01-10-2012, 08:59 PM
Michael Atighetchi

circular policy references generated by sepolgen

All,

I have a number of custom policies that I developed on a Fedora 14
system by using sepolgen and iterating over the policies up to a point
where they are violation free.


When trying to install those policies on another system, I've run into a
circular dependency issue. No matter what order I call the 6 .sh
scripts created by sepolgen, I always end up with missing required
types, e.g.,:


----
[proxyuser@lime selinux]$ sudo ./CZwd.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
make: Nothing to be done for `all'.
+ /usr/sbin/semodule -i CZwd.pp
libsepol.print_missing_requirements: CZwd's global requirements were not
met: type/attribute CZfwa_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).

/usr/sbin/semodule: Failed!
----

Presumably, one can break these cycles by defining all required types first.
Is there a manual way to do this using the SELinux tools?

Thanks
Michael


--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet@bbn.com

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
01-11-2012, 09:16 AM
Miroslav Grepl

circular policy references generated by sepolgen

On 01/10/2012 10:59 PM, Michael Atighetchi wrote:

> All,
>
> I have a number of custom policies that I developed on a Fedora 14
> system by using sepolgen and iterating over the policies up to a point
> where they are violation free.
>
> When trying to install those policies on another system, I've run into
> a circular dependency issue. No matter what order I call the 6 .sh
> scripts created by sepolgen, I always end up with missing required
> types, e.g.,:
>
> ----
> [proxyuser@lime selinux]$ sudo ./CZwd.sh
> Building and Loading Policy
> + make -f /usr/share/selinux/devel/Makefile
> make: Nothing to be done for `all'.
> + /usr/sbin/semodule -i CZwd.pp
> libsepol.print_missing_requirements: CZwd's global requirements were
> not met: type/attribute CZfwa_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file
> or directory).
>
> /usr/sbin/semodule: Failed!
> ----
>
> Presumably, one can break these cycles by defining all required types
> first.
>
> Is there a manual way to do this using the SELinux tools?
>
> Thanks
> Michael


You should use the "optional_policy" statement in your policies to prevent
this issue. I wrote a blog about this:


http://mgrepl.wordpress.com/2011/12/04/troubles-with-policy-development-part-1/

 
01-11-2012, 11:21 AM
Michael Atighetchi

circular policy references generated by sepolgen

On 1/11/2012 11:16 AM, Miroslav Grepl wrote:

> On 01/10/2012 10:59 PM, Michael Atighetchi wrote:
>
> > All,
> >
> > I have a number of custom policies that I developed on a Fedora 14
> > system by using sepolgen and iterating over the policies up to a
> > point where they are violation free.
> >
> > When trying to install those policies on another system, I've run
> > into a circular dependency issue. No matter what order I call the 6
> > .sh scripts created by sepolgen, I always end up with missing
> > required types, e.g.,:
> >
> > ----
> > [proxyuser@lime selinux]$ sudo ./CZwd.sh
> > Building and Loading Policy
> > + make -f /usr/share/selinux/devel/Makefile
> > make: Nothing to be done for `all'.
> > + /usr/sbin/semodule -i CZwd.pp
> > libsepol.print_missing_requirements: CZwd's global requirements were
> > not met: type/attribute CZfwa_t (No such file or directory).
> > libsemanage.semanage_link_sandbox: Link packages failed (No such file
> > or directory).
> >
> > /usr/sbin/semodule: Failed!
> > ----
> >
> > Presumably, one can break these cycles by defining all required types
> > first.
> >
> > Is there a manual way to do this using the SELinux tools?
> >
> > Thanks
> > Michael
>
> You should use the "optional_policy" statement in your policies to prevent
> this issue. I wrote a blog about this:
>
> http://mgrepl.wordpress.com/2011/12/04/troubles-with-policy-development-part-1/



Thanks for the pointer. Turns out that somehow the policies I had
previously iterated over had a lot of junk in them, for instance, rules
for types that are not really supposed to be declared by the specific
policy module. After manually cleaning up the policies, I was able to
get them to load and work properly.


Will keep the optional_policy in mind though.

Michael


--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet@bbn.com

 
01-11-2012, 12:25 PM
Daniel J Walsh

circular policy references generated by sepolgen


On 01/10/2012 04:59 PM, Michael Atighetchi wrote:
> All,
>
> I have a number of custom policies that I developed on a Fedora 14
> system by using sepolgen and iterating over the policies up to a
> point where they are violation free.
>
> When trying to install those policies on another system, I've run
> into a circular dependency issue. No matter what order I call the
> 6 .sh scripts created by sepolgen, I always end up with missing
> required types, e.g.,:
>
> ----
> [proxyuser@lime selinux]$ sudo ./CZwd.sh
> Building and Loading Policy
> + make -f /usr/share/selinux/devel/Makefile
> make: Nothing to be done for `all'.
> + /usr/sbin/semodule -i CZwd.pp
> libsepol.print_missing_requirements: CZwd's global requirements
> were not met: type/attribute CZfwa_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such
> file or directory).
> /usr/sbin/semodule: Failed!
> ----
>
> Presumably, one can break these cycles by defining all required
> types first. Is there a manual way to do this using the SELinux
> tools?
>
> Thanks Michael
>
>

Without seeing the policy I would figure you did not define CZfwa_t
within this module but used it without an optional_policy block around
it. You have a couple of choices: either add the optional_policy block
or install both pp files with the same semodule command.

semodule -i CZwd.pp CZfwa.pp
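
The two options in this reply (wrap the cross-module reference in optional_policy, or load the interdependent .pp files with one semodule command) can be planned mechanically. The following is an added example, not code from the thread or from the SELinux project: it scans constructed policy fragments, ignores requirements inside optional_policy blocks, and emits one `semodule -i` command per dependency cycle. It assumes one type per `type` statement; the CZlog module and all rules are hypothetical.

```python
import re
# Constructed sample fragments; only the names CZwd/CZfwa come from the thread.
SOURCES = {
    "CZwd": "type CZwd_t;\nrequire { type CZfwa_t; }\n"
            "allow CZwd_t CZfwa_t:process signal;\n",
    "CZfwa": "type CZfwa_t;\nrequire { type CZwd_t; type CZlog_t; }\n"
             "allow CZfwa_t CZwd_t:fd use;\n",
    "CZlog": "type CZlog_t;\noptional_policy(`\n  gen_require(` type CZwd_t; ')\n"
             "  allow CZwd_t CZlog_t:file append;\n')\n",
}
REQ = re.compile(r"require\s*(?:\{|\(`)(.*?)(?:\}|'\))", re.S)

def strip_optional(src):
    """Drop optional_policy(` ... ') blocks, tracking nested m4 quotes."""
    out, i = [], 0
    while (j := src.find("optional_policy(`", i)) != -1:
        out.append(src[i:j])
        depth, i = 1, j + len("optional_policy(`")
        while depth and i < len(src):
            depth += {"`": 1, "'": -1}.get(src[i], 0)
            i += 1
    return "".join(out) + src[i:]

def analyse(src):
    """Return (types declared, types hard-required) for one .te source."""
    hard = strip_optional(src)
    required = set(re.findall(r"\btype\s+(\w+)", " ".join(REQ.findall(hard))))
    declared = set(re.findall(r"^\s*type\s+(\w+)", REQ.sub("", hard), re.M))
    return declared, required

def install_commands(sources):
    """One semodule call per batch; a dependency cycle shares one call."""
    info = {m: analyse(s) for m, s in sources.items()}
    owner = {t: m for m, (decl, _) in info.items() for t in decl}
    deps = {m: {owner[t] for t in req if t in owner} - {m}
            for m, (_, req) in info.items()}
    r = {m: set(d) for m, d in deps.items()}
    for k in deps:  # Warshall transitive closure over module dependencies
        for m in deps:
            if k in r[m]:
                r[m] |= r[k]
    groups = {frozenset({m} | {n for n in r[m] if m in r[n]}) for m in deps}
    batches, done = [], set()
    while len(done) < len(deps):
        ready = sorted(sorted(g) for g in groups if not g <= done
                       and all(deps[m] <= done | g for m in g))
        batches += ready
        done |= {m for g in ready for m in g}
    return ["semodule -i " + " ".join(f"{m}.pp" for m in b) for b in batches]
```

For the sample fragments, `install_commands(SOURCES)` loads CZlog on its own first and then CZfwa and CZwd together, because CZlog's reference to CZwd_t is optional and only the CZwd/CZfwa pair forms a hard cycle.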
