On Sun, 2009-02-01 at 16:51 -0600, Serge E. Hallyn wrote: > Quoting Christopher J. PeBenito ([email protected]): > > On Fri, 2009-01-30 at 11:14 -0600, Serge E. Hallyn wrote: > > > Quoting Stephen Smalley ([email protected]): > > > > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote: > > > > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote: > > > > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote: > > > > > > > I'm trying to run the LTP SELinux tests using the latest CVS > > > > > > > version of > > > > > > > LTP and current Fedora development, and get the following policy > > > > > > > compilation error: > > > > > > > > > > > > > > ---- > > > > > > > Compiling targeted test_policy module > > > > > > > > > > > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please > > > > > > > use list_dir_perms instead. > > > > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please > > > > > > > use read_file_perms instead. > > > > > > > [lots of warnings similar to the above] > > > > > > > > > > > > > > /usr/bin/checkmodule: loading policy configuration from > > > > > > > tmp/test_policy.tmp > > > > > > > test_policy.te":16:ERROR 'syntax error' at token > > > > > > > 'userdom_use_sysadm_terms' on line 3198: > > > > > > > userdom_use_sysadm_terms(testdomain) > > > > > > > # This allows read and write sysadm ttys and ptys. > > > > > > > /usr/bin/checkmodule: error(s) encountered while parsing > > > > > > > configuration > > > > > > > make[1]: *** [tmp/test_policy.mod] Error 1 > > > > > > > make[1]: Leaving directory `/usr/share/selinux/devel' > > > > > > > make: *** [load] Error 2 > > > > > > > Failed to build and load test_policy module, aborting test run. > > > > > > > ---- > > > > > > > > > > > > > > Is this likely to be fixed soon, and/or any suggestions for a > > > > > > > workaround? > > > > > > > > > > > > It won't compile with the current trunk refpolicy, since the current > > > > > > release was a major, API breaking change. I'll try to get a patch > > > > > > out > > > > > > shortly. > > > > > > > > > > I updated the policy since its fairly old, though I didn't convert its > > > > > raw rules over to use interfaces. However this didn't completely fix > > > > > it, as there is usage of a "unconfined_runs_test()", which isn't in > > > > > the > > > > > upstream refpolicy nor the fedora policy, as far as I can see. One of > > > > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is > > > > > in > > > > > the upstream refpolicy, but doesn't seem to have made its way > > > > > downstream > > > > > to the fedora policy. I have attached my work so someone familiar > > > > > with > > > > > the LTP test cases can use it to complete the fix. > > > > > > > > Serge put together a patch and script under selinux-testsuite/misc that > > > > defines unconfined_runs_test() as well as converting some of the > > > > interfaces. That was done so that the ltp testsuite could still be run > > > > on older distributions (w/ the older policy) and on newer distributions > > > > (w/ the patch applied to perform conversion). It was originally done > > > > based on the deprecation of the sbin interfaces, which is why it is > > > > named that way even though it now includes more than just conversion of > > > > those interfaces. > > > > > > (Sorry, this thread is rolling into my inbox delayed and out-of-order) > > > > > > So the unconfined_runs_test() shouldn't actually be a problem (right, > > > Chris? pls let me know if you actually get compile failures as then > > > something went wrong with the build scripts). > > > > I just went to the directory and ran make. Sounds like I might have > > done something wrong. > > > > > But what could have happened with sysadm_entry_spec_domtrans_to()? It > > > must have been in fedora's policy before, since it definately worked on > > > fedora 7 and 8. Has it been removed? (I'll fire up a f10 partition and > > > look through the policy sources...) > > > > Well it used to be userdom_sysadm_entry_spec_domtrans_to(). > > > > > As for the list_dir_perms and read_file_perms, have those always macros > > > in the refpolicy? If so, then a straight search-and-replace is fine. > > > If not, then we'll have to do another hook at the policy build to make > > > the substitutions only when the policy is new enough. :( > > > > Those have been around for a while. While the old r_dir_perms and > > r_file_perms macros aren't going anywhere for the forseeable future, > > their use is problematic as those may not get updated for new perms, > > such as open. > > So I guess we should switch all the instances over, and have > misc/update_refpolicy.sh switch them back if list_dir_perms > doesn't exist. > > What would be a good way to determine whether we're in a kernel > version too old to use those? Can we just check whether > sestatus | grep version | awk -F: '{ print $2 '} is less than, > say, 22?
Well the new permission sets have been around since the end of 2006. But a kernel with v22 policy would probably be a good way to determine if it should be switched. Those kernels wouldn't have new permissions like open, so it would be safe to use the old permission sets. -- Chris PeBenito <[email protected]> Developer, Hardened Gentoo Linux Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
signature.asc
Description: This is a digitally signed message part
------------------------------------------------------------------------------ Create and Deploy Rich Internet Apps outside the browser with Adobe(R)AIR(TM) software. With Adobe AIR, Ajax developers can use existing skills and code to build responsive, highly engaging applications that combine the power of local resources and data with the reach of the web. Download the Adobe AIR SDK and Ajax docs to start building applications today-http://p.sf.net/sfu/adobe-com
_______________________________________________ Ltp-list mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/ltp-list
