Bug 480628 - sec-policy/selinux-apache-2.20130424-r2 apache's global requirements were not met
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: AMD64 Linux
Importance: Normal major
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r3
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-11 14:44 UTC by Dennis Freise
Modified: 2014-01-12 20:53 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
build log (sec-policy-selinux-apache-2.20130424-r2-20130811-124847.log,5.35 KB, text/plain)
2013-08-11 14:45 UTC, Dennis Freise
selinux-base build log (sec-policy-selinux-base-2.20130424-r2-20130812-175251.log,17.50 KB, text/plain)
2013-08-12 17:59 UTC, Dennis Freise
selinux-base-policy build log (sec-policy-selinux-base-policy-2.20130424-r2-20130812-180041.log,30.52 KB, text/plain)
2013-08-12 18:07 UTC, Dennis Freise
selinux-base build log diff (build_log_diff,1.12 KB, patch)
2013-08-12 18:24 UTC, Dennis Freise

Description Dennis Freise 2013-08-11 14:44:45 UTC
This package fails to install properly (see attached build log). Can't figure out why.

Reproducible: Always

Steps to Reproduce:
1. emerge sec-policy/selinux-apache
2.
3.
Comment 1 Dennis Freise 2013-08-11 14:45:50 UTC
Created attachment 355694 [details]
build log
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2013-08-12 08:56:52 UTC
Can you try and run the following, just to confirm if the base module does or doesn't provide the gds_db_port_t definition?

~$ strings /usr/share/selinux/strict/base.pp | grep gds_db_port_t
Comment 3 Dennis Freise 2013-08-12 14:44:08 UTC
odyssey cat # strings /usr/share/selinux/strict/base.pp | grep gds_db_port_t
odyssey cat # strings /usr/share/selinux/targeted/base.pp | grep gds_db_port_t

Seems like it's not there.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2013-08-12 17:36:14 UTC
Can you (re)build selinux-base and provide the build output of it? I would like to see if it gives any (non-fatal) failures related to the gds_db definitions.
Comment 5 Dennis Freise 2013-08-12 17:59:47 UTC
Created attachment 355794 [details]
selinux-base build log

Is this the right one? Or do you need the log from selinux-base-policy ?
Comment 6 Dennis Freise 2013-08-12 18:07:44 UTC
Created attachment 355796 [details]
selinux-base-policy build log
Comment 7 Dennis Freise 2013-08-12 18:24:10 UTC
Created attachment 355798 [details, diff]
selinux-base build log diff

Ooookay, and here comes the X-factor part... after rebuilding selinux-base just now, the gds things are there. Didn't change a thing, just recompiled that package for the 10th time or so.

So I did a diff of the 2 build logs... looks like corenetwork was left out before...

Can provide additional information, but for the time being the problem fixed itself. I was able to build selinux-apache without problems. Seems like the problem originated from the package "selinux-base"...
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2013-08-15 11:15:09 UTC
Ah the issue is probably that the .te (which is generated) is more recent (edit-wise) than the .te.in. I don't see why this would be, perhaps due to packaging?

I'm now trying with a "make bare" before building the base policy to see if that suffices (make bare removes the generated ones so they are regenerated). Seems to work well, just going to wait a bit and see if it doesn't break (by missing some things) anything.
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2013-08-16 05:45:51 UTC
For those interested, a possible approach to work around it right now is to build selinux-base, but interrupt (Ctrl-Z) it right after it patched the data. Then go to the working dir (like /var/tmp/portage/sec-policy/selinux-base-2.20130424-r2/work) and remove all corenetwork.te and corenetwork.if files (don't touch the corenetwork.te.in and corenetwork.if.in files though)

find . -type f -name 'corenetwork.te' -exec rm '{}' \;
find . -type f -name 'corenetwork.if' -exec rm '{}' \;

The build system should regenerate those files then, which should include the port definitions.
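
Added example, not part of the bug report or the Gentoo ebuild: a check for the condition described in comments 8 and 9, listing generated corenetwork.te / corenetwork.if files that are newer than their .in templates and would therefore be skipped by make. The function names and the sample tree layout are assumptions made for illustration; the sample files are constructed.

```shell
#!/bin/sh
# Added example; not code from the bug report or the Gentoo ebuild.

# Print every generated corenetwork.te / corenetwork.if under $1 that is
# newer than its .in template. make treats such a file as up to date and
# does not regenerate it, so definitions in the template never reach base.pp.
find_stale_generated() {
    find "$1" -type f \( -name 'corenetwork.te.in' -o -name 'corenetwork.if.in' \) |
    while IFS= read -r template; do
        generated=${template%.in}
        [ -f "$generated" ] || continue
        # find -newer prints the file only when its mtime is later than the template's
        find "$generated" -newer "$template"
    done
}

# Build a constructed work tree (hypothetical layout) and print its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    dir=$root/policy/modules/kernel
    mkdir -p "$dir"
    # Template older than the generated .te: stale, make will not rebuild it.
    touch -t 201304240000 "$dir/corenetwork.te.in"
    touch -t 201308110000 "$dir/corenetwork.te"
    # Template newer than the generated .if: make regenerates it as usual.
    touch -t 201308110000 "$dir/corenetwork.if.in"
    touch -t 201304240000 "$dir/corenetwork.if"
    printf '%s\n' "$root"
}

# Stand-alone run on the constructed tree: only corenetwork.te is reported.
sample=$(make_sample_tree)
find_stale_generated "$sample"
rm -rf "$sample"
```

Pointing find_stale_generated at the package work directory before compiling shows whether the workaround from comment 9 is needed; an empty result means the generated files will be rebuilt from the templates.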
Comment 10 Sven Vermeulen (RETIRED) gentoo-dev 2013-08-16 05:56:14 UTC
The "make bare" approach seems to work just fine. I'll incorporate this into the r3 policy release.
Comment 11 Sven Vermeulen (RETIRED) gentoo-dev 2013-09-26 17:32:05 UTC
r3 is now in the tree, ~arch'ed
Comment 12 zacharyw09264 2013-09-28 10:15:42 UTC
Just tried out -r3.
I did an emerge -1 sec-policy/selinux-apache and got the error below.
 * Inserting the following modules into the strict module store: apache
libsepol.context_from_record: type httpd_keytab_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:httpd_keytab_t to sid
invalid context system_u:object_r:httpd_keytab_t
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule:  Failed!
Comment 13 Sven Vermeulen (RETIRED) gentoo-dev 2013-09-30 19:21:04 UTC
Thanks; I'm going to treat that as a different bug for now, see bug #480628.
Comment 14 Sven Vermeulen (RETIRED) gentoo-dev 2014-01-12 20:53:04 UTC
r4 is now stable in the tree