On 06/16/2016 02:04 PM, Douglas Brown wrote:
> On 16/06/2016, 6:15 PM, "Miroslav Grepl" <mgrepl@xxxxxxxxxx> wrote:
>
>> On 06/14/2016 02:52 AM, Douglas Brown wrote:
>>> Hi all,
>>>
>>> In the process of porting policies from RHEL 6 to 7, I’m having an issue
>>> with the shutdown_run interface.
>>>
>>> The trivial te file below compiles and loads fine on RHEL 6.7:
>>>
>>> policy_module(test, 0.1)
>>>
>>> require {
>>>     role staff_r;
>>>     type staff_t;
>>> }
>>>
>>> shutdown_run(staff_t, staff_r)
>>>
>>> However, there appears to be a bug in RHEL 7.2, because loading with
>>> semodule gives the error: "libsepol.print_missing_requirements: test's
>>> global requirements were not met: role shutdown_roles (No such file or
>>> directory)"
>>>
>>> After looking into this, curiously the interface has moved from
>>> /usr/share/selinux/devel/include/admin/shutdown.if (selinux-policy rpm
>>> in RHEL 6) to /usr/share/selinux/devel/include/contrib/shutdown.if
>>> (selinux-policy-devel rpm in RHEL 7). Should it be in contrib?
>>>
>>> There’s also another issue in that shutdown_exec_t is used in the RHEL 7
>>> interface but it no longer exists because the shutdown binary has been
>>> replaced with a symlink to systemctl.
>>
>> Yes, the shutdown policy is no longer used. power_unit_file_t is being
>> used for /usr/lib/systemd/system/shutdown.target to handle it as a service.
>
> Thanks, the systemd_start_power_services interface works but produced these AVCs:
>
> allow staff_t init_var_run_t:dir write;
> allow staff_t power_unit_file_t:service status;

Thank you for testing. Could you also attach raw AVC messages?

>
> Cheers,
> Doug
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
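The RHEL 7 port that the thread converges on, written out as an added example (this is not code from the thread or from the selinux-policy project). It replaces the RHEL 6 shutdown_run() call with systemd_start_power_services(), which the reporter confirmed works, and keeps the two rules he got back from audit2allow as explicit, separately visible allow rules so they can be dropped once the interface itself covers them. The module name test_power, the working directory, and the build/verification commands are assumptions; the build step only runs where selinux-policy-devel is installed, and the last function collects the raw AVC records the maintainer asked for instead of audit2allow's summary.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): RHEL 7 port of the
# reporter's test module plus the build and AVC-collection steps.
# Assumptions: module name "test_power"; selinux-policy-devel provides
# /usr/share/selinux/devel/Makefile; audit is running for ausearch.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile
MODULE=test_power

# Write the .te file. Unlike shutdown_run(), the systemd interface takes only
# the domain, so the staff_r role is no longer a requirement. The two allow
# rules are the audit2allow form of the denials reported in the thread; they
# are kept outside the interface call so it is obvious what the interface
# does not (yet) grant.
write_te() {
    cat > "$WORKDIR/$MODULE.te" <<'EOF'
policy_module(test_power, 0.1)

require {
    type staff_t;
    type init_var_run_t;
    type power_unit_file_t;
}

# RHEL 7: /sbin/shutdown is a symlink to systemctl and shutdown.target is
# labelled power_unit_file_t, so the shutdown_* interfaces no longer apply.
systemd_start_power_services(staff_t)

# Rules derived from the AVCs reported after testing the interface above
# (audit2allow output). Check them against the raw AVC records before keeping
# them: a write on init_var_run_t:dir is broad and may be a different symptom.
allow staff_t init_var_run_t:dir write;
allow staff_t power_unit_file_t:service status;
EOF
    printf '%s\n' "$WORKDIR/$MODULE.te"
}

# Build the .pp with the devel Makefile and load it. Skipped (exit 0) on a
# host without selinux-policy-devel so the script stays harmless elsewhere.
build_and_load() {
    if [ ! -f "$DEVEL_MAKEFILE" ]; then
        echo "$DEVEL_MAKEFILE not found; install selinux-policy-devel" >&2
        return 0
    fi
    ( cd "$WORKDIR" && make -f "$DEVEL_MAKEFILE" "$MODULE.pp" ) || return 1
    semodule -i "$WORKDIR/$MODULE.pp"
}

# Raw AVC records (kernel and userspace) since the last boot, which carry the
# comm=, path= and permissive= fields that audit2allow's summary drops.
raw_avcs() {
    ausearch -m AVC,USER_AVC -ts boot 2>/dev/null | grep -e 'staff_t' -e 'power_unit_file_t'
}

# Typical use (not executed here): write_te; build_and_load; raw_avcs
```

Run write_te on any host to produce the module source; build_and_load and raw_avcs need a RHEL 7 box with selinux-policy-devel and auditd. When attaching the denials to a report, send the output of raw_avcs rather than the audit2allow lines, since the maintainer can only tell whether an interface should be extended from the full records.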