Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 504832 (jokleinn) - semanage always dies, gives stacktrace about audit2why.so and sepol_set_policydb (~amd64)
Summary: semanage always dies, gives stacktrace about audit2why.so and sepol_set_polic...
Status: RESOLVED FIXED
Alias: jokleinn
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: selinux-utils
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-16 20:12 UTC by Ethan Carr
Modified: 2014-04-21 18:38 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
http://bpaste.net/raw/189633/ (file_504832.txt,6.93 KB, text/plain)
2014-03-16 20:22 UTC, Johannes Buchner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Ethan Carr 2014-03-16 20:12:16 UTC
I am awful at bug reporting and I apologize if I violated some sort of guidelines doing this, I didn't get a chance to read them as I'm using links and am quite disoriented

http://bpaste.net/show/189633/ IS AN EXACT CLONE OF THE ATTACHMENT.
Only look at that bpaste if I'm too silly to make the attachment work appropriately, as I'm aware bpastes are temporary.
If my attachment is butt, please somebody reply to this bug report with the contents of the bpaste for a more permanent report :)

Running semanage on this machine (semanage, semanage --help, semanage login) with any arguments or no arguments will always output a stacktrace, stacktrace is included in attachment. emerge --info was deemed irrelevant and is NOT in the attachment, however more basic information is.
Comment 1 Johannes Buchner 2014-03-16 20:22:39 UTC
Created attachment 372828 [details]
http://bpaste.net/raw/189633/

copy of referenced paste
Comment 2 Johannes Buchner 2014-03-16 20:26:21 UTC
Try to re-merge the relevant packages (libsemanage/policycoreutils/libsepol)?
Use nm (or similar) to check if the libsepol library file has the symbol sepol_set_policydb.
Comment 3 Ethan Carr 2014-03-16 20:36:37 UTC
0000000000002dd0 T sepol_set_policydb
It is there. On IRC I was informed it was hidden, that might uh... Be an issue.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2014-03-21 19:44:48 UTC
This is what I have:

~$ nm -D /lib64/libsepol.so.1 | grep sepol_set_policydb
000000000002b8f0 T sepol_set_policydb_from_file

~$ nm -D /usr/lib64/python2.7/site-packages/selinux/audit2why.so | grep sepol_set_policydb
000000000000d4c0 T sepol_set_policydb
000000000000d500 T sepol_set_policydb_from_file

In libsepol-2.2, the sepol_set_policydb function is hidden:

int hidden sepol_set_policydb(policydb_t * p)
{
        policydb = p;
        return 0;
}

In libselinux' audit2why.c however, there is still a reference to sepol_set_policydb(). From my understanding, this shouldn't be happening anymore. I'll ask upstream for more info.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2014-03-22 06:43:10 UTC
Upstream mail discussion: http://thread.gmane.org/gmane.comp.security.selinux/20327
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2014-03-22 06:53:54 UTC
So it seems that audit2why links statically with libsepol; can you check the age difference as well as symbols in libsepol.a?

~$ ls -l /usr/lib64/libsepol.a /lib64/libsepol.so.1 
-rwxr-xr-x. 1 root root 305928 Dec  4 17:32 /lib64/libsepol.so.1
-rw-r--r--. 1 root root 574256 Dec  4 17:32 /usr/lib64/libsepol.a

~$ nm /usr/lib64/libsepol.a | grep sepol_set_policydb
0000000000002c40 T sepol_set_policydb
0000000000002c80 T sepol_set_policydb_from_file

~$ ls -l /usr/lib64/python2.7/site-packages/selinux/audit2why.so 
-rwxr-xr-x. 1 root root 232336 Mar  4 20:05 /usr/lib64/python2.7/site-packages/selinux/audit2why.so

So in my case, audit2why.so is built after libsepol.a (see dates) and libsepol.a contains the sepol_set_policydb symbol (as the symbol is available for static linking).
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2014-03-23 19:21:59 UTC
The cause is the fix through bug 500674 where static linking of libsepol was removed in favor of dynamic linking, but the static linking is by design.

Check if audit2why.so is dynamically linking with libsepol or not. It shouldn't.

I've reverted this fix through libselinux-2.2.2-r4.
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2014-04-21 18:38:39 UTC
libselinux-2.2.2-r4 is now stable