Compile error: ERROR 'syntax error' at token 'attribute_role'
by JeeHyun Hwang
Hello, all,
I downloaded the SELinux source. I made policy.conf using make conf. I
tried to use apol to analyze policy.conf and found the error below. It seems
that attribute_role cannot be parsed in libqpol.
ERROR 'syntax error' at token 'attribute_role' on line 1299:
attribute zarafa_domain;
attribute_role bootleader_roles; <-- This is the first attribute_role shown
in policy.conf
I also tried to compile using checkpolicy via make policy. But it hangs
all day. I think it's the same problem.
Could you please let me know how to parse 'attribute_role'? Did I miss
anything?
Thank you in advance.
--
Best wishes,
J Hwang
10 years, 5 months
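The poster found the first attribute_role by reading policy.conf by hand. The script below is an added example (not code from the post, from SETools or from checkpolicy) that does the same scan over the whole file: it strips `#` comments and reports every statement whose first token is one of a list of newer policy-language keywords, in the same style as the libqpol error. The keyword list is an assumption to tune for the parser you are using; only attribute_role is taken from the thread, the rest are later additions to the policy language that an old libqpol may or may not accept.

```python
"""Pre-flight scan of a policy.conf for statements an older policy parser
cannot handle.

Added example; not code from the original post, from SETools or from
checkpolicy.  Reports every statement that starts with one of the listed
keywords, skipping `#` comments, so you know what to strip or which tool
version you need before handing the file to apol.

Assumption: the keyword list is ours.  `attribute_role` is the one the
post hit; the others are later policy-language additions that may or may
not be supported by your parser, so tune the list.
"""
import re
import sys

NEWER_KEYWORDS = (
    "attribute_role",   # role attribute declaration (from the post)
    "roleattribute",    # assigns roles to a role attribute
    "default_user",     # default_* object labelling statements
    "default_role",
    "default_type",
    "default_range",
    "typebounds",
)

_COMMENT_RE = re.compile(r"#.*$")
_HEAD_RE = re.compile(r"^([A-Za-z_]+)")


def find_unsupported_statements(policy_text, keywords=NEWER_KEYWORDS):
    """Return [(line_no, keyword, statement)] for each statement whose first
    token is in `keywords`.  Comments are stripped first, so a keyword that
    only appears inside a comment does not count."""
    hits = []
    for lineno, raw in enumerate(policy_text.splitlines(), start=1):
        line = _COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        m = _HEAD_RE.match(line)
        if m and m.group(1) in keywords:
            hits.append((lineno, m.group(1), line))
    return hits


def format_report(policy_text, keywords=NEWER_KEYWORDS):
    """Render hits in the style of the libqpol error quoted in the post,
    one line per statement; empty string when the file is clean."""
    return "\n".join(
        "ERROR 'syntax error' at token '%s' on line %d: %s" % (kw, n, stmt)
        for n, kw, stmt in find_unsupported_statements(policy_text, keywords)
    )


# Constructed sample loosely mirroring the lines quoted in the post.
SAMPLE_POLICY_CONF = """\
attribute zarafa_domain;
attribute_role bootleader_roles;   # first role attribute declaration
role system_r;
roleattribute system_r bootleader_roles;
# an attribute_role mentioned only in a comment must not be reported
allow zarafa_domain self:process signal;
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY_CONF
    report = format_report(text)
    print(report or "no unsupported statements found")
    sys.exit(1 if report else 0)
```

Run it as `python scan_policy.py policy.conf`; a non-zero exit means the file contains statements from the list, and the line numbers tell you which ones to strip (or whether to upgrade the parser) before apol sees the file.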
[PATCH 4/5] Adding seadmin manpage info into sepolicy.8
by Leonidas Da Silva Barbosa
Signed-off-by: Leonidas Da Silva Barbosa <leosilva(a)linux.vnet.ibm.com>
---
policycoreutils/sepolicy/sepolicy.8 | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policycoreutils/sepolicy/sepolicy.8 b/policycoreutils/sepolicy/sepolicy.8
index 7900586..5429234 100644
--- a/policycoreutils/sepolicy/sepolicy.8
+++ b/policycoreutils/sepolicy/sepolicy.8
@@ -56,6 +56,11 @@ Query SELinux policy network information
Query SELinux Policy to see how a source process domain can transition to the target process domain
.B sepolicy-transition(8)
+.B admin
+.br
+Generate a SELinux user admin linked with an UNIX LOGIN
+.B sepolicy-admin(8)
+
.SH "DESCRIPTION"
sepolicy is a tools set that will query the installed SELinux policy and generate useful reports, man pages, or even new policy modules.
See the argument specific man pages for options and descriptions.
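Review bot: the new description "Generate a SELinux user admin linked with an UNIX LOGIN" should read "Generate an SELinux admin user linked with a UNIX login", and it understates what the command does: per the help text in patch 2/5 the -e/--extend option writes commands into the sudoers file, which is a privilege grant the man page should state. The entry also points at sepolicy-admin(8), which this patch does not add, so confirm that page is part of the series, and the subject says "seadmin" while the subcommand is "admin"; use one name.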
--
1.8.3.1
10 years, 5 months
[PATCH 2/5] adding changes to sepolicy argparse, seadmin option
by Leonidas Da Silva Barbosa
Signed-off-by: Leonidas Da Silva Barbosa <leosilva(a)linux.vnet.ibm.com>
---
policycoreutils/sepolicy/sepolicy.py | 52 ++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
index 74fb347..abc6341 100755
--- a/policycoreutils/sepolicy/sepolicy.py
+++ b/policycoreutils/sepolicy/sepolicy.py
@@ -620,6 +620,57 @@ def gen_generate_args(parser):
help=_("executable to confine"))
pol.set_defaults(func=generate)
+
+def admin(args):
+ from sepolicy import seadmin
+
+ if args.add and args.adminrole and args.login:
+ seisolate.create_user(args.adminrole, args.login, args.user)
+ seisolate.link(args.adminrole, args.login, args.commands)
+ elif args.add and not args.adminrole or args.login:
+ print("Role and LOGIN must be specified")
+ sys.exit(1)
+
+ if args.modify and args.adminrole and args.user:
+ seisolate.modify(args.user, args.adminrole)
+ elif args.modify and not args.adminrole or not args.user:
+ print("A user and a role must be specified")
+ sys.exit(1)
+
+ if args.delete and args.user and args.login:
+ seisolate.delete(args.user, args.login)
+ elif args.delete and not args.user or not args.login:
+ print("An user and a LOGIN must the specified")
+ sys.exit(1)
+
+
+def gen_admin_args(parser):
+ admin = parser.add_parser("admin",
+ help=_("Create a link between LOGIN and admin user"))
+ admin.add_argument("-a", "--add", dest="add",
+ action="store_true", default=False,
+ help=_("Add a new admin user"))
+ admin.add_argument("-u", "--user", dest="user",
+ action="store",
+ help=_("Receive an admin user if passed"))
+ admin.add_argument("-r", "--role", dest="adminrole",
+ action=CheckRole,
+ help=_("Receive an admin role name"))
+ admin.add_argument("-l", "--login", dest="login",
+ action="store",
+ help=_("Receive a LOGIN to create the admin user"))
+ admin.add_argument("-m", "--modify", dest="modify",
+ action="store_true", default=False,
+ help=_("Modify a given admin user"))
+ admin.add_argument("-d", "--delete", dest="delete",
+ action="store_true", default=False,
+ help=_("Delete a given admin user and a LOGIN"))
+ admin.add_argument("-e", "--extend", dest="commands",
+ actions="store", default="ALL",
+ help=_("Receive commands to set in sudoers file"))
+ admin.set_defaults(func=admin)
+
+
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='SELinux Policy Inspection Tool')
subparsers = parser.add_subparsers(help=_("commands"))
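Review bot: admin() cannot run as written: it imports seadmin but every call goes to an undefined seisolate (NameError), and in gen_admin_args() the local `admin = parser.add_parser("admin", ...)` shadows the admin() function, so `admin.set_defaults(func=admin)` registers the subparser object as the handler and args.func(args) raises TypeError; rename the local (e.g. `sub`). The guard conditions also parse wrong: `elif args.add and not args.adminrole or args.login:` is `(add and not role) or login`, so `-a -r R -l L` reaches the error branch after the work is already done and a bare `-l L` is rejected even without -a; write `args.add and not (args.adminrole and args.login)` and the same for the modify and delete branches. `actions="store"` on -e/--extend is a typo for `action=` and argparse raises as soon as the parser is built. Finally, `default="ALL"` means every admin created gets an unrestricted sudoers entry unless the caller remembers the flag; default to no sudo entry (or require an explicit value) and validate the command list before writing it to sudoers.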
@@ -634,6 +685,7 @@ if __name__ == '__main__':
gen_manpage_args(subparsers)
gen_network_args(subparsers)
gen_transition_args(subparsers)
+ gen_admin_args(subparsers)
try:
if os.path.basename(sys.argv[0]) == "sepolgen":
--
1.8.3.1
10 years, 5 months
issue on deleting a SELinux customized user
by Leonidas Da Silva Barbosa
I was trying to delete a user with seobject.seluserRecords.delete,
but I realized that once I have deleted a SELinux user created with the
seobject.seluserRecords.add method, when I try to use
.add again to create another one I get the following
error message:
libsemanage.validate_handler: selinux user se_auditadm_u does not exist (No
such file or directory).
libsemanage.validate_handler: seuser mapping [se_auditadm_u -> (se_auditadm_u,
s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such
file or directory).
The only way I found to fix it was deleting the lines related to
the deleted user in:
/etc/selinux/targeted/modules/active/seusers and seusers.final.
I'm wondering if I'm doing something wrong or if there is a better way to do
that.
Thanks in advance.
Leonidas.
10 years, 5 months
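The errors quoted above say that a seusers entry (login -> SELinux user -> MLS range) still names se_auditadm_u after that user was removed, and libsemanage refuses to iterate the store until that mapping is valid again. The example below is added here and is not code from the post or from libsemanage: it parses seusers text, lists the logins still mapped to a user so they can be removed first, reports dangling mappings the way validate_handler does, and (under the assumption that seobject's loginRecords/seluserRecords are available, as on a Fedora host) deletes the login mappings before the user so no hand-editing of the store files is needed. The seusers line format `login:seuser:mls_range` is assumed; the sample text is constructed.

```python
"""Remove login mappings that point at a SELinux user before deleting the
user, and detect mappings left dangling.

Added example; not code from the original post or from libsemanage.
Assumptions: seusers lines have the form `login:seuser:mls_range` (the
range itself contains colons, so only the first two are split on); the
seobject calls live only inside delete_selinux_user(), so the pure-Python
checks run on any machine.
"""


def parse_seusers(text):
    """Parse seusers text into a list of (login, seuser, mls_range)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError("malformed seusers line: %r" % raw)
        entries.append(tuple(parts))
    return entries


def logins_for_user(seusers_text, seuser):
    """Logins whose mapping names `seuser`; these must go before the user."""
    return [login for login, user, _ in parse_seusers(seusers_text) if user == seuser]


def dangling_mappings(seusers_text, existing_users):
    """Mappings whose SELinux user is not in `existing_users`.  Each one is
    what libsemanage's validate_handler reports as
    'seuser mapping [...] is invalid' once the user has been removed."""
    return [e for e in parse_seusers(seusers_text) if e[1] not in existing_users]


def delete_selinux_user(seuser):
    """Delete `seuser` from the live semanage store, login mappings first.
    Needs root and the seobject module (policycoreutils); not exercised by
    the checks below."""
    import seobject  # imported lazily so the pure checks work without it
    logins = seobject.loginRecords()
    # get_all() maps login -> (seuser, mls_range)
    for login, (mapped_user, _range) in logins.get_all().items():
        if mapped_user == seuser:
            logins.delete(login)
    seobject.seluserRecords().delete(seuser)


# Constructed sample in the seusers format; se_auditadm_u is the user the
# post deleted while the 'auditadm' login was still mapped to it.
SAMPLE_SEUSERS = """\
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
auditadm:se_auditadm_u:s0-s0:c0.c1023
"""

# Users that remain in the store after se_auditadm_u is removed (constructed).
USERS_AFTER_DELETE = {"unconfined_u", "system_u", "user_u", "staff_u", "root"}

if __name__ == "__main__":
    for login, user, mls in dangling_mappings(SAMPLE_SEUSERS, USERS_AFTER_DELETE):
        print("seuser mapping [%s -> (%s, %s)] is invalid" % (login, user, mls))
```

Before deleting a customized user, run logins_for_user() against the store's seusers file (or `semanage login -l`) and remove those logins first; if a store is already broken, dangling_mappings() tells you exactly which entries libsemanage is complaining about.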
selinux Digest, Vol 117, Issue 1
by selinux-request@lists.fedoraproject.org
Today's Topics:
1. issue on deleting a SELinux customized user (Leonidas S. Barbosa)
2. Re: what do we do with user_home_t, and what more could we do
with it? (Miroslav Grepl)
3. Re: what do we do with user_home_t, and what more could we do
with it? (Dominick Grift)
----------------------------------------------------------------------
Message: 1
Date: Thu, 31 Oct 2013 17:46:14 -0200
From: "Leonidas S. Barbosa" <leosilva(a)linux.vnet.ibm.com>
To: selinux(a)lists.fedoraproject.org
Cc: Daniel J Walsh <dwalsh(a)redhat.com>
Subject: issue on deleting a SELinux customized user
Message-ID: <20131031194612.GA26741(a)bluepex.com>
Content-Type: text/plain; charset=utf-8
------------------------------
Message: 2
Date: Fri, 01 Nov 2013 10:41:34 +0100
From: Miroslav Grepl <mgrepl(a)redhat.com>
To: Dominick Grift <dominick.grift(a)gmail.com>
Cc: Daniel J Walsh <dwalsh(a)redhat.com>,
selinux(a)lists.fedoraproject.org
Subject: Re: what do we do with user_home_t, and what more could we do
with it?
Message-ID: <5273774E.4030001(a)redhat.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
On 10/30/2013 05:07 PM, Dominick Grift wrote:
> On Wed, 2013-10-30 at 11:53 -0400, Daniel J Walsh wrote:
>
>> Well in this case I would like to potentially run these container/apps with
>> Types like firefox_t and ooffice_t, but more generically with app_t where
>> app_t is not allowed to touch user_home_t.
>>
>> But we are going far afield of this email chain, and we can revisit this when
>> we actually have applications containers.
>>
>>
> Sure, we will see, and yes I guess containers in Gnome are inevitable
> anyways (what about other DEs). I think, but you probably already know
> that, that we should not try to prevent access to the generic user home
> content type user_home_t, but instead classify everything that is not
> generic.
And do you think it is really possible?
>
> Anyways the difference is that i have integrity enforcement on the
> desktop currently implemented (albeit somewhat limited), and what you
> are suggesting is something that might work in a distant future.
>
> </thread>
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
------------------------------
Message: 3
Date: Fri, 01 Nov 2013 11:52:12 +0100
From: Dominick Grift <dominick.grift(a)gmail.com>
To: Miroslav Grepl <mgrepl(a)redhat.com>
Cc: Daniel J Walsh <dwalsh(a)redhat.com>,
selinux(a)lists.fedoraproject.org
Subject: Re: what do we do with user_home_t, and what more could we do
with it?
Message-ID: <1383303132.2922.12.camel@d30>
Content-Type: text/plain; charset="UTF-8"
On Fri, 2013-11-01 at 10:41 +0100, Miroslav Grepl wrote:
> On 10/30/2013 05:07 PM, Dominick Grift wrote:
>> On Wed, 2013-10-30 at 11:53 -0400, Daniel J Walsh wrote:
>>
>>> Well in this case I would like to potentially run these container/apps with
>>> Types like firefox_t and ooffice_t, but more generically with app_t where
>>> app_t is not allowed to touch user_home_t.
>>>
>>> But we are going far afield of this email chain, and we can revisit this when
>>> we actually have applications containers.
>>>
>>>
>> Sure, we will see, and yes I guess containers in Gnome are inevitable
>> anyways (what about other DEs). I think, but you probably already know
>> that, that we should not try to prevent access to the generic user home
>> content type user_home_t, but instead classify everything that is not
>> generic.
> And do you think it is really possible?
>>
"I have proof that it is possible, if one sets clear goals, boundaries,
and realistic expectations."
Confining the user space is not that different from confining the system
space. It's just a lot more work to maintain and more error prone,
because there is more interactivity, and things change more frequently
in the user space.
But if you set clear goals, and clear boundaries (as to what you support
and what not), then yes, I know it's possible because I implemented it.
The same goes for the system space; we also set boundaries there. "This
we can, and will support, and anything else not."
------------------------------
10 years, 5 months
what do we do with user_home_t, and what more could we do with it?
by Matthew Miller
There is some concern on the devel mailing list about user-writable
directories in the default $PATH -- initially discussion about ~/.local/bin
as a hidden file, but now also out to ~/bin as well. I notice that these are
home_bin_t. What does this do with the current policy, and what more could
we do? (Particularly, a compromised application shouldn't be able to put
binaries there, but a shell script or something like `pip install` probably
_should_ be able to.)
--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm(a)fedoraproject.org>
10 years, 5 months