
Re: CIL/SELinux Userspace Integration



I added (genfscon selinuxfs / ...) as Eric suggested and booleans now work okay in policy.

I found getsebool and sestatus -b worked okay. 

setsebool worked setting a different value in running policy, however 'setsebool -P ..' core dumped. 

Richard

--- On Wed, 7/12/11, Eric Paris <eparis@xxxxxxxxxxxxxx> wrote:

> From: Eric Paris <eparis@xxxxxxxxxxxxxx>
> Subject: Re: CIL/SELinux Userspace Integration
> To: "Steve Lawrence" <slawrence@xxxxxxxxxx>
> Cc: "Richard Haines" <richard_c_haines@xxxxxxxxxxxxxx>, selinux@xxxxxxxxxxxxx
> Date: Wednesday, 7 December, 2011, 20:15
> So the problem comes from the code which creates the files in
> /selinux/booleans.  It does an explicit check for a genfs rule for
> selinuxfs to label the new inode.  I'm not certain why we need this
> bit of code.  Maybe it is there to support labeling of individual
> booleans somehow, but I don't see how or why this particular piece of
> code is needed.  In any case I believe (Steve tested but I'm not
> exactly sure what he did) that you can add a genfs statement for
> selinuxfs and it will start working...
> 
> On Wed, Dec 7, 2011 at 1:45 PM, Eric Paris <eparis@xxxxxxxxxxxxxx> wrote:
> > I've found and fixed one kernel bug using this policy, but not THE
> > kernel bug.  Weeeee
> >
> > On Wed, Dec 7, 2011 at 9:04 AM, Steve Lawrence <slawrence@xxxxxxxxxx> wrote:
> >> On 12/07/2011 08:54 AM, Eric Paris wrote:
> >>>
> >>> On Wed, Dec 7, 2011 at 8:32 AM, Steve Lawrence <slawrence@xxxxxxxxxx> wrote:
> >>>>
> >>>> On 12/03/2011 11:30 AM, Richard Haines wrote:
> >>>
> >>>>> 5) I could not load a new policy that had a boolean and supporting
> >>>>>    statements in it. The actual binary policy was fine (using apol), but
> >>>>>    load_policy had problems. I started with a Fedora 16 base and added
> >>>>>    the new Integration code with no problems. Is it a known problem? If
> >>>>>    not I'll check further.
> >>>>>    The errors I had when running semodule with a boolean were (Note: I
> >>>>>    had already built a new base policy (SELINUXTYPE=rch-test1) with no
> >>>>>    problems):
> >>>>
> >>>> Hmmm, this is interesting. Both seinfo and apol are fine with my
> >>>> CIL-generated binary, but it fails to load when I add booleans. I also
> >>>> generated a similar mdp policy.conf, ran checkpolicy, and that failed to
> >>>> load as well. sediff also shows the two binaries to be the same.
> >>>>
> >>>> I'll look into this more, but because of that, I'm thinking this is a
> >>>> kernel bug. If anyone else wants to look at it, I've attached a simple
> >>>> file that is the standard mdp.conf with a single boolean defined, and a
> >>>> single conditional statement using that boolean. This builds a binary
> >>>> fine, and apol/seinfo have no problem with it, but it fails to load with
> >>>> load_policy.
> >>>>
> >>>>> ------ Start --------------
> >>>>> # semodule -i base.cil ext_gateway.cil int_gateway.cil move_file.cil
> >>>>>
> >>>>> SELinux:  Could not load policy file /etc/selinux/rch-test1/policy/policy.26:  No such file or directory
> >>>>> /sbin/load_policy:  Can't load policy:  No such file or directory
> >>>>>
> >>>>> libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
> >>>>> SELinux:  Could not load policy file /etc/selinux/rch-test1/policy/policy.26:  No such file or directory
> >>>>> /sbin/load_policy:  Can't load policy:  No such file or directory
> >>>>>
> >>>>> libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
> >>>>> semodule:  Failed!
> >>>>>
> >>>>> ----- End -----------------
> >>>
> >>> If you send me the policy.X in question I'll spend a couple minutes
> >>> figuring out what the kernel is upset about...
> >>
> >> policy.24 attached. Thanks.
> 
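The `(genfscon selinuxfs / ...)` statement Richard mentions, written out as an added example (this is not code from the thread or from the CIL project): a minimal CIL fragment with the genfscon rule that gives the kernel a context for the inodes it creates under /selinux/booleans, plus one boolean and one conditional rule, mirroring the single-boolean test case Steve describes. It assumes an MLS/MCS base policy that already declares `system_u`, `object_r`, `s0`, the `file` class and its permissions; `security_t` is the refpolicy name for the selinuxfs type, and `allow_ext_gateway`, `ext_gateway_t` and `net_conf_t` are placeholder names.

```cil
;; Added example, not from the thread. Assumes the base policy already
;; declares system_u, object_r, s0, the file class, security_t (the
;; refpolicy type for selinuxfs), ext_gateway_t and net_conf_t.

;; Without a genfscon rule for selinuxfs the kernel has no context for
;; the boolean inodes it creates under /selinux/booleans, and a policy
;; that defines any boolean fails to load, which is the symptom above.
(genfscon selinuxfs "/" (system_u object_r security_t ((s0) (s0))))

;; One boolean, defaulting to off, and one conditional rule that only
;; takes effect while the boolean is on (see getsebool / setsebool).
(boolean allow_ext_gateway false)

(booleanif allow_ext_gateway
    (true
        (allow ext_gateway_t net_conf_t (file (read getattr open)))
    )
)
```

After loading, `ls -Z /selinux/booleans` should show the selinuxfs type on each boolean file, and `getsebool allow_ext_gateway` should report the default value.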


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.