > Failed to build and load test_policy module, aborting test run.
> > ----
> >
> > Is this likely to be fixed soon, and/or any suggestions for a workaround?
>
> It won't compile with the current trunk refpolicy, since the current
> release was a major, API breaking change. I'll try to get a patch out
> shortly.

I updated the policy since it's fairly old, though I didn't convert its
raw rules over to use interfaces. However this didn't completely fix
it, as there is usage of a "unconfined_runs_test()", which isn't in the
upstream refpolicy nor the fedora policy, as far as I can see. One of
the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
the upstream refpolicy, but doesn't seem to have made its way downstream
to the fedora policy. I have attached my work so someone familiar with
the LTP test cases can use it to complete the fix.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From: Serge E. H. <se...@us...> - 2009-01-30 17:14:57

Quoting Stephen Smalley (sd...@ty...):
> On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > LTP and current Fedora development, and get the following policy
> > > > compilation error:
> > > >
> > > > ----
> > > > Compiling targeted test_policy module
> > > >
> > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > [lots of warnings similar to the above]
> > > >
> > > > /usr/bin/checkmodule: loading policy configuration from
> > > > tmp/test_policy.tmp
> > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > userdom_use_sysadm_terms(testdomain)
> > > > # This allows read and write sysadm ttys and ptys.
> > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > make: *** [load] Error 2
> > > > Failed to build and load test_policy module, aborting test run.
> > > > ----
> > > >
> > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > >
> > > It won't compile with the current trunk refpolicy, since the current
> > > release was a major, API breaking change. I'll try to get a patch out
> > > shortly.
> >
> > I updated the policy since it's fairly old, though I didn't convert its
> > raw rules over to use interfaces. However this didn't completely fix
> > it, as there is usage of a "unconfined_runs_test()", which isn't in the
> > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > the upstream refpolicy, but doesn't seem to have made its way downstream
> > to the fedora policy. I have attached my work so someone familiar with
> > the LTP test cases can use it to complete the fix.
>
> Serge put together a patch and script under selinux-testsuite/misc that
> defines unconfined_runs_test() as well as converting some of the
> interfaces. That was done so that the ltp testsuite could still be run
> on older distributions (w/ the older policy) and on newer distributions
> (w/ the patch applied to perform conversion). It was originally done
> based on the deprecation of the sbin interfaces, which is why it is
> named that way even though it now includes more than just conversion of
> those interfaces.

(Sorry, this thread is rolling into my inbox delayed and out-of-order)

So the unconfined_runs_test() shouldn't actually be a problem (right,
Chris? pls let me know if you actually get compile failures as then
something went wrong with the build scripts).

But what could have happened with sysadm_entry_spec_domtrans_to()? It
must have been in fedora's policy before, since it definitely worked on
fedora 7 and 8. Has it been removed? (I'll fire up a f10 partition and
look through the policy sources...)

As for the list_dir_perms and read_file_perms, have those always been
macros in the refpolicy? If so, then a straight search-and-replace is fine.
If not, then we'll have to do another hook at the policy build to make
the substitutions only when the policy is new enough. :(

thanks,
-serge

From: Serge E. H. <se...@us...> - 2009-01-30 17:37:16

Quoting Serge E. Hallyn (se...@us...):
> Quoting Stephen Smalley (sd...@ty...):
> > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > LTP and current Fedora development, and get the following policy
> > > > > compilation error:
> > > > >
> > > > > ----
> > > > > Compiling targeted test_policy module
> > > > >
> > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > [lots of warnings similar to the above]
> > > > >
> > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > tmp/test_policy.tmp
> > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > userdom_use_sysadm_terms(testdomain)
> > > > > # This allows read and write sysadm ttys and ptys.
> > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > make: *** [load] Error 2
> > > > > Failed to build and load test_policy module, aborting test run.
> > > > > ----
> > > > >
> > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > >
> > > > It won't compile with the current trunk refpolicy, since the current
> > > > release was a major, API breaking change. I'll try to get a patch out
> > > > shortly.
> > >
> > > I updated the policy since it's fairly old, though I didn't convert its
> > > raw rules over to use interfaces. However this didn't completely fix
> > > it, as there is usage of a "unconfined_runs_test()", which isn't in the
> > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > to the fedora policy. I have attached my work so someone familiar with

sysadm_entry_spec_domtrans is in fedora 10's policy sources, at least,
in modules/roles/sysadm.if. (I don't have a fedora devel system
installed).

thanks,
-serge

From: Christopher J. P. <peb...@ie...> - 2009-01-30 20:10:34

On Fri, 2009-01-30 at 11:14 -0600, Serge E. Hallyn wrote:
> Quoting Stephen Smalley (sd...@ty...):
> > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > LTP and current Fedora development, and get the following policy
> > > > > compilation error:
> > > > >
> > > > > ----
> > > > > Compiling targeted test_policy module
> > > > >
> > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > [lots of warnings similar to the above]
> > > > >
> > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > tmp/test_policy.tmp
> > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > userdom_use_sysadm_terms(testdomain)
> > > > > # This allows read and write sysadm ttys and ptys.
> > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > make: *** [load] Error 2
> > > > > Failed to build and load test_policy module, aborting test run.
> > > > > ----
> > > > >
> > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > >
> > > > It won't compile with the current trunk refpolicy, since the current
> > > > release was a major, API breaking change. I'll try to get a patch out
> > > > shortly.
> > >
> > > I updated the policy since it's fairly old, though I didn't convert its
> > > raw rules over to use interfaces. However this didn't completely fix
> > > it, as there is usage of a "unconfined_runs_test()", which isn't in the
> > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > to the fedora policy. I have attached my work so someone familiar with
> > > the LTP test cases can use it to complete the fix.
> >
> > Serge put together a patch and script under selinux-testsuite/misc that
> > defines unconfined_runs_test() as well as converting some of the
> > interfaces. That was done so that the ltp testsuite could still be run
> > on older distributions (w/ the older policy) and on newer distributions
> > (w/ the patch applied to perform conversion). It was originally done
> > based on the deprecation of the sbin interfaces, which is why it is
> > named that way even though it now includes more than just conversion of
> > those interfaces.
>
> (Sorry, this thread is rolling into my inbox delayed and out-of-order)
>
> So the unconfined_runs_test() shouldn't actually be a problem (right,
> Chris? pls let me know if you actually get compile failures as then
> something went wrong with the build scripts).

I just went to the directory and ran make. Sounds like I might have
done something wrong.

> But what could have happened with sysadm_entry_spec_domtrans_to()? It
> must have been in fedora's policy before, since it definitely worked on
> fedora 7 and 8. Has it been removed? (I'll fire up a f10 partition and
> look through the policy sources...)

Well it used to be userdom_sysadm_entry_spec_domtrans_to().

> As for the list_dir_perms and read_file_perms, have those always been
> macros in the refpolicy? If so, then a straight search-and-replace is fine.
> If not, then we'll have to do another hook at the policy build to make
> the substitutions only when the policy is new enough. :(

Those have been around for a while. While the old r_dir_perms and
r_file_perms macros aren't going anywhere for the foreseeable future,
their use is problematic as those may not get updated for new perms,
such as open.

--
Chris PeBenito
<peb...@ie...>
AIM: PeBenito78 ICQ#: 10434387
"Engineering does not require science. Science helps a lot, but people built perfectly good brick walls long before they knew why cement works."-Alan Cox

From: Christopher J. P. <peb...@ie...> - 2009-01-30 20:11:46

On Fri, 2009-01-30 at 11:37 -0600, Serge E. Hallyn wrote:
> Quoting Serge E. Hallyn (se...@us...):
> > Quoting Stephen Smalley (sd...@ty...):
> > > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > > LTP and current Fedora development, and get the following policy
> > > > > > compilation error:
> > > > > >
> > > > > > ----
> > > > > > Compiling targeted test_policy module
> > > > > >
> > > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > > [lots of warnings similar to the above]
> > > > > >
> > > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > > tmp/test_policy.tmp
> > > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > > userdom_use_sysadm_terms(testdomain)
> > > > > > # This allows read and write sysadm ttys and ptys.
> > > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > > make: *** [load] Error 2
> > > > > > Failed to build and load test_policy module, aborting test run.
> > > > > > ----
> > > > > >
> > > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > > >
> > > > > It won't compile with the current trunk refpolicy, since the current
> > > > > release was a major, API breaking change. I'll try to get a patch out
> > > > > shortly.
> > > >
> > > > I updated the policy since it's fairly old, though I didn't convert its
> > > > raw rules over to use interfaces. However this didn't completely fix
> > > > it, as there is usage of a "unconfined_runs_test()", which isn't in the
> > > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > > to the fedora policy. I have attached my work so someone familiar with
>
> sysadm_entry_spec_domtrans is in fedora 10's policy sources, at least,
> in modules/roles/sysadm.if. (I don't have a fedora devel system
> installed).

That has the opposite transition direction (the specified domain
transitions to sysadm).

--
Chris PeBenito
<peb...@ie...>
AIM: PeBenito78 ICQ#: 10434387
"Engineering does not require science. Science helps a lot, but people built perfectly good brick walls long before they knew why cement works."-Alan Cox

From: Serge E. H. <se...@us...> - 2009-02-01 22:51:58

Quoting Christopher J. PeBenito (peb...@ie...):
> On Fri, 2009-01-30 at 11:14 -0600, Serge E. Hallyn wrote:
> > Quoting Stephen Smalley (sd...@ty...):
> > > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > > LTP and current Fedora development, and get the following policy
> > > > > > compilation error:
> > > > > >
> > > > > > ----
> > > > > > Compiling targeted test_policy module
> > > > > >
> > > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > > [lots of warnings similar to the above]
> > > > > >
> > > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > > tmp/test_policy.tmp
> > > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > > userdom_use_sysadm_terms(testdomain)
> > > > > > # This allows read and write sysadm ttys and ptys.
> > > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > > make: *** [load] Error 2
> > > > > > Failed to build and load test_policy module, aborting test run.
> > > > > > ----
> > > > > >
> > > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > > >
> > > > > It won't compile with the current trunk refpolicy, since the current
> > > > > release was a major, API breaking change. I'll try to get a patch out
> > > > > shortly.
> > > >
> > > > I updated the policy since it's fairly old, though I didn't convert its
> > > > raw rules over to use interfaces. However this didn't completely fix
> > > > it, as there is usage of a "unconfined_runs_test()", which isn't in the
> > > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > > to the fedora policy. I have attached my work so someone familiar with
> > > > the LTP test cases can use it to complete the fix.
> > >
> > > Serge put together a patch and script under selinux-testsuite/misc that
> > > defines unconfined_runs_test() as well as converting some of the
> > > interfaces. That was done so that the ltp testsuite could still be run
> > > on older distributions (w/ the older policy) and on newer distributions
> > > (w/ the patch applied to perform conversion). It was originally done
> > > based on the deprecation of the sbin interfaces, which is why it is
> > > named that way even though it now includes more than just conversion of
> > > those interfaces.
> >
> > (Sorry, this thread is rolling into my inbox delayed and out-of-order)
> >
> > So the unconfined_runs_test() shouldn't actually be a problem (right,
> > Chris? pls let me know if you actually get compile failures as then
> > something went wrong with the build scripts).
>
> I just went to the directory and ran make. Sounds like I might have
> done something wrong.
>
> > But what could have happened with sysadm_entry_spec_domtrans_to()? It
> > must have been in fedora's policy before, since it definitely worked on
> > fedora 7 and 8. Has it been removed? (I'll fire up a f10 partition and
> > look through the policy sources...)
>
> Well it used to be userdom_sysadm_entry_spec_domtrans_to().
>
> > As for the list_dir_perms and read_file_perms, have those always been
> > macros in the refpolicy? If so, then a straight search-and-replace is fine.
> > If not, then we'll have to do another hook at the policy build to make
> > the substitutions only when the policy is new enough. :(
>
> Those have been around for a while. While the old r_dir_perms and
> r_file_perms macros aren't going anywhere for the foreseeable future,
> their use is problematic as those may not get updated for new perms,
> such as open.

So I guess we should switch all the instances over, and have
misc/update_refpolicy.sh switch them back if list_dir_perms
doesn't exist.

What would be a good way to determine whether we're in a kernel
version too old to use those? Can we just check whether
sestatus | grep version | awk -F: '{ print $2 '} is less than,
say, 22?

thanks,
-serge

From: Chris P. <peb...@ge...> - 2009-02-03 13:52:13

On Sun, 2009-02-01 at 16:51 -0600, Serge E. Hallyn wrote:
> Quoting Christopher J. PeBenito (peb...@ie...):
> > On Fri, 2009-01-30 at 11:14 -0600, Serge E. Hallyn wrote:
> > > Quoting Stephen Smalley (sd...@ty...):
> > > > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > > > LTP and current Fedora development, and get the following policy
> > > > > > > compilation error:
> > > > > > >
> > > > > > > ----
> > > > > > > Compiling targeted test_policy module
> > > > > > >
> > > > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > > > [lots of warnings similar to the above]
> > > > > > >
> > > > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > > > tmp/test_policy.tmp
> > > > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > > > userdom_use_sysadm_terms(testdomain)
> > > > > > > # This allows read and write sysadm ttys and ptys.
> > > > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > > > make: *** [load] Error 2
> > > > > > > Failed to build and load test_policy module, aborting test run.
> > > > > > > ----
> > > > > > >
> > > > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > > > >
> > > > > > It won't compile with the current trunk refpolicy, since the current
> > > > > > release was a major, API breaking change. I'll try to get a patch out
> > > > > > shortly.
> > > > >
> > > > > I updated the policy since it's fairly old, though I didn't convert its
> > > > > raw rules over to use interfaces. However this didn't completely fix
> > > > > it, as there is usage of a "unconfined_runs_test()", which isn't in the
> > > > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > > > to the fedora policy. I have attached my work so someone familiar with
> > > > > the LTP test cases can use it to complete the fix.
> > > >
> > > > Serge put together a patch and script under selinux-testsuite/misc that
> > > > defines unconfined_runs_test() as well as converting some of the
> > > > interfaces. That was done so that the ltp testsuite could still be run
> > > > on older distributions (w/ the older policy) and on newer distributions
> > > > (w/ the patch applied to perform conversion). It was originally done
> > > > based on the deprecation of the sbin interfaces, which is why it is
> > > > named that way even though it now includes more than just conversion of
> > > > those interfaces.
> > >
> > > (Sorry, this thread is rolling into my inbox delayed and out-of-order)
> > >
> > > So the unconfined_runs_test() shouldn't actually be a problem (right,
> > > Chris? pls let me know if you actually get compile failures as then
> > > something went wrong with the build scripts).
> >
> > I just went to the directory and ran make. Sounds like I might have
> > done something wrong.
> >
> > > But what could have happened with sysadm_entry_spec_domtrans_to()? It
> > > must have been in fedora's policy before, since it definitely worked on
> > > fedora 7 and 8. Has it been removed? (I'll fire up a f10 partition and
> > > look through the policy sources...)
> >
> > Well it used to be userdom_sysadm_entry_spec_domtrans_to().
> >
> > > As for the list_dir_perms and read_file_perms, have those always been
> > > macros in the refpolicy? If so, then a straight search-and-replace is fine.
> > > If not, then we'll have to do another hook at the policy build to make
> > > the substitutions only when the policy is new enough. :(
> >
> > Those have been around for a while. While the old r_dir_perms and
> > r_file_perms macros aren't going anywhere for the foreseeable future,
> > their use is problematic as those may not get updated for new perms,
> > such as open.
>
> So I guess we should switch all the instances over, and have
> misc/update_refpolicy.sh switch them back if list_dir_perms
> doesn't exist.
>
> What would be a good way to determine whether we're in a kernel
> version too old to use those? Can we just check whether
> sestatus | grep version | awk -F: '{ print $2 '} is less than,
> say, 22?

Well the new permission sets have been around since the end of 2006.
But a kernel with v22 policy would probably be a good way to determine
if it should be switched. Those kernels wouldn't have new permissions
like open, so it would be safe to use the old permission sets.

--
Chris PeBenito
<peb...@ge...>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243

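The version gate discussed in the two messages above, written out as an added example; it is not from the thread and is not LTP's misc/update_refpolicy.sh. The function names, the sample sestatus text, the type test_file_t and the default threshold of 22 are assumptions; replacement works on whole identifiers so that names such as getattr_file_perms, which contain r_file_perms as a substring, are left alone.

```shell
#!/bin/sh
# Added example; not code from the thread or from LTP.

# Constructed sestatus-style output (not captured from a real system).
SAMPLE_SESTATUS_OLD='SELinux status:                 enabled
Current mode:                   enforcing
Policy version:                 21'
SAMPLE_SESTATUS_NEW='SELinux status:                 enabled
Current mode:                   enforcing
Policy version:                 23'
SAMPLE_SESTATUS_OFF='SELinux status:                 disabled'

# Constructed policy fragment; test_file_t is a hypothetical type.
SAMPLE_TE='allow testdomain test_file_t:dir r_dir_perms;
allow testdomain test_file_t:file { r_file_perms getattr_file_perms };'

# Read sestatus-style text on stdin; print the policy version number,
# or nothing when no "version" line carries a number.
policy_version() {
    awk -F: '/version/ {
        gsub(/[^0-9]/, "", $2)
        if ($2 != "") { print $2; exit }
    }'
}

# $1 = policy version, $2 = threshold (assumed default: 22).
# Prints "old" below the threshold, "new" otherwise.
# Returns 1 when the version is empty or not a plain number.
choose_perm_sets() {
    ver=$1
    threshold=${2:-22}
    case $ver in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$ver" -lt "$threshold" ]; then
        echo old
    else
        echo new
    fi
}

# Filter stdin to stdout. $1 = "new": r_dir_perms -> list_dir_perms and
# r_file_perms -> read_file_perms; $1 = "old": the reverse.
# Only whole identifiers are replaced, never substrings.
convert_perm_sets() {
    awk -v mode="$1" '
    BEGIN {
        if (mode == "new") {
            map["r_dir_perms"] = "list_dir_perms"
            map["r_file_perms"] = "read_file_perms"
        } else {
            map["list_dir_perms"] = "r_dir_perms"
            map["read_file_perms"] = "r_file_perms"
        }
    }
    {
        out = ""; rest = $0
        while (match(rest, /[A-Za-z0-9_]+/)) {
            tok = substr(rest, RSTART, RLENGTH)
            out = out substr(rest, 1, RSTART - 1) ((tok in map) ? map[tok] : tok)
            rest = substr(rest, RSTART + RLENGTH)
        }
        print out rest
    }'
}

# stdin: policy source; $1: sestatus text; $2: optional threshold.
# If the version cannot be determined the policy is passed through
# unchanged and the function returns 1.
update_policy_for_host() {
    ver=$(printf '%s\n' "$1" | policy_version)
    mode=$(choose_perm_sets "$ver" "${2:-22}") || {
        echo "cannot determine policy version; policy left unchanged" >&2
        cat
        return 1
    }
    convert_perm_sets "$mode"
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_TE" | update_policy_for_host "$SAMPLE_SESTATUS_NEW"
```

On a real system the first argument would be "$(sestatus)"; the threshold stays a parameter because the thread does not settle the exact cut-off.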
From: Serge E. H. <se...@us...> - 2009-02-01 22:54:40

Quoting Christopher J. PeBenito (peb...@ie...):
> On Fri, 2009-01-30 at 11:37 -0600, Serge E. Hallyn wrote:
> > Quoting Serge E. Hallyn (se...@us...):
> > > Quoting Stephen Smalley (sd...@ty...):
> > > > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > > > LTP and current Fedora development, and get the following policy
> > > > > > > compilation error:
> > > > > > >
> > > > > > > ----
> > > > > > > Compiling targeted test_policy module
> > > > > > >
> > > > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > > > [lots of warnings similar to the above]
> > > > > > >
> > > > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > > > tmp/test_policy.tmp
> > > > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > > > userdom_use_sysadm_terms(testdomain)
> > > > > > > # This allows read and write sysadm ttys and ptys.
> > > > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > > > make: *** [load] Error 2
> > > > > > > Failed to build and load test_policy module, aborting test run.
> > > > > > > ----
> > > > > > >
> > > > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > > > >
> > > > > > It won't compile with the current trunk refpolicy, since the current
> > > > > > release was a major, API breaking change. I'll try to get a patch out
> > > > > > shortly.
> > > > >
> > > > > I updated the policy since it's fairly old, though I didn't convert its
> > > > > raw rules over to use interfaces. However this didn't completely fix
> > > > > it, as there is usage of a "unconfined_runs_test()", which isn't in the
> > > > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > > > to the fedora policy. I have attached my work so someone familiar with
> >
> > sysadm_entry_spec_domtrans is in fedora 10's policy sources, at least,
> > in modules/roles/sysadm.if. (I don't have a fedora devel system
> > installed).
>
> That has the opposite transition direction (the specified domain
> transitions to sysadm).

Just to make sure... You're saying that in upstream refpolicy
sysadm_entry_spec_domtrans(foo) means foo may transition to sysadm_t,
while in fedora 10 policy sysadm_entry_spec_domtrans(foo) means
sysadm_t may transition to foo?

-serge

From: Chris P. <peb...@ge...> - 2009-02-03 14:12:14
|
On Sun, 2009-02-01 at 16:54 -0600, Serge E. Hallyn wrote:
> Quoting Christopher J. PeBenito (peb...@ie...):
> > On Fri, 2009-01-30 at 11:37 -0600, Serge E. Hallyn wrote:
> > > Quoting Serge E. Hallyn (se...@us...):
> > > > Quoting Stephen Smalley (sd...@ty...):
> > > > > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > > > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > > > > LTP and current Fedora development, and get the following policy
> > > > > > > > compilation error:
> > > > > > > >
> > > > > > > > ----
> > > > > > > > Compiling targeted test_policy module
> > > > > > > >
> > > > > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > > > > [lots of warnings similar to the above]
> > > > > > > >
> > > > > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > > > > tmp/test_policy.tmp
> > > > > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > > > > userdom_use_sysadm_terms(testdomain)
> > > > > > > > # This allows read and write sysadm ttys and ptys.
> > > > > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > > > > make: *** [load] Error 2
> > > > > > > > Failed to build and load test_policy module, aborting test run.
> > > > > > > > ----
> > > > > > > >
> > > > > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > > > > >
> > > > > > > It won't compile with the current trunk refpolicy, since the current
> > > > > > > release was a major, API breaking change. I'll try to get a patch out
> > > > > > > shortly.
> > > > > >
> > > > > > I updated the policy since it's fairly old, though I didn't convert its
> > > > > > raw rules over to use interfaces. However this didn't completely fix
> > > > > > it, as there is usage of a "unconfined_runs_test()", which isn't in the
> > > > > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > > > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > > > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > > > > to the fedora policy. I have attached my work so someone familiar with
> > >
> > > sysadm_entry_spec_domtrans is in fedora 10's policy sources, at least,
> > > in modules/roles/sysadm.if. (I don't have a fedora devel system
> > > installed).
> >
> > That has the opposite transition direction (the specified domain
> > transitions to sysadm).
>
> Just to make sure...
>
> You're saying that in upstream refpolicy sysadm_entry_spec_domtrans(foo)
> means foo may transition to sysadm_t, while in fedora 10 policy
> sysadm_entry_spec_domtrans(foo) means sysadm_t may transition to
> foo?

No. They have the same behavior. What happened is that the interface
(the one you need to use, not the above ones) used to be called
userdom_sysadm_entry_spec_domtrans_to(). Then I split all of the roles
into individual policy modules, so that interface got renamed to
sysadm_entry_spec_domtrans_to(), except the new interface was
accidentally dropped. So I added it back in, and it just hasn't gotten
downstream yet.

--
Chris PeBenito
<peb...@ge...>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
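The build failure discussed in this thread comes from test_policy.te calling interfaces that the installed policy headers do not define, which checkmodule reports only as a syntax error at the unexpanded token. The following pre-build check is an added example, not code from the thread, LTP or refpolicy; the header and .te contents are constructed samples and `test_foo_t` is a hypothetical type.

```python
import re

# m4 definitions in refpolicy headers: interface(`name', template(`name', define(`name'
DEF_RE = re.compile(r"\b(?:interface|template|define)\(\s*`([A-Za-z0-9_]+)'")
# A macro call that starts a statement in a .te file: name(
CALL_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\(")
# m4 built-ins and refpolicy support macros that need no header definition
BUILTINS = {"ifdef", "ifndef", "ifelse", "define", "policy_module",
            "gen_require", "optional_policy", "tunable_policy", "gen_tunable"}


def defined_interfaces(header_texts):
    """Collect every macro name defined across the given header file contents."""
    names = set()
    for text in header_texts:
        names.update(DEF_RE.findall(text))
    return names


def missing_interfaces(te_text, header_texts):
    """Return (line_number, name) for each call with no definition in the headers."""
    known = defined_interfaces(header_texts) | BUILTINS
    missing = []
    for lineno, line in enumerate(te_text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop trailing comments
        match = CALL_RE.match(code)
        if match and match.group(1) not in known:
            missing.append((lineno, match.group(1)))
    return missing


# Constructed sample: headers that define only sysadm_entry_spec_domtrans.
SAMPLE_HEADERS = [
    "interface(`sysadm_entry_spec_domtrans',`\n"
    "\tgen_require(`\n\t\ttype sysadm_t;\n\t')\n')\n",
]
# Constructed sample .te using the interface names mentioned in the thread.
SAMPLE_TE = """\
policy_module(test_policy, 1.0)
type test_foo_t;
userdom_use_sysadm_terms(testdomain)  # This allows read and write sysadm ttys and ptys.
unconfined_runs_test(test_foo_t)
sysadm_entry_spec_domtrans_to(test_foo_t)
sysadm_entry_spec_domtrans(test_foo_t)
"""

if __name__ == "__main__":
    for lineno, name in missing_interfaces(SAMPLE_TE, SAMPLE_HEADERS):
        print(f"test_policy.te:{lineno}: {name}() is not defined in the policy headers")
```

To run it against a real system, pass the contents of the .if and .spt files from the installed policy development headers as `header_texts`; their location varies by distribution.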
From: Subrata M. <su...@li...> - 2009-02-02 13:40:02
|
Thanks.

Regards--
Subrata

On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > LTP and current Fedora development, and get the following policy
> > > compilation error:
> > >
> > > ----
> > > Compiling targeted test_policy module
> > >
> > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > [lots of warnings similar to the above]
> > >
> > > /usr/bin/checkmodule: loading policy configuration from
> > > tmp/test_policy.tmp
> > > test_policy.te":16:ERROR 'syntax error' at token
> > > 'userdom_use_sysadm_terms' on line 3198:
> > > userdom_use_sysadm_terms(testdomain)
> > > # This allows read and write sysadm ttys and ptys.
> > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > make: *** [load] Error 2
> > > Failed to build and load test_policy module, aborting test run.
> > > ----
> > >
> > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> >
> > It won't compile with the current trunk refpolicy, since the current
> > release was a major, API breaking change. I'll try to get a patch out
> > shortly.
>
> I updated the policy since it's fairly old, though I didn't convert its
> raw rules over to use interfaces. However this didn't completely fix
> it, as there is usage of a "unconfined_runs_test()", which isn't in the
> upstream refpolicy nor the fedora policy, as far as I can see. One of
> the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> the upstream refpolicy, but doesn't seem to have made its way downstream
> to the fedora policy. I have attached my work so someone familiar with
> the LTP test cases can use it to complete the fix.
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourceForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
Ltp-list mailing list
Ltp...@li...
https://lists.sourceforge.net/lists/listinfo/ltp-list |
From: Stephen S. <sd...@ty...> - 2009-04-29 18:45:37
|
On Mon, 2009-02-02 at 19:09 +0530, Subrata Modak wrote:
> Thanks.
>
> Regards--
> Subrata

Subrata - this patch never should have been applied. Chris said that it
was incomplete, and I noted that it conflicted with Serge's
conditionally applied patch. Please revert this, as it breaks the
selinux ltp testsuite and the resulting policy will not build.

>
> On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > LTP and current Fedora development, and get the following policy
> > > > compilation error:
> > > >
> > > > ----
> > > > Compiling targeted test_policy module
> > > >
> > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > [lots of warnings similar to the above]
> > > >
> > > > /usr/bin/checkmodule: loading policy configuration from
> > > > tmp/test_policy.tmp
> > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > userdom_use_sysadm_terms(testdomain)
> > > > # This allows read and write sysadm ttys and ptys.
> > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > make: *** [load] Error 2
> > > > Failed to build and load test_policy module, aborting test run.
> > > > ----
> > > >
> > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > >
> > > It won't compile with the current trunk refpolicy, since the current
> > > release was a major, API breaking change. I'll try to get a patch out
> > > shortly.
> >
> > I updated the policy since it's fairly old, though I didn't convert its
> > raw rules over to use interfaces. However this didn't completely fix
> > it, as there is usage of a "unconfined_runs_test()", which isn't in the
> > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > the upstream refpolicy, but doesn't seem to have made its way downstream
> > to the fedora policy. I have attached my work so someone familiar with
> > the LTP test cases can use it to complete the fix.

--
Stephen Smalley
National Security Agency |
From: Subrata M. <su...@li...> - 2009-04-30 10:26:49
|
On Wed, 2009-04-29 at 14:39 -0400, Stephen Smalley wrote:
> On Mon, 2009-02-02 at 19:09 +0530, Subrata Modak wrote:
> > Thanks.
> >
> > Regards--
> > Subrata
>
> Subrata - this patch never should have been applied. Chris said that it
> was incomplete, and I noted that it conflicted with Serge's
> conditionally applied patch. Please revert this, as it breaks the
> selinux ltp testsuite and the resulting policy will not build.

This one too is reverted. Will reflect in today's release.

Regards--
Subrata

>
> >
> > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > LTP and current Fedora development, and get the following policy
> > > > > compilation error:
> > > > >
> > > > > ----
> > > > > Compiling targeted test_policy module
> > > > >
> > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > [lots of warnings similar to the above]
> > > > >
> > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > tmp/test_policy.tmp
> > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > userdom_use_sysadm_terms(testdomain)
> > > > > # This allows read and write sysadm ttys and ptys.
> > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > make: *** [load] Error 2
> > > > > Failed to build and load test_policy module, aborting test run.
> > > > > ----
> > > > >
> > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > >
> > > > It won't compile with the current trunk refpolicy, since the current
> > > > release was a major, API breaking change. I'll try to get a patch out
> > > > shortly.
> > >
> > > I updated the policy since it's fairly old, though I didn't convert its
> > > raw rules over to use interfaces. However this didn't completely fix
> > > it, as there is usage of a "unconfined_runs_test()", which isn't in the
> > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > to the fedora policy. I have attached my work so someone familiar with
> > > the LTP test cases can use it to complete the fix. |