[refpolicy] new svn refpolicy difficuties:
justinmattock at gmail.com
Tue Dec 2 18:03:34 CST 2008
On Tue, Dec 2, 2008 at 10:53 AM, Christopher J. PeBenito
<cpebenito at tresys.com> wrote:
> On Tue, 2008-12-02 at 07:57 -0800, Justin P. Mattock wrote:
>> On Tue, 2008-12-02 at 08:13 -0500, Christopher J. PeBenito wrote:
>> > On Sun, 2008-11-30 at 22:19 -0800, Justin P. Mattock wrote:
>> > > With the latest refpolicy, I'm
>> > > able to have all of the allow rules
>> > > during the boot process applied to the policy,
>> > > but as soon as I add any of the allow rules
>> > > after startx, with any role I'm denied
>> > > with building the policy i.g.
>> > >
>> > > :ERROR 'type staff_dbusd_t is not within scope' at token ';' on line
>> > > 2581459:
>> > >
>> > > I think this has to do with my policy/users
>> > > file.(where can I find info on setting a prefix?)
>> > I suspect it is actually related to this:
>> > http://marc.info/?l=selinux&m=122477138927253&w=2
>> > What changes have you made (if any) to the policy? Also the
>> > policy/modules.conf and build.conf?
>> This is the same issue from a few weeks ago
>> (just never got around to working it);
>> as for changes to the modules.conf, I sent
>> you that a few weeks ago, which basically has nothing modified
>> (my goal is to keep the policy as generic as possible
>> no tweaking of any kind); I do modify the build.conf
>> and policy/users.
>> as for the users I set
>> gen_user(user,system_u, sysadm_r staff_r user_r, s0, s0 -mls_systemhigh,
>> and the build.conf I change the policy number setting
>> debian, monolithic=y deny unkown=y not much stuff..
>> I'm not sure but after reading the users file it say's
>> Note: Identities without a prefix wil not be listed
>> in the users_extra file used by genhomedircon.
>> (BTW there a typo in there "will")
>> This here tells me that If I don't have this set
>> correctly(prefix), I won't be able to build the policy
>> accordingly with my user name and roles? hence the always
>> an error during compiling when I add something like
>> If I have this correct will
>> staff_dbus_t change to staff_t? or something to satisfy
>> the compiling of the policy...
> No. This is error is not related to this. The users_extra content is
> used for genhomedircon, and is in fact no longer used now that there is
> UBAC. It has to do with issues with scoping in the compiler. I can't
> reproduce this, where did you put the rules?
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
O.K. well, after throwing away the
intrepid system, and loading hardy
it seems the problem is still
there. If you have any ideas I'm up
to listening, or trying any paches.
until then I'm just going to use the stable
release.(was hoping to tackle this since,
but seems to be too intricate for me.);
Justin P. Mattock
More information about the refpolicy