On 02/17/2017 08:30 AM, Thomas Mueller wrote:
> Hi Petr
>
>
> On 16.02.2017 at 12:27, Petr Lautrbach wrote:
>> I'll push builds with updated SELinux Userspace and SETools into
>> Rawhide soon.
>>
>> In the meantime, you can test it from my COPR plautrba/selinux-2.6
>> repository [1].
>
> enabled it on F25 and ran the puppet-selinux modules acceptance tests
> (uses semanage/semanage/seboolean to build and add modules, enabling
> booleans, manages ports, manages a permissive domain, sets some
> fcontexts) [0].

Thanks for the tests!

> It detected a problem in a test policy I wrote.
> "domtrans_pattern($1, puppet_test_a_exec_t, usr_t)" fails now with:
>
> ...
> Exec[install-module-puppet_test_b]/returns: neverallow check failed at
> /var/lib/selinux/targeted/tmp/modules/100/base/cil:4528
> Exec[install-module-puppet_test_b]/returns: (neverallow
> base_typeattr_7 base_typeattr_8 (process (fork transition sigchld
> sigkill sigstop signull signal ptrace getsched setsched getsession
> getpgid setpgid getcap setcap share getattr setexec setfscreate
> noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem
> execstack execheap setkeycreate setsockcreate)))
> Exec[install-module-puppet_test_b]/returns: <root>
> Exec[install-module-puppet_test_b]/returns: allow at
> /var/lib/selinux/targeted/tmp/modules/400/puppet_test_b/cil:22
> Exec[install-module-puppet_test_b]/returns: (allow usr_t
> puppet_test_b_t (process (sigchld)))
> Exec[install-module-puppet_test_b]/returns:
> ...

It's not directly related to the 2.6 userspace. In Rawhide we have
"expand-check = 1" in /etc/selinux/semanage.conf. It means that
neverallow rules are checked when executing all semanage commands, see
semanage.conf(5).

In stable releases expand-check is set to 0 due to some concerns, see bug
https://bugzilla.redhat.com/show_bug.cgi?id=1319652

But if and when you do policy development and testing it's useful to
enable it on your own.

> Fixed it to use puppet_test_a_t instead of usr_t.
> :) All checks green now.

Great :)

> [0] https://github.com/voxpupuli/puppet-selinux/
> Petr

-- 
Petr Lautrbach
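To show what the expand-check=1 neverallow check does with the rules quoted above, here is a small added model (not code from the thread or from the SELinux userspace): attributes are expanded to their member types and every allow rule is compared against the neverallow; the attribute memberships, the permission list and the `domtrans_sigchld` helper are constructed for illustration.

```python
"""Toy model of the check that "expand-check = 1" in semanage.conf turns on.

Type attributes are expanded to their member types and every allow rule is
compared against every neverallow rule; any (source, target, class, perm)
tuple that both grant and forbid is a violation, which is what made the
puppet_test_b module fail to load in the thread. Attribute memberships
below are constructed; the real base_typeattr_7/8 sets are not in the thread.
"""

# Constructed attribute memberships (illustrative only).
ATTRIBUTES = {
    "base_typeattr_7": {"usr_t", "bin_t", "etc_t"},             # file types
    "base_typeattr_8": {"puppet_test_a_t", "puppet_test_b_t"},  # domains
}

# Subset of the process permissions listed in the quoted neverallow.
PROCESS_PERMS = {"fork", "transition", "sigchld", "sigkill", "sigstop", "signull", "signal"}

# Rules are (source, target, class, permissions), mirroring the CIL in the thread.
NEVERALLOWS = [("base_typeattr_7", "base_typeattr_8", "process", PROCESS_PERMS)]

def expand(name):
    """A type attribute expands to its member types; a plain type expands to itself."""
    return ATTRIBUTES.get(name, {name})

def neverallow_violations(allows, neverallows=NEVERALLOWS):
    """Sorted (source, target, class, perm) tuples that an allow rule grants but a
    neverallow rule forbids; an empty list means the neverallow check passes."""
    hits = set()
    for a_src, a_tgt, a_cls, a_perms in allows:
        for n_src, n_tgt, n_cls, n_perms in neverallows:
            if a_cls != n_cls:
                continue
            for src in expand(a_src) & expand(n_src):
                for tgt in expand(a_tgt) & expand(n_tgt):
                    for perm in set(a_perms) & set(n_perms):
                        hits.add((src, tgt, a_cls, perm))
    return sorted(hits)

def domtrans_sigchld(source_domain, target_domain):
    """Constructed helper: the rule domtrans_pattern(source, entrypoint, target)
    emits so the new domain can signal its caller, allow target source:process sigchld."""
    return (target_domain, source_domain, "process", {"sigchld"})

# The rule from the failing module (usr_t as caller) and the corrected one.
BROKEN_RULE = domtrans_sigchld("puppet_test_b_t", "usr_t")
FIXED_RULE = domtrans_sigchld("puppet_test_b_t", "puppet_test_a_t")

if __name__ == "__main__":
    for label, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        print(label, neverallow_violations([rule]) or "neverallow check passed")
```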