Petr Lautrbach <lautrbach@xxxxxxxxxx> writes:

> Vit Mojzis <vmojzis@xxxxxxxxxx> writes:
>
>> The following commit
>> https://github.com/SELinuxProject/refpolicy/commit/330b0fc3331d3b836691464734c96f3da3044490
>> changed the userdom_base_user_template, which now requires a role
>> corresponding to the user being created to be defined outside of the
>> template.
>> A similar change was also done to fedora-selinux/selinux-policy
>> https://github.com/fedora-selinux/selinux-policy/commit/e1e216b25df1bdb4eb7dbb8f73f32927ad6f3d1f
>>
>> Although I believe the template should define the role (just as it
>> defines the new user), that will require extensive changes to refpolicy.
>> In the meantime the role needs to be defined separately.
>>
>> Fixes:
>> # sepolicy generate --term_user -n newuser
>> Created the following files:
>> /root/a/test/newuser.te # Type Enforcement file
>> /root/a/test/newuser.if # Interface file
>> /root/a/test/newuser.fc # File Contexts file
>> /root/a/test/newuser_selinux.spec # Spec file
>> /root/a/test/newuser.sh # Setup Script
>
> If you don't mind, I'd push it with indented text, i.e.
>
> Fixes:
>     # sepolicy generate --term_user -n newuser
>     Created the following files:
>     /root/a/test/newuser.te # Type Enforcement file
>     /root/a/test/newuser.if # Interface file
>     /root/a/test/newuser.fc # File Contexts file
>     /root/a/test/newuser_selinux.spec # Spec file
>     /root/a/test/newuser.sh # Setup Script
>
>> # ./newuser.sh
>> Building and Loading Policy
>> + make -f /usr/share/selinux/devel/Makefile newuser.pp
>> Compiling targeted newuser module
>> Creating targeted newuser.pp policy package
>> rm tmp/newuser.mod tmp/newuser.mod.fc
>> + /usr/sbin/semodule -i newuser.pp
>> Failed to resolve roleattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/newuser/cil:8
>> Failed to resolve AST
>> /usr/sbin/semodule: Failed!
>> >> Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx> > > Acked-by: Petr Lautrbach <lautrbach@xxxxxxxxxx> > Merged with reformatted commit message. Thanks! >> --- >> python/sepolicy/sepolicy/templates/user.py | 7 +++++++ >> 1 file changed, 7 insertions(+) >> >> diff --git a/python/sepolicy/sepolicy/templates/user.py b/python/sepolicy/sepolicy/templates/user.py >> index 1ff9d2ce..7081fbae 100644 >> --- a/python/sepolicy/sepolicy/templates/user.py >> +++ b/python/sepolicy/sepolicy/templates/user.py >> @@ -28,6 +28,8 @@ policy_module(TEMPLATETYPE, 1.0.0) >> # >> # Declarations >> # >> +role TEMPLATETYPE_r; >> + >> userdom_unpriv_user_template(TEMPLATETYPE) >> """ >> >> @@ -38,6 +40,8 @@ policy_module(TEMPLATETYPE, 1.0.0) >> # >> # Declarations >> # >> +role TEMPLATETYPE_r; >> + >> userdom_admin_user_template(TEMPLATETYPE) >> """ >> >> @@ -48,6 +52,7 @@ policy_module(TEMPLATETYPE, 1.0.0) >> # >> # Declarations >> # >> +role TEMPLATETYPE_r; >> >> userdom_restricted_user_template(TEMPLATETYPE) >> """ >> @@ -59,6 +64,7 @@ policy_module(TEMPLATETYPE, 1.0.0) >> # >> # Declarations >> # >> +role TEMPLATETYPE_r; >> >> userdom_restricted_xwindows_user_template(TEMPLATETYPE) >> """ >> @@ -89,6 +95,7 @@ gen_tunable(TEMPLATETYPE_manage_user_files, false) >> # >> # Declarations >> # >> +role TEMPLATETYPE_r; >> >> userdom_base_user_template(TEMPLATETYPE) >> """ >> -- >> 2.40.0
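Review bot: the `role TEMPLATETYPE_r;` added in the first hunk (@@ -28,6 +28,8 @@, before `userdom_unpriv_user_template(TEMPLATETYPE)`) is unconditional, so every module generated from this template now assumes a policy whose templates no longer declare the role themselves (refpolicy 330b0fc3 and selinux-policy e1e216b2, per the commit message); against an older policy the role would be declared both by the generated module and by the template. Please state in the commit message which policy versions the generated output targets, or say why the duplicate declaration is harmless if it is.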
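Review bot: the reproducer in the commit message exercises only `sepolicy generate --term_user`, while the second hunk (@@ -38,6 +40,8 @@) changes the admin template and the later hunks the restricted, x-windows and base ones; it would be worth recording that modules generated from those templates were also built and loaded with `semodule -i`, since the original failure (`Failed to resolve roleattributeset statement`) is demonstrated for a single generator only.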
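Review bot: in the last hunk (@@ -89,6 +95,7 @@, before `userdom_base_user_template(TEMPLATETYPE)`), and likewise in the other four, a one-line comment above `role TEMPLATETYPE_r;` saying that the role is declared here because userdom_base_user_template no longer declares it would help readers of the generated .te file, where a bare role declaration immediately followed by a user template call looks redundant; the commit message also names only userdom_base_user_template, so a sentence noting that the other four templates need the same declaration (as the diff shows) would save the next reader a lookup.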