Hi,
I'll push builds with updated SELinux Userspace and SETools into Rawhide soon.
In the meantime, you can test it from my COPR plautrba/selinux-2.6 repository [1].
SELinux userspace Release 2016-10-14 2.6
- sepolicy was converted to SETools 4
- lots of genhomedircon enhancements
For more information about this release see [2]
SETools 4.0.0 and 4.1.0
- this update is needed for policycoreutils-2.6
- tools were reimplemented in Python
- added new tools sedta and seinfoflow
- implemented v30 policy support
- apol: PyQt5 was chosen as the GUI library for SETools
For more information about these releases see [3], [4]
[1] https://copr.fedorainfracloud.org/coprs/plautrba/selinux-2.6/
[2] https://marc.info/?l=selinux&m=147646050027049&w=2
[3] https://marc.info/?l=selinux&m=146237109422331&w=2
[4] https://marc.info/?l=selinux&m=148521504308304&w=2
Petr
Hi Petr
On 16.02.2017 at 12:27, Petr Lautrbach wrote:
> I'll push builds with updated SELinux Userspace and SETools into Rawhide soon.
> In the meantime, you can test it from my COPR plautrba/selinux-2.6 repository [1].
I enabled it on F25 and ran the puppet-selinux modules acceptance tests (uses semanage/semanage/seboolean to build and add modules, enabling booleans, manages ports, manages a permissive domain, sets some fcontexts) [0]. It detected a problem in a test policy I wrote. "domtrans_pattern($1, puppet_test_a_exec_t, usr_t)" fails now with:
...
Exec[install-module-puppet_test_b]/returns: neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4528
Exec[install-module-puppet_test_b]/returns: (neverallow base_typeattr_7 base_typeattr_8 (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate)))
Exec[install-module-puppet_test_b]/returns: <root>
Exec[install-module-puppet_test_b]/returns: allow at /var/lib/selinux/targeted/tmp/modules/400/puppet_test_b/cil:22
Exec[install-module-puppet_test_b]/returns: (allow usr_t puppet_test_b_t (process (sigchld)))
Exec[install-module-puppet_test_b]/returns: ...
Fixed it to use puppet_test_a_t instead of usr_t. :) All checks green now.
- Thomas
On 02/17/2017 08:30 AM, Thomas Mueller wrote:
> Hi Petr
>
> On 16.02.2017 at 12:27, Petr Lautrbach wrote:
> > I'll push builds with updated SELinux Userspace and SETools into Rawhide soon.
> > In the meantime, you can test it from my COPR plautrba/selinux-2.6 repository [1].
>
> I enabled it on F25 and ran the puppet-selinux modules acceptance tests (uses semanage/semanage/seboolean to build and add modules, enabling booleans, manages ports, manages a permissive domain, sets some fcontexts) [0].
Thanks for the tests!
> It detected a problem in a test policy I wrote. "domtrans_pattern($1, puppet_test_a_exec_t, usr_t)" fails now with:
> ...
> Exec[install-module-puppet_test_b]/returns: neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4528
> Exec[install-module-puppet_test_b]/returns: (neverallow base_typeattr_7 base_typeattr_8 (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate)))
> Exec[install-module-puppet_test_b]/returns: <root>
> Exec[install-module-puppet_test_b]/returns: allow at /var/lib/selinux/targeted/tmp/modules/400/puppet_test_b/cil:22
> Exec[install-module-puppet_test_b]/returns: (allow usr_t puppet_test_b_t (process (sigchld)))
> Exec[install-module-puppet_test_b]/returns: ...
It's not directly related to the 2.6 userspace.
In Rawhide we have "expand-check = 1" in /etc/selinux/semanage.conf. It means that neverallow rules are checked by all semanage commands; see semanage.conf(5).
In stable releases expand-check is set to 0 due to some concerns, see bug https://bugzilla.redhat.com/show_bug.cgi?id=1319652
But if and when you do policy development and testing, it's useful to enable it yourself.
> Fixed it to use puppet_test_a_t instead of usr_t. :) All checks green now.
Great :)
Petr
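Since the practical takeaway of the thread is to turn expand-check on yourself when developing policy on a stable release, here is an added POSIX shell example (not code from the thread, from Petr, or from the SELinux userspace project) that reads and sets the option in a semanage.conf-style file. The function names, the constructed sample file and the use of a temporary copy are assumptions made for this example; on a real system you would run set_expand_check as root against /etc/selinux/semanage.conf, and libsemanage then checks neverallow rules on the next semanage or semodule run, which is what surfaced the bad domtrans_pattern() target above.

```shell
#!/bin/sh
# Added example, not code from the thread: read and set expand-check in a
# semanage.conf-style file so that neverallow rules are checked on every
# semanage/semodule run, the way Rawhide ships it.
# Each function takes the file path as its first argument; run
# set_expand_check against /etc/selinux/semanage.conf as root to change
# the real setting (assumed path, taken from the thread).
set -eu

# Print the expand-check value found in FILE, or "unset" if the file has
# no expand-check line. If several lines exist the last one is reported.
get_expand_check() {
    f=$1
    v=$(sed -n 's/^[[:space:]]*expand-check[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$f" | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Set expand-check in FILE to 0 or 1. An existing line is rewritten in
# place (keeping the file's mode and owner); otherwise one is appended.
# Only the file is touched: the new setting applies to the next
# semanage/semodule invocation.
set_expand_check() {
    f=$1
    want=$2
    case $want in
        0|1) ;;
        *) echo "expand-check must be 0 or 1, got '$want'" >&2; return 2 ;;
    esac
    if grep -q '^[[:space:]]*expand-check[[:space:]]*=' "$f"; then
        t=$(mktemp)
        sed "s/^[[:space:]]*expand-check[[:space:]]*=.*/expand-check = $want/" "$f" > "$t"
        cat "$t" > "$f"
        rm -f "$t"
    else
        printf 'expand-check = %s\n' "$want" >> "$f"
    fi
}

# Constructed sample with the stable-release setting mentioned in the
# thread (expand-check = 0); not a copy of any distribution's file.
demo_conf() {
    d=$(mktemp)
    cat > "$d" <<'EOF'
# constructed semanage.conf sample for the example
module-store = direct
# Stable releases ship with neverallow checking off:
expand-check = 0
EOF
    printf '%s\n' "$d"
}

# Usage on the constructed copy (the weak setting, then the corrected one):
conf=$(demo_conf)
echo "before: expand-check = $(get_expand_check "$conf")"
set_expand_check "$conf" 1
echo "after:  expand-check = $(get_expand_check "$conf")"
rm -f "$conf"
```

After flipping the setting, re-run the module build that previously passed (semodule -i, or the semanage call the test suite uses); a neverallow violation such as the usr_t one above then fails the install instead of silently loading.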