Oddity in evolution.if in selinux-policy-devel-2.4.6-23.fc6.noarch.rpm

Ted Rule ejtr at layer3.co.uk
Sat Jan 13 22:35:17 UTC 2007


The recently released devel rpm,
selinux-policy-devel-2.4.6-23.fc6.noarch.rpm, appears to contain an odd
'corruption' in the evolution.if file, viz:

/usr/share/selinux/devel/include/apps/evolution.if

The end of the interface file contains this set of allow statements: 

allow staff_evolution_alarm_t staff_t:fifo_file { getattr write };
allow staff_evolution_alarm_t staff_t:unix_stream_socket connectto;
allow staff_evolution_alarm_t staff_tmp_t:dir { add_name getattr search setattr write };
allow staff_evolution_alarm_t staff_tmp_t:file { getattr lock read write };
allow staff_evolution_alarm_t staff_tmp_t:sock_file { create write };
allow staff_evolution_alarm_t tmp_t:dir read;

allow staff_evolution_exchange_t staff_t:fd use;
allow staff_evolution_exchange_t staff_t:fifo_file { getattr write };
allow staff_evolution_exchange_t staff_tmp_t:dir { add_name getattr search setattr write };
allow staff_evolution_exchange_t staff_tmp_t:file { getattr lock read write };
allow staff_evolution_exchange_t staff_tmp_t:sock_file { create write };

allow staff_evolution_server_t staff_t:fifo_file { getattr write };
allow staff_evolution_server_t staff_t:unix_stream_socket connectto;
allow staff_evolution_server_t staff_tmp_t:dir { add_name getattr search setattr write };
allow staff_evolution_server_t staff_tmp_t:file { getattr lock read write };
allow staff_evolution_server_t staff_tmp_t:sock_file { create write };
allow staff_evolution_server_t tmp_t:dir { getattr read search };

allow staff_evolution_t default_t:lnk_file read;


I had previously downloaded the .23 rpm from the testing area, but I
only noticed this today whilst I was trying to build a module to rebuild
my anacron module tweak against the .23 policy, and got this error
message:

[root selinux.local]# make localanacron.pp
Compiling strict localanacron module
/usr/bin/checkmodule:  loading policy configuration from tmp/localanacron.tmp
tmp/all_interfaces.conf:7820:ERROR 'syntax error' at token 'allow' on line 3871:

allow staff_evolution_alarm_t staff_t:fifo_file { getattr write };
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/localanacron.mod] Error 1
[root at topaz selinux.local]#

[root ~]#


The error message corresponds to the first rogue line in the interface
file; once I'd commented out all the lines, my new module compiled OK. I
checked for any other rogue 'allow' lines in the other interface
definitions, but this appears to be the only set of oddities.

I made a cursory check elsewhere, and the 2.4.6-21.fc7 policy-devel
appears to have the same corruption, whilst the previous stable fc6 rpm,
2.4.6-17.fc6, doesn't.

I've also created BZ #222548 containing these notes.


-- 
Ted Rule

Director, Layer3 Systems Ltd

W: http://www.layer3.co.uk/

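The check described in the post (looking through the other interface files for rogue 'allow' lines) can be done mechanically. The script below is an added example; it is not part of Ted's post and not code from the selinux-policy package. It assumes the reference-policy convention that an .if file contains only comments and interface()/template() m4 calls at the top level, and it uses parenthesis depth as the proxy for "inside a macro call": any rule keyword seen at depth 0 is outside every interface and would land as a bare statement in tmp/all_interfaces.conf, which is exactly what makes checkmodule stop at token 'allow'. The file produced by write_sample_if is a constructed stand-in for evolution.if, not the real one; scan_if_file and scan_if_files are the hypothetical helper names used here.

```shell
#!/bin/sh
# Added example (not from the original post or the selinux-policy package):
# flag raw policy rules that sit outside any interface()/template() block in
# SELinux reference-policy .if files.  The devel Makefile concatenates every
# .if under /usr/share/selinux/devel/include into tmp/all_interfaces.conf, so
# a bare "allow ..." at the top level of an .if file becomes a bare "allow"
# in that file and checkmodule reports a syntax error at token 'allow'.
#
# Heuristic: track m4 parenthesis depth line by line; a rule keyword on a
# line that starts at depth 0 is outside every macro call and therefore rogue.

scan_if_file() {
    # Usage: scan_if_file FILE
    # Prints FILE:LINE: TEXT for each top-level rule; returns 1 if any found.
    awk -v fname="$1" '
    {
        line = $0
        sub(/#.*/, "", line)            # drop "## <summary>" and other comments
        if (depth == 0 && line ~ /^[ \t]*(allow|dontaudit|auditallow|neverallow|type_transition|role_transition|typeattribute)[ \t]/) {
            printf "%s:%d: %s\n", fname, NR, $0
            found++
        }
        opens  = gsub(/\(/, "(", line)  # interface(`...`, gen_require(`...`), ...
        closes = gsub(/\)/, ")", line)  # the closing "'')" of each macro call
        depth += opens - closes
    }
    END { exit (found ? 1 : 0) }
    ' "$1"
}

scan_if_files() {
    # Usage: scan_if_files FILE...   e.g. /usr/share/selinux/devel/include/*/*.if
    # Returns 1 if any file contains a top-level rule.
    status=0
    for f in "$@"; do
        scan_if_file "$f" || status=1
    done
    return $status
}

write_sample_if() {
    # Constructed stand-in for evolution.if (assumed layout, not the real file):
    # two well-formed macro definitions followed by three rogue allow rules.
    cat >"$1" <<'EOF'
## <summary>Evolution email client (constructed sample)</summary>

########################################
## <summary>
##      Execute evolution in the evolution domain.
## </summary>
interface(`evolution_domtrans',`
        gen_require(`
                type evolution_t, evolution_exec_t;
        ')

        domtrans_pattern($1, evolution_exec_t, evolution_t)
        allow $1 evolution_t:fd use;
')

template(`evolution_per_role_template',`
        type $1_evolution_t;
        allow $1_evolution_t $2:fifo_file { getattr write };
')

allow staff_evolution_alarm_t staff_t:fifo_file { getattr write };
allow staff_evolution_alarm_t staff_t:unix_stream_socket connectto;
allow staff_evolution_t default_t:lnk_file read;
EOF
}

# When given .if files on the command line, scan them and exit non-zero if
# any rogue rule is found; with no arguments the functions above are just
# defined (so the file can be sourced or the sample scanned by hand).
[ $# -eq 0 ] || scan_if_files "$@"
```

Run it against the installed devel tree with `sh scan_if.sh /usr/share/selinux/devel/include/*/*.if`; each hit is reported with the file and line number, which is the line to comment out or report. Rules inside an ifdef()/tunable_policy() block are at depth 1 or deeper and are not flagged, and the paren-depth heuristic will be fooled by an unbalanced parenthesis inside a comment-free string, so treat a hit as something to look at rather than as proof on its own.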