Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 444516 - =sec-policy/selinux-nginx-2.20120725-r8 doesn't load correctly
Summary: =sec-policy/selinux-nginx-2.20120725-r8 doesn't load correctly
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r8
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-23 23:34 UTC by Alex Brandt (RETIRED)
Modified: 2012-12-13 10:09 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Brandt (RETIRED) gentoo-dev 2012-11-23 23:34:29 UTC
The current 9999 nginx policy fails to load due to an unresolved dependency:

libsepol.print_missing_requirements: nginx's global requirements were not met: bool gentoo_nginx_enable_http_server (No such file or directory).

Full output inline as it's semi-short:

>>> Emerging (15 of 15) sec-policy/selinux-nginx-9999
>>> Unpacking source...
GIT update -->
   repository:               git://git.overlays.gentoo.org/proj/hardened-refpolicy.git
   at the commit:            d7bd32677c917e760f4df2bdbd0ebf6c3db633fa
   branch:                   master
   storage directory:        "/usr/portage/distfiles/egit-src/hardened-refpolicy.git"
   checkout type:            bare repository
Cloning into '/var/tmp/portage/sec-policy/selinux-nginx-9999/work/refpolicy'...
done.
Branch branch-master set up to track remote branch master from origin.
Switched to a new branch 'branch-master'
>>> Unpacked to /var/tmp/portage/sec-policy/selinux-nginx-9999/work/refpolicy
>>> Source unpacked in /var/tmp/portage/sec-policy/selinux-nginx-9999/work
>>> Preparing source in /var/tmp/portage/sec-policy/selinux-nginx-9999/work ...
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/sec-policy/selinux-nginx-9999/work ...
>>> Source configured.
>>> Compiling source in /var/tmp/portage/sec-policy/selinux-nginx-9999/work ...
make -j5 -j1 NAME=strict -C /var/tmp/portage/sec-policy/selinux-nginx-9999/work//strict 
make: Entering directory `/var/tmp/portage/sec-policy/selinux-nginx-9999/work/strict'
Compiling strict nginx module
/usr/bin/checkmodule:  loading policy configuration from tmp/nginx.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 15) to tmp/nginx.mod
Creating strict nginx.pp policy package
rm tmp/nginx.mod.fc tmp/nginx.mod
make: Leaving directory `/var/tmp/portage/sec-policy/selinux-nginx-9999/work/strict'
>>> Source compiled.
>>> Test phase [not enabled]: sec-policy/selinux-nginx-9999

>>> Install selinux-nginx-9999 into /var/tmp/portage/sec-policy/selinux-nginx-9999/image/ category sec-policy
 * Installing strict nginx policy package
>>> Completed installing selinux-nginx-9999 into /var/tmp/portage/sec-policy/selinux-nginx-9999/image/


>>> Installing (15 of 15) sec-policy/selinux-nginx-9999
>>> Setting SELinux security labels
 * Inserting the following modules into the strict module store: nginx
libsepol.print_missing_requirements: nginx's global requirements were not met: bool gentoo_nginx_enable_http_server (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
 * SELinux module load failed. Trying full reload...
libsepol.print_missing_requirements: nginx's global requirements were not met: bool gentoo_nginx_enable_http_server (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
 * Failed to reload SELinux policies.
 * 
 * If this is *not* the last SELinux module package being installed,
 * then you can safely ignore this as the reloads will be retried
 * with other, recent modules.
 * 
 * If it is the last SELinux module package being installed however,
 * then it is advised to look at the error above and take appropriate
 * action since the new SELinux policies are not loaded until the
 * command finished succesfully.
 * 
 * To reload, run the following command from within /usr/share/selinux/strict:
 *   semodule -b base.pp -i $(ls *.pp | grep -v base.pp)
 * or
 *   semodule -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp)
 * depending on if you need the unconfined domain loaded as well or not.
>>> Auto-cleaning packages...

>>> No outdated packages were found on your system.

 * GNU info directory index is up-to-date.


Reproducible: Always
Comment 1 Vincent Brillault 2012-11-24 09:12:36 UTC
Same with the 2.20120725-r8.

The problem come from commit d7bd32677c917e760f4df2bdbd0ebf6c3db633fa: gen_tunable definitions where altered but not the tunable_policy ones resulting in unmet requirement for those tunable_policy
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-24 19:06:27 UTC
Thanks; fixed in repo, I'll bring the fix in for the selinux-nginx-2.20120725-r8 as well (unless I notice breakages on other places too that warrant a faster r9 release).
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-25 21:24:42 UTC
Okay, fixed in repo and also moved fix into 2.20120725-r8 (so no revbump - just resync and re-emerge).
Comment 4 Alex Brandt (RETIRED) gentoo-dev 2012-11-25 22:50:18 UTC
Working for me.  

Can we get a message in nginx about selinux for http being disabled by default?  That's unexpected behavior in my opinion.  Better yet, is it possible to flip the boolean to be true by default for nginx_enable_http_server?  The argument is that this is more than likely the cause for them to install nginx in the first place (not always but generally).  If that doesn't make sense; disregard.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-03 09:36:19 UTC
r8 is now in main tree, ~arch
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:09:30 UTC
r8 is now stable