Found conflicting filecon rules
by Henry Zhang
Vit,
I have met "Found conflicting filecon rules" at
(filecon "/usr/bin/sh" file (system_u object_r shell_exec_t ((s0) (s0))))
Both cil files have the same issue:
at .....image/var/lib/selinux/mcs/tmp/modules/100/fwmon/cil:528
at ...../image/var/lib/selinux/mcs/tmp/modules/100/base/cil:5864
How do I solve such an issue?
Would you please give me a hint?
---henry
4 months, 2 weeks
how to read cil file in selinux
by Henry Zhang
Folks,
I got an error:
| Failed to resolve permission remove_name
| Failed to resolve allow statement at build/tmp/work/fsl-linux/refpolicy-mcs/2/image/var/lib/selinux/mcs/tmp/modules/100/cert_manager/cil:342
| Failed to resolve AST
| semodule: Failed!
| WARNING: build/tmp/work/fsl-linux/refpolicy-mcs/2/temp/run.do_install.21106:247 exit 1 from 'semodule -p build/tmp/work/fsl-linux/refpolicy-mcs/2/image -s mcs -n -B -D'
How can I read the cil file?
Thanks.
---henry
4 months, 3 weeks
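Added example, not part of either post above and not refpolicy or libsemanage code: a Python sketch that reads module `cil` files (plain or bzip2-compressed) and lists filecon entries where the same path and file type receive different contexts, which is the condition this script treats as a conflict. The `fwmon_exec_t` type and the sample CIL text are constructed for illustration, and each filecon statement is assumed to sit on one line.

```python
import bz2
import re
import sys
from collections import defaultdict
from pathlib import Path

TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()"]+')

def read_cil(path):
    """Return CIL text from a plain or bzip2-compressed module file."""
    raw = Path(path).read_bytes()
    if raw.startswith(b"BZh"):  # bzip2 magic
        raw = bz2.decompress(raw)
    return raw.decode("utf-8", "replace")

def filecons(text, origin):
    """Yield (path, ftype, context, 'origin:line') per one-line filecon statement."""
    for lineno, line in enumerate(text.splitlines(), 1):
        start = line.find("(filecon ")
        if start < 0 or line.lstrip().startswith(";"):  # skip CIL comments
            continue
        tokens = TOKEN.findall(line[start:])
        if len(tokens) < 6:
            continue
        # tokens: ( filecon "path" type <context ...> )
        yield tokens[2].strip('"'), tokens[3], " ".join(tokens[4:-1]), f"{origin}:{lineno}"

def conflicts(sources):
    """Map (path, ftype) -> [(context, location)] where contexts disagree."""
    seen = defaultdict(list)
    for origin, text in sources.items():
        for path, ftype, ctx, loc in filecons(text, origin):
            seen[(path, ftype)].append((ctx, loc))
    return {k: v for k, v in seen.items() if len({c for c, _ in v}) > 1}

# Constructed sample: two modules labelling the same path differently.
SAMPLE = {
    "base": '(type shell_exec_t)\n'
            '(filecon "/usr/bin/sh" file (system_u object_r shell_exec_t ((s0) (s0))))\n',
    "fwmon": '(type fwmon_exec_t)\n'  # hypothetical type
             '(filecon "/usr/bin/fwmon" file (system_u object_r fwmon_exec_t ((s0) (s0))))\n'
             '(filecon "/usr/bin/sh" file (system_u object_r fwmon_exec_t ((s0) (s0))))\n',
}

if __name__ == "__main__":
    # Pass cil file paths as arguments; with none, the constructed sample is used.
    srcs = {p: read_cil(p) for p in sys.argv[1:]} or SAMPLE
    for (path, ftype), entries in conflicts(srcs).items():
        print(f"{path} ({ftype})")
        for ctx, loc in entries:
            print(f"  {loc}: {ctx}")
```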
Re: [CentOS-devel] Making the redhat selinux-policy repository
publicly available
by Zdenek Pytela
On Tue, Jul 11, 2023 at 10:37 PM Troy Dawson <tdawson(a)redhat.com> wrote:
> On Tue, Jul 11, 2023 at 12:50 PM Neal Gompa <ngompa13(a)gmail.com> wrote:
>
>> On Tue, Jul 11, 2023 at 9:31 AM Troy Dawson <tdawson(a)redhat.com> wrote:
>> >
>> > On Tue, Jul 11, 2023 at 4:28 AM Daan De Meyer <daan.j.demeyer(a)gmail.com>
>> wrote:
>> >>
>> >> Hi,
>> >>
>> >> It seems that the selinux-policy rpm is built from
>> >> git@gitlab.cee.redhat.com:SELinux/selinux-policy.git which seems to be
>> >> a redhat internal repository. More specifically, if I try to checkout
>> >> the commit listed in the selinux-policy spec
>> >> (
>> https://gitlab.com/redhat/centos-stream/rpms/selinux-policy/-/blob/c9s/se...
>> )
>> >> in the fedora-selinux repository cloned from github, I get an error
>> >> saying that the commit does not exist. It would be great if the
>> >> repository containing this commit was publicly available and open for
>> >> external contributors just like all the other packages in CentOS
>> >> Stream. Is it possible to make this happen?
>> >
>> >
>> > I'm not the selinux-policy maintainer, so I can't comment on where they
>> work on the selinux-policy source code.
>> >
>> > But this is how I get the sources, if that is what you are ultimately
>> looking for.
>> >
>> > centpkg clone selinux-policy
>> > cd selinux-policy
>> > centpkg sources
>> > or if you want to know where they really are
>> > centpkg -v sources
>> > This shows it to be coming from
>> >
>> https://sources.stream.centos.org/sources/rpms/selinux-policy/selinux-pol...
>> >
>> > The sources information is found in the sources file
>> >
>> https://gitlab.com/redhat/centos-stream/rpms/selinux-policy/-/blob/c9s/so...
>> >
>> > I know this isn't exactly what you asked for, but I hope it still helps.
>> >
>>
>> I think the idea is that having the Git repository in a public
>> location would allow the CentOS Hyperscale SIG to contribute to the
>> SELinux policy in a meaningful way.
>>
>
> Ah, ok. That makes sense.
> As I said, I'm not the maintainer so I don't know why it's where it is.
> So I'll step out of the conversation.
>
Hi,
I am one of the selinux-policy maintainers. Currently, the repository for
Fedora is at github.com and the RHEL sources are in an internal repo. We have
already discussed moving the CentOS Stream sources to some of the public
repositories, but it did not happen. Currently we are discussing it again;
there are a few options for how to do so.
To get just the latest repository content, the steps described by Troy should
work. Additionally, most of the upstream work is done in Fedora, and every
new commit should go to Fedora first anyway; RHEL content is mostly a subset
of Fedora, with very few differences.
--
Zdenek Pytela
Security SELinux team
4 months, 4 weeks
Re: [CentOS-devel] Making the redhat selinux-policy repository
publicly available
by Neal Gompa
On Tue, Jul 11, 2023 at 9:31 AM Troy Dawson <tdawson(a)redhat.com> wrote:
>
> On Tue, Jul 11, 2023 at 4:28 AM Daan De Meyer <daan.j.demeyer(a)gmail.com> wrote:
>>
>> Hi,
>>
>> It seems that the selinux-policy rpm is built from
>> git@gitlab.cee.redhat.com:SELinux/selinux-policy.git which seems to be
>> a redhat internal repository. More specifically, if I try to checkout
>> the commit listed in the selinux-policy spec
>> (https://gitlab.com/redhat/centos-stream/rpms/selinux-policy/-/blob/c9s/se...)
>> in the fedora-selinux repository cloned from github, I get an error
>> saying that the commit does not exist. It would be great if the
>> repository containing this commit was publicly available and open for
>> external contributors just like all the other packages in CentOS
>> Stream. Is it possible to make this happen?
>
>
> I'm not the selinux-policy maintainer, so I can't comment on where they work on the selinux-policy source code.
>
> But this is how I get the sources, if that is what you are ultimately looking for.
>
> centpkg clone selinux-policy
> cd selinux-policy
> centpkg sources
> or if you want to know where they really are
> centpkg -v sources
> This shows it to be coming from
> https://sources.stream.centos.org/sources/rpms/selinux-policy/selinux-pol...
>
> The sources information is found in the sources file
> https://gitlab.com/redhat/centos-stream/rpms/selinux-policy/-/blob/c9s/so...
>
> I know this isn't exactly what you asked for, but I hope it still helps.
>
I think the idea is that having the Git repository in a public
location would allow the CentOS Hyperscale SIG to contribute to the
SELinux policy in a meaningful way.
--
真実はいつも一つ!/ Always, there's only one truth!
5 months
Making the redhat selinux-policy repository publicly available
by Daan De Meyer
Hi,
It seems that the selinux-policy rpm is built from
git@gitlab.cee.redhat.com:SELinux/selinux-policy.git which seems to be
a redhat internal repository. More specifically, if I try to checkout
the commit listed in the selinux-policy spec
(https://gitlab.com/redhat/centos-stream/rpms/selinux-policy/-/blob/c9s/se...)
in the fedora-selinux repository cloned from github, I get an error
saying that the commit does not exist. It would be great if the
repository containing this commit was publicly available and open for
external contributors just like all the other packages in CentOS
Stream. Is it possible to make this happen?
Cheers,
Daan De Meyer
5 months