This package fails to install properly (see attached build log). Can't figure out why.
Reproducible: Always
Steps to Reproduce:
1. emerge sec-policy/selinux-apache
Created attachment 355694 [details] build log
Can you try and run the following, just to confirm if the base module does or doesn't provide the gds_db_port_t definition?
~$ strings /usr/share/selinux/strict/base.pp | grep gds_db_port_t
odyssey cat # strings /usr/share/selinux/strict/base.pp | grep gds_db_port_t
odyssey cat # strings /usr/share/selinux/targeted/base.pp | grep gds_db_port_t
Seems like it's not there.
Can you (re)build selinux-base and provide the build output of it? I would like to see if it gives any (non-fatal) failures related to the gds_db definitions.
Created attachment 355794 [details] selinux-base build log
Is this the right one? Or do you need the log from selinux-base-policy?
Created attachment 355796 [details] selinux-base-policy build log
Created attachment 355798 [details, diff] selinux-base build log diff
Ooookay, and here comes the X-factor part... after rebuilding selinux-base just now, the gds things are there. Didn't change a thing, just recompiled that package for the 10th time or so. So I did a diff of the 2 build logs... looks like corenetwork was left out before... Can provide additional information, but for the time being the problem fixed itself. I was able to build selinux-apache without problems. Seems like the problem originated from the package "selinux-base"...
Ah the issue is probably that the .te (which is generated) is more recent (edit-wise) than the .te.in. I don't see why this would be, perhaps due to packaging? I'm now trying with a "make bare" before building the base policy to see if that suffices (make bare removes the generated ones so they are regenerated). Seems to work well, just going to wait a bit and see if it doesn't break (by missing some things) anything.
For those interested, a possible approach to work around it right now is to build selinux-base, but interrupt (Ctrl-Z) it right after it patched the data. Then go to the working dir (like /var/tmp/portage/sec-policy/selinux-base-2.20130424-r2/work) and remove all corenetwork.te and corenetwork.if files (don't touch the corenetwork.te.in and corenetwork.if.in files though):
find . -type f -name 'corenetwork.te' -exec rm '{}' \;
find . -type f -name 'corenetwork.if' -exec rm '{}' \;
The build system should regenerate those files then, which should include the port definitions.
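An added check, not part of the original bug comments or of the Gentoo build system: it walks a work directory and reports each generated corenetwork file that is newer than its .in template (so make would not regenerate it) while missing a name the template declares. The function name stale_generated, its arguments, and the use of a plain substring match such as gds_db are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. stale_generated and its arguments are hypothetical names,
# not part of selinux-base or the reference policy build.
#
# stale_generated DIR SYMBOL
#   DIR    - unpacked work directory to search
#   SYMBOL - fixed string expected in the generated output, e.g. gds_db
# Prints one path per stale generated file; prints nothing if all is well.
stale_generated() {
    dir=$1
    symbol=$2
    find "$dir" -type f \
        \( -name 'corenetwork.te.in' -o -name 'corenetwork.if.in' \) |
    sort |
    while IFS= read -r template; do
        generated=${template%.in}

        # No generated file yet: make will create it, nothing to report.
        [ -f "$generated" ] || continue

        # Generated file older than (or as old as) its template:
        # make regenerates it on its own.
        [ "$generated" -nt "$template" ] || continue

        # Only relevant if the template declares the symbol at all.
        grep -qF -- "$symbol" "$template" || continue

        # Generated file already carries the symbol: it is current.
        grep -qF -- "$symbol" "$generated" && continue

        # Newer than the template yet missing the symbol: this is the file
        # the workaround above deletes so that it gets rebuilt.
        printf '%s\n' "$generated"
    done
}
```

Run it from the interrupted build's work directory, for example `stale_generated . gds_db`; any path it prints is a candidate for the rm step described above.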
The "make bare" approach seems to work just fine. I'll incorporate this into the r3 policy release.
r3 is now in the tree, ~arch'ed
Just tried out -r3. I did an emerge -1 sec-policy/selinux-apache and got the error below.
 * Inserting the following modules into the strict module store: apache
libsepol.context_from_record: type httpd_keytab_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:httpd_keytab_t to sid
invalid context system_u:object_r:httpd_keytab_t
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!
Thanks; I'm going to treat that as a different bug for now, see bug #480628.
r4 is now stable in the tree