* [PATCH] python/sepolicy: Fix template for confined user policy modules
@ 2023-06-01 16:34 Vit Mojzis
  2023-06-05  9:12 ` Petr Lautrbach
  0 siblings, 1 reply; 3+ messages in thread
From: Vit Mojzis @ 2023-06-01 16:34 UTC (permalink / raw)
  To: selinux

The following commit
https://github.com/SELinuxProject/refpolicy/commit/330b0fc3331d3b836691464734c96f3da3044490
changed the userdom_base_user_template, which now requires a role
corresponding to the user being created to be defined outside of the
template.
A similar change was also done to fedora-selinux/selinux-policy
https://github.com/fedora-selinux/selinux-policy/commit/e1e216b25df1bdb4eb7dbb8f73f32927ad6f3d1f

Although I believe the template should define the role (just as it
defines the new user), that will require extensive changes to refpolicy.
In the meantime the role needs to be defined separately.

Fixes:
# sepolicy generate --term_user -n newuser
Created the following files:
/root/a/test/newuser.te # Type Enforcement file
/root/a/test/newuser.if # Interface file
/root/a/test/newuser.fc # File Contexts file
/root/a/test/newuser_selinux.spec # Spec file
/root/a/test/newuser.sh # Setup Script

# ./newuser.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile newuser.pp
Compiling targeted newuser module
Creating targeted newuser.pp policy package
rm tmp/newuser.mod tmp/newuser.mod.fc
+ /usr/sbin/semodule -i newuser.pp
Failed to resolve roleattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/newuser/cil:8
Failed to resolve AST
/usr/sbin/semodule:  Failed!

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 python/sepolicy/sepolicy/templates/user.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/python/sepolicy/sepolicy/templates/user.py b/python/sepolicy/sepolicy/templates/user.py
index 1ff9d2ce..7081fbae 100644
--- a/python/sepolicy/sepolicy/templates/user.py
+++ b/python/sepolicy/sepolicy/templates/user.py
@@ -28,6 +28,8 @@ policy_module(TEMPLATETYPE, 1.0.0)
 #
 # Declarations
 #
+role TEMPLATETYPE_r;
+
 userdom_unpriv_user_template(TEMPLATETYPE)
 """
 
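Review bot: the generated module will now carry a bare `role TEMPLATETYPE_r;` with no explanation, and since these templates are what `sepolicy generate` hands to users, a one-line comment above the declaration saying that the userdom_*_user_template() macros no longer declare the role themselves (refpolicy commit 330b0fc3) would save the next reader a trip to this commit message.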
@@ -38,6 +40,8 @@ policy_module(TEMPLATETYPE, 1.0.0)
 #
 # Declarations
 #
+role TEMPLATETYPE_r;
+
 userdom_admin_user_template(TEMPLATETYPE)
 """
 
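Review bot: this hunk, like the first, adds a blank line after the new declaration, while the remaining three hunks rely on the blank line already present before the template call; the generated output looks the same either way, but inserting exactly the same text in all five templates keeps them easier to diff against each other.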
@@ -48,6 +52,7 @@ policy_module(TEMPLATETYPE, 1.0.0)
 #
 # Declarations
 #
+role TEMPLATETYPE_r;
 
 userdom_restricted_user_template(TEMPLATETYPE)
 """
@@ -59,6 +64,7 @@ policy_module(TEMPLATETYPE, 1.0.0)
 #
 # Declarations
 #
+role TEMPLATETYPE_r;
 
 userdom_restricted_xwindows_user_template(TEMPLATETYPE)
 """
@@ -89,6 +95,7 @@ gen_tunable(TEMPLATETYPE_manage_user_files, false)
 #
 # Declarations
 #
+role TEMPLATETYPE_r;
 
 userdom_base_user_template(TEMPLATETYPE)
 """
-- 
2.40.0


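A check a practitioner can run over a generated .te module for the condition this patch addresses, added here as an example and not part of the patch or of sepolicy itself: it flags any userdom_*_user_template(NAME) call that is not preceded by a top-level `role NAME_r;` declaration. The sample modules are constructed; only the unpriv template is used for them.

```python
import re

# Only a bare "role NAME;" line counts as a declaration; "role NAME types T;"
# and lines inside gen_require(...) are deliberately not treated as one.
ROLE_DECL = re.compile(r"role\s+(\w+)\s*;$")
TEMPLATE_CALL = re.compile(r"userdom_\w+_user_template\(\s*(\w+)\s*\)")


def missing_roles(te_text):
    """Return (lineno, call, role) for each userdom_*_user_template(NAME)
    call that is not preceded by a top-level 'role NAME_r;' declaration."""
    declared = set()
    problems = []
    in_require = False
    for lineno, raw in enumerate(te_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("gen_require("):
            in_require = True
        if in_require:
            # gen_require only states requirements; skip until its closing ')
            if line.endswith("')"):
                in_require = False
            continue
        m = ROLE_DECL.match(line)
        if m:
            declared.add(m.group(1))
            continue
        m = TEMPLATE_CALL.match(line)
        if m and m.group(1) + "_r" not in declared:
            problems.append((lineno, m.group(0), m.group(1) + "_r"))
    return problems


# Constructed sample: the module as the pre-fix template generated it.
OLD_TE = """policy_module(newuser, 1.0.0)

########################################
#
# Declarations
#

userdom_unpriv_user_template(newuser)
"""

# Constructed: the same module as the patched template emits it.
FIXED_TE = OLD_TE.replace("#\n\nuserdom", "#\nrole newuser_r;\n\nuserdom")

# Constructed: a requirement is not a declaration, so this is still flagged.
REQUIRE_ONLY_TE = "policy_module(newuser, 1.0.0)\n\ngen_require(`\n    role newuser_r;\n')\n\nuserdom_unpriv_user_template(newuser)\n"
```

Run `missing_roles()` over each `.te` that `sepolicy generate` writes; an empty list means every template call has its role declared before it.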

* Re: [PATCH] python/sepolicy: Fix template for confined user policy modules
  2023-06-01 16:34 [PATCH] python/sepolicy: Fix template for confined user policy modules Vit Mojzis
@ 2023-06-05  9:12 ` Petr Lautrbach
  2023-06-12 17:47   ` Petr Lautrbach
  0 siblings, 1 reply; 3+ messages in thread
From: Petr Lautrbach @ 2023-06-05  9:12 UTC (permalink / raw)
  To: Vit Mojzis, selinux

Vit Mojzis <vmojzis@redhat.com> writes:

> The following commit
> https://github.com/SELinuxProject/refpolicy/commit/330b0fc3331d3b836691464734c96f3da3044490
> changed the userdom_base_user_template, which now requires a role
> corresponding to the user being created to be defined outside of the
> template.
> Similar change was also done to fedora-selinux/selinux-policy
> https://github.com/fedora-selinux/selinux-policy/commit/e1e216b25df1bdb4eb7dbb8f73f32927ad6f3d1f
>
> Although I believe the template should define the role (just as it
> defines the new user), that will require extensive changes to refpolicy.
> In the meantime the role needs to be defined separately.
>
> Fixes:
> # sepolicy generate --term_user -n newuser
> Created the following files:
> /root/a/test/newuser.te # Type Enforcement file
> /root/a/test/newuser.if # Interface file
> /root/a/test/newuser.fc # File Contexts file
> /root/a/test/newuser_selinux.spec # Spec file
> /root/a/test/newuser.sh # Setup Script

If you don't mind, I'd push it with indented text, i.e.

Fixes:
    # sepolicy generate --term_user -n newuser
    Created the following files:
    /root/a/test/newuser.te # Type Enforcement file
    /root/a/test/newuser.if # Interface file
    /root/a/test/newuser.fc # File Contexts file
    /root/a/test/newuser_selinux.spec # Spec file
    /root/a/test/newuser.sh # Setup Script



> # ./newuser.sh
> Building and Loading Policy
> + make -f /usr/share/selinux/devel/Makefile newuser.pp
> Compiling targeted newuser module
> Creating targeted newuser.pp policy package
> rm tmp/newuser.mod tmp/newuser.mod.fc
> + /usr/sbin/semodule -i newuser.pp
> Failed to resolve roleattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/newuser/cil:8
> Failed to resolve AST
> /usr/sbin/semodule:  Failed!
>
> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>

Acked-by: Petr Lautrbach <lautrbach@redhat.com>


> ---
>  python/sepolicy/sepolicy/templates/user.py | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/python/sepolicy/sepolicy/templates/user.py b/python/sepolicy/sepolicy/templates/user.py
> index 1ff9d2ce..7081fbae 100644
> --- a/python/sepolicy/sepolicy/templates/user.py
> +++ b/python/sepolicy/sepolicy/templates/user.py
> @@ -28,6 +28,8 @@ policy_module(TEMPLATETYPE, 1.0.0)
>  #
>  # Declarations
>  #
> +role TEMPLATETYPE_r;
> +
>  userdom_unpriv_user_template(TEMPLATETYPE)
>  """
>  
> @@ -38,6 +40,8 @@ policy_module(TEMPLATETYPE, 1.0.0)
>  #
>  # Declarations
>  #
> +role TEMPLATETYPE_r;
> +
>  userdom_admin_user_template(TEMPLATETYPE)
>  """
>  
> @@ -48,6 +52,7 @@ policy_module(TEMPLATETYPE, 1.0.0)
>  #
>  # Declarations
>  #
> +role TEMPLATETYPE_r;
>  
>  userdom_restricted_user_template(TEMPLATETYPE)
>  """
> @@ -59,6 +64,7 @@ policy_module(TEMPLATETYPE, 1.0.0)
>  #
>  # Declarations
>  #
> +role TEMPLATETYPE_r;
>  
>  userdom_restricted_xwindows_user_template(TEMPLATETYPE)
>  """
> @@ -89,6 +95,7 @@ gen_tunable(TEMPLATETYPE_manage_user_files, false)
>  #
>  # Declarations
>  #
> +role TEMPLATETYPE_r;
>  
>  userdom_base_user_template(TEMPLATETYPE)
>  """
> -- 
> 2.40.0



* Re: [PATCH] python/sepolicy: Fix template for confined user policy modules
  2023-06-05  9:12 ` Petr Lautrbach
@ 2023-06-12 17:47   ` Petr Lautrbach
  0 siblings, 0 replies; 3+ messages in thread
From: Petr Lautrbach @ 2023-06-12 17:47 UTC (permalink / raw)
  To: Vit Mojzis, selinux

Petr Lautrbach <lautrbach@redhat.com> writes:

> Vit Mojzis <vmojzis@redhat.com> writes:
>
>> The following commit
>> https://github.com/SELinuxProject/refpolicy/commit/330b0fc3331d3b836691464734c96f3da3044490
>> changed the userdom_base_user_template, which now requires a role
>> corresponding to the user being created to be defined outside of the
>> template.
>> Similar change was also done to fedora-selinux/selinux-policy
>> https://github.com/fedora-selinux/selinux-policy/commit/e1e216b25df1bdb4eb7dbb8f73f32927ad6f3d1f
>>
>> Although I believe the template should define the role (just as it
>> defines the new user), that will require extensive changes to refpolicy.
>> In the meantime the role needs to be defined separately.
>>
>> Fixes:
>> # sepolicy generate --term_user -n newuser
>> Created the following files:
>> /root/a/test/newuser.te # Type Enforcement file
>> /root/a/test/newuser.if # Interface file
>> /root/a/test/newuser.fc # File Contexts file
>> /root/a/test/newuser_selinux.spec # Spec file
>> /root/a/test/newuser.sh # Setup Script
>
> If you don't mind, I'd push it with indented text, i.e.
>
> Fixes:
>     # sepolicy generate --term_user -n newuser
>     Created the following files:
>     /root/a/test/newuser.te # Type Enforcement file
>     /root/a/test/newuser.if # Interface file
>     /root/a/test/newuser.fc # File Contexts file
>     /root/a/test/newuser_selinux.spec # Spec file
>     /root/a/test/newuser.sh # Setup Script
>
>
>
>> # ./newuser.sh
>> Building and Loading Policy
>> + make -f /usr/share/selinux/devel/Makefile newuser.pp
>> Compiling targeted newuser module
>> Creating targeted newuser.pp policy package
>> rm tmp/newuser.mod tmp/newuser.mod.fc
>> + /usr/sbin/semodule -i newuser.pp
>> Failed to resolve roleattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/newuser/cil:8
>> Failed to resolve AST
>> /usr/sbin/semodule:  Failed!
>>
>> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
>
> Acked-by: Petr Lautrbach <lautrbach@redhat.com>
>

Merged with reformatted commit message. Thanks!


>> ---
>>  python/sepolicy/sepolicy/templates/user.py | 7 +++++++
>>  1 file changed, 7 insertions(+)
>>
>> diff --git a/python/sepolicy/sepolicy/templates/user.py b/python/sepolicy/sepolicy/templates/user.py
>> index 1ff9d2ce..7081fbae 100644
>> --- a/python/sepolicy/sepolicy/templates/user.py
>> +++ b/python/sepolicy/sepolicy/templates/user.py
>> @@ -28,6 +28,8 @@ policy_module(TEMPLATETYPE, 1.0.0)
>>  #
>>  # Declarations
>>  #
>> +role TEMPLATETYPE_r;
>> +
>>  userdom_unpriv_user_template(TEMPLATETYPE)
>>  """
>>  
>> @@ -38,6 +40,8 @@ policy_module(TEMPLATETYPE, 1.0.0)
>>  #
>>  # Declarations
>>  #
>> +role TEMPLATETYPE_r;
>> +
>>  userdom_admin_user_template(TEMPLATETYPE)
>>  """
>>  
>> @@ -48,6 +52,7 @@ policy_module(TEMPLATETYPE, 1.0.0)
>>  #
>>  # Declarations
>>  #
>> +role TEMPLATETYPE_r;
>>  
>>  userdom_restricted_user_template(TEMPLATETYPE)
>>  """
>> @@ -59,6 +64,7 @@ policy_module(TEMPLATETYPE, 1.0.0)
>>  #
>>  # Declarations
>>  #
>> +role TEMPLATETYPE_r;
>>  
>>  userdom_restricted_xwindows_user_template(TEMPLATETYPE)
>>  """
>> @@ -89,6 +95,7 @@ gen_tunable(TEMPLATETYPE_manage_user_files, false)
>>  #
>>  # Declarations
>>  #
>> +role TEMPLATETYPE_r;
>>  
>>  userdom_base_user_template(TEMPLATETYPE)
>>  """
>> -- 
>> 2.40.0

