Bug 444516 - =sec-policy/selinux-nginx-2.20120725-r8 doesn't load correctly
Summary: =sec-policy/selinux-nginx-2.20120725-r8 doesn't load correctly
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r8
Reported: 2012-11-23 23:34 UTC by Alex Brandt (RETIRED)
Modified: 2012-12-13 10:09 UTC
Description Alex Brandt (RETIRED) gentoo-dev 2012-11-23 23:34:29 UTC
The current 9999 nginx policy fails to load due to an unresolved dependency:

libsepol.print_missing_requirements: nginx's global requirements were not met: bool gentoo_nginx_enable_http_server (No such file or directory).

Full output inline as it's semi-short:

>>> Emerging (15 of 15) sec-policy/selinux-nginx-9999
>>> Unpacking source...
GIT update -->
   repository:               git://git.overlays.gentoo.org/proj/hardened-refpolicy.git
   at the commit:            d7bd32677c917e760f4df2bdbd0ebf6c3db633fa
   branch:                   master
   storage directory:        "/usr/portage/distfiles/egit-src/hardened-refpolicy.git"
   checkout type:            bare repository
Cloning into '/var/tmp/portage/sec-policy/selinux-nginx-9999/work/refpolicy'...
done.
Branch branch-master set up to track remote branch master from origin.
Switched to a new branch 'branch-master'
>>> Unpacked to /var/tmp/portage/sec-policy/selinux-nginx-9999/work/refpolicy
>>> Source unpacked in /var/tmp/portage/sec-policy/selinux-nginx-9999/work
>>> Preparing source in /var/tmp/portage/sec-policy/selinux-nginx-9999/work ...
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/sec-policy/selinux-nginx-9999/work ...
>>> Source configured.
>>> Compiling source in /var/tmp/portage/sec-policy/selinux-nginx-9999/work ...
make -j5 -j1 NAME=strict -C /var/tmp/portage/sec-policy/selinux-nginx-9999/work//strict 
make: Entering directory `/var/tmp/portage/sec-policy/selinux-nginx-9999/work/strict'
Compiling strict nginx module
/usr/bin/checkmodule:  loading policy configuration from tmp/nginx.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 15) to tmp/nginx.mod
Creating strict nginx.pp policy package
rm tmp/nginx.mod.fc tmp/nginx.mod
make: Leaving directory `/var/tmp/portage/sec-policy/selinux-nginx-9999/work/strict'
>>> Source compiled.
>>> Test phase [not enabled]: sec-policy/selinux-nginx-9999

>>> Install selinux-nginx-9999 into /var/tmp/portage/sec-policy/selinux-nginx-9999/image/ category sec-policy
 * Installing strict nginx policy package
>>> Completed installing selinux-nginx-9999 into /var/tmp/portage/sec-policy/selinux-nginx-9999/image/


>>> Installing (15 of 15) sec-policy/selinux-nginx-9999
>>> Setting SELinux security labels
 * Inserting the following modules into the strict module store: nginx
libsepol.print_missing_requirements: nginx's global requirements were not met: bool gentoo_nginx_enable_http_server (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
 * SELinux module load failed. Trying full reload...
libsepol.print_missing_requirements: nginx's global requirements were not met: bool gentoo_nginx_enable_http_server (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
 * Failed to reload SELinux policies.
 * 
 * If this is *not* the last SELinux module package being installed,
 * then you can safely ignore this as the reloads will be retried
 * with other, recent modules.
 * 
 * If it is the last SELinux module package being installed however,
 * then it is advised to look at the error above and take appropriate
 * action since the new SELinux policies are not loaded until the
 * command finished succesfully.
 * 
 * To reload, run the following command from within /usr/share/selinux/strict:
 *   semodule -b base.pp -i $(ls *.pp | grep -v base.pp)
 * or
 *   semodule -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp)
 * depending on if you need the unconfined domain loaded as well or not.
>>> Auto-cleaning packages...

>>> No outdated packages were found on your system.

 * GNU info directory index is up-to-date.


Reproducible: Always
Comment 1 Vincent Brillault 2012-11-24 09:12:36 UTC
Same with the 2.20120725-r8.

The problem comes from commit d7bd32677c917e760f4df2bdbd0ebf6c3db633fa: gen_tunable definitions were altered but not the tunable_policy ones, resulting in an unmet requirement for those tunable_policy.
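
Added example (not part of the bug report and not code from the Gentoo policy repository): a pre-load check for the mismatch described in comment 1, listing booleans that a module's tunable_policy blocks reference but that no gen_tunable declares. The sample policy text, the nginx_can_network_connect name and the known_external parameter are constructed for illustration.

```python
import re

# gen_tunable(name, default) declares a boolean in refpolicy source.
DECL_RE = re.compile(r"\bgen_tunable\(\s*`?([A-Za-z_]\w*)'?\s*,")
# tunable_policy(`cond', ...) guards rules on a boolean expression (m4 quotes).
COND_RE = re.compile(r"\btunable_policy\(\s*`([^']*)'")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


def strip_comments(te_source):
    """Drop '#' comments so commented-out macros are not counted."""
    return "\n".join(line.split("#", 1)[0] for line in te_source.splitlines())


def undeclared_tunables(te_source, known_external=()):
    """Return booleans used in tunable_policy but never declared here.

    known_external: booleans declared by other modules (assumption: the
    caller supplies these, since this check only sees one .te file).
    """
    text = strip_comments(te_source)
    declared = set(DECL_RE.findall(text)) | set(known_external)
    missing = []
    for cond in COND_RE.findall(text):
        # A condition may combine booleans: `a && !b', `a || b'.
        for name in IDENT_RE.findall(cond):
            if name not in declared and name not in missing:
                missing.append(name)
    return missing


# Constructed sample, not the real nginx.te: the declaration was renamed
# but one tunable_policy block still uses the old name.
SAMPLE_TE = """\
policy_module(nginx, 1.0.0)
gen_tunable(nginx_enable_http_server, false)
gen_tunable(nginx_can_network_connect, false)
# tunable_policy(`old_commented_out', `')
tunable_policy(`gentoo_nginx_enable_http_server',`
	corenet_tcp_bind_http_port(nginx_t)
')
tunable_policy(`nginx_can_network_connect && !allow_ypbind',`
	corenet_tcp_connect_all_ports(nginx_t)
')
"""

if __name__ == "__main__":
    for name in undeclared_tunables(SAMPLE_TE, known_external={"allow_ypbind"}):
        print("tunable_policy uses undeclared boolean:", name)
```

Running a check like this before semodule -i catches the rename at build time instead of at link time, when the policy store refuses the whole transaction.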
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-24 19:06:27 UTC
Thanks; fixed in repo, I'll bring the fix in for the selinux-nginx-2.20120725-r8 as well (unless I notice breakages in other places too that warrant a faster r9 release).
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-25 21:24:42 UTC
Okay, fixed in repo and also moved fix into 2.20120725-r8 (so no revbump - just resync and re-emerge).
Comment 4 Alex Brandt (RETIRED) gentoo-dev 2012-11-25 22:50:18 UTC
Working for me.  

Can we get a message in nginx about SELinux for http being disabled by default? That's unexpected behavior in my opinion. Better yet, is it possible to flip the boolean to be true by default for nginx_enable_http_server? The argument is that this is more than likely the cause for them to install nginx in the first place (not always but generally). If that doesn't make sense, disregard.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-03 09:36:19 UTC
r8 is now in main tree, ~arch
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:09:30 UTC
r8 is now stable