On Sun, 2009-02-01 at 16:54 -0600, Serge E. Hallyn wrote:
> Quoting Christopher J. PeBenito (pebenito@xxxxxxxx):
> > On Fri, 2009-01-30 at 11:37 -0600, Serge E. Hallyn wrote:
> > > Quoting Serge E. Hallyn (serue@xxxxxxxxxx):
> > > > Quoting Stephen Smalley (sds@xxxxxxxxxxxxx):
> > > > > On Thu, 2009-01-29 at 11:51 -0500, Christopher J. PeBenito wrote:
> > > > > > On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote:
> > > > > > > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote:
> > > > > > > > I'm trying to run the LTP SELinux tests using the latest CVS version of
> > > > > > > > LTP and current Fedora development, and get the following policy
> > > > > > > > compilation error:
> > > > > > > >
> > > > > > > > ----
> > > > > > > > Compiling targeted test_policy module
> > > > > > > >
> > > > > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead.
> > > > > > > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead.
> > > > > > > > [lots of warnings similar to the above]
> > > > > > > >
> > > > > > > > /usr/bin/checkmodule: loading policy configuration from
> > > > > > > > tmp/test_policy.tmp
> > > > > > > > test_policy.te":16:ERROR 'syntax error' at token
> > > > > > > > 'userdom_use_sysadm_terms' on line 3198:
> > > > > > > > userdom_use_sysadm_terms(testdomain)
> > > > > > > > # This allows read and write sysadm ttys and ptys.
> > > > > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > > > > > > > make[1]: *** [tmp/test_policy.mod] Error 1
> > > > > > > > make[1]: Leaving directory `/usr/share/selinux/devel'
> > > > > > > > make: *** [load] Error 2
> > > > > > > > Failed to build and load test_policy module, aborting test run.
> > > > > > > > ----
> > > > > > > >
> > > > > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround?
> > > > > > > >
> > > > > > > It won't compile with the current trunk refpolicy, since the current
> > > > > > > release was a major, API breaking change. I'll try to get a patch out
> > > > > > > shortly.
> > > > > > >
> > > > > > I updated the policy since it's fairly old, though I didn't convert its
> > > > > > raw rules over to use interfaces. However this didn't completely fix
> > > > > > it, as there is usage of a "unconfined_runs_test()", which isn't in the
> > > > > > upstream refpolicy nor the fedora policy, as far as I can see. One of
> > > > > > the updates includes use of sysadm_entry_spec_domtrans_to(), which is in
> > > > > > the upstream refpolicy, but doesn't seem to have made its way downstream
> > > > > > to the fedora policy. I have attached my work so someone familiar with
> > >
> > > sysadm_entry_spec_domtrans is in fedora 10's policy sources, at least,
> > > in modules/roles/sysadm.if. (I don't have a fedora devel system
> > > installed).
> >
> > That has the opposite transition direction (the specified domain
> > transitions to sysadm).
>
> Just to make sure...
>
> You're saying that in upstream refpolicy sysadm_entry_spec_domtrans(foo)
> means foo may transition to sysadm_t, while in fedora 10 policy
> sysadm_entry_spec_domtrans(foo) means sysadm_t may transition to
> foo?

No. They have the same behavior. What happened is that the interface
(the one you need to use, not the above ones) used to be called
userdom_sysadm_entry_spec_domtrans_to(). Then I split all of the roles
into individual policy modules, so that interface got renamed to
sysadm_entry_spec_domtrans_to(), except the new interface was
accidentally dropped. So I added it back in, and it just hasn't gotten
downstream yet.

-- 
Chris PeBenito <pebenito@xxxxxxxxxx>
Developer, Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243