RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-01-02 03:32:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

python/sepolicy: Fix template for confined user policy modules

Browse Source 
The following commit
330b0fc333
changed the userdom_base_user_template, which now requires a role
corresponding to the user being created to be defined outside of the
template.
Similar change was also done to fedora-selinux/selinux-policy
e1e216b25d

Although I believe the template should define the role (just as it
defines the new user), that will require extensive changes to refpolicy.
In the meantime the role needs to be defined separately.

Fixes:
    # sepolicy generate --term_user -n newuser
    Created the following files:
    /root/a/test/newuser.te # Type Enforcement file
    /root/a/test/newuser.if # Interface file
    /root/a/test/newuser.fc # File Contexts file
    /root/a/test/newuser_selinux.spec # Spec file
    /root/a/test/newuser.sh # Setup Script

    # ./newuser.sh
    Building and Loading Policy
    + make -f /usr/share/selinux/devel/Makefile newuser.pp
    Compiling targeted newuser module
    Creating targeted newuser.pp policy package
    rm tmp/newuser.mod tmp/newuser.mod.fc
    + /usr/sbin/semodule -i newuser.pp
    Failed to resolve roleattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/newuser/cil:8
    Failed to resolve AST
    /usr/sbin/semodule:  Failed!

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
This commit is contained in:
Vit Mojzis 2023-06-01 18:34:30 +02:00 committed by Petr Lautrbach
parent 666a7dfdc8
commit 391cf12600
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
python/sepolicy/sepolicy/templates/user.py
View File

@ -28,6 +28,8 @@ policy_module(TEMPLATETYPE, 1.0.0)
#
# Declarations
#
role TEMPLATETYPE_r;
userdom_unpriv_user_template(TEMPLATETYPE)
"""
@ -38,6 +40,8 @@ policy_module(TEMPLATETYPE, 1.0.0)
#
# Declarations
#
role TEMPLATETYPE_r;
userdom_admin_user_template(TEMPLATETYPE)
"""
@ -48,6 +52,7 @@ policy_module(TEMPLATETYPE, 1.0.0)
#
# Declarations
#
role TEMPLATETYPE_r;
userdom_restricted_user_template(TEMPLATETYPE)
"""
@ -59,6 +64,7 @@ policy_module(TEMPLATETYPE, 1.0.0)
#
# Declarations
#
role TEMPLATETYPE_r;
userdom_restricted_xwindows_user_template(TEMPLATETYPE)
"""
@ -89,6 +95,7 @@ gen_tunable(TEMPLATETYPE_manage_user_files, false)
#
# Declarations
#
role TEMPLATETYPE_r;
userdom_base_user_template(TEMPLATETYPE)
"""