full_user_role macro not working as expected

Stephen Smalley sds at tycho.nsa.gov
Fri Jun 10 12:39:28 UTC 2005


On Thu, 2005-06-09 at 13:28 -0700, Jeremy Utley wrote:
> The current problem:
> According to the policy writing docs, a role should be created via the
> full_user_role() macro.  So, in domains/misc/custom_policy.te, I
> placed the following line (along with other custom rules that have
> already been compiled successfully and work):
> 
> full_user_role(privileged)

In order to support role changes via newrole, you need some further
rules.  These are defined in the role_tty_type_change() macro defined in
domains/user.te, which means that you presently have to add rules to
domains/user.te; that macro definition should likely be moved to
base_user_macros.te or user_macros.te so that it can be used elsewhere.

If you want the role to be able to use userhelper, sudo, or su, you also
need to include reach_sysadm(privileged); that macro is also presently
defined in domains/user.te and should likely be moved to user_macros.te
or base_user_macros.te.

> Now, when trying to compile the policy after that, I get the following error:
> 
> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> domains/misc/custom_policy.te:13:ERROR 'unknown type
> privileged_userhelper_t' at token ';' on line 115000:
> #line 13
> allow privileged_mozilla_t privileged_userhelper_t:process transition;
> /usr/bin/checkpolicy:  error(s) encountered while parsing configuration
> make: *** [/etc/selinux/strict/policy/policy.18] Error 1

That's a bug in mozilla_macros.te, already removed in the
FC4/development strict policy.  Remove the userhelper transition from
it:

--- macros/program/mozilla_macros.te.orig	2005-06-10 08:37:54.636627280 -0400
+++ macros/program/mozilla_macros.te	2005-06-10 08:38:11.886004976 -0400
@@ -116,9 +116,6 @@
 dontaudit $1_mozilla_t file_type:dir getattr;
 allow $1_mozilla_t self:sem create_sem_perms;
 
-ifdef(`userhelper.te', `
-domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
-')
 dontaudit $1_mozilla_t selinux_config_t:dir search;
 
 #
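Review bot: Dropping the transition outright is the correct fix for the 'unknown type privileged_userhelper_t' failure quoted above, because the removed `ifdef(`userhelper.te', ...)` guard only tests that the userhelper policy module is present, not that a `$1_userhelper_t` domain has actually been declared for the role instantiating the macro, so any role without a userhelper domain fails at checkpolicy time; removing the browser-to-userhelper `domain_auto_trans` also shrinks what is reachable from `$1_mozilla_t`. One suggestion: leave a one-line comment in the macro at the point of removal recording that the transition was taken out deliberately, so a later merge does not reintroduce it.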


-- 
Stephen Smalley
National Security Agency