Bug 615552 - sec-policy/selinux-apache-2.20170204-r[2-3]: missing dependency on rpc
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Reported: 2017-04-14 16:01 UTC by Alexander Wetzel
Modified: 2017-09-23 02:33 UTC
Description Alexander Wetzel 2017-04-14 16:01:47 UTC
Updating from the last stable selinux policy set (2.20161023-r3) to the current one (2.20170204-r2) failed on my system for sec-policy/selinux-apache.

The short story is that type "nfsd_rw_t" is needed, but the definition for this type is in sec-policy/selinux-rpc, which is not being pulled in by any dependency on my system.

Here is some more information:
The console output below is after testing 2.20170204-r3 and downgrading again to stable. (Btw, 2.20170204-r3 has the same issue.) The error text was the same for the initial update:

>>> Installing (3 of 3) sec-policy/selinux-apache-2.20170204-r2::gentoo
>>> Setting SELinux security labels
ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
 * Inserting the following modules into the strict module store: apache
Failed to resolve typeattributeset statement at /var/lib/selinux/strict/tmp/modules/400/apache/cil:350
semodule:  Failed!
 * SELinux module load failed. Trying full reload...
Failed to resolve typeattributeset statement at /var/lib/selinux/strict/tmp/modules/400/apache/cil:350
semodule:  Failed!
 * Failed to reload SELinux policies.
 * 
 * If this is *not* the last SELinux module package being installed,
 * then you can safely ignore this as the reloads will be retried
 * with other, recent modules.
 * 
 * If it is the last SELinux module package being installed however,
 * then it is advised to look at the error above and take appropriate
 * action since the new SELinux policies are not loaded until the
 * command finished succesfully.
 * 
 * To reload, run the following command from within /usr/share/selinux/strict:
 *   semodule -i base.pp -i $(ls *.pp | grep -v base.pp)
 * or
 *   semodule -i base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp)
 * depending on if you need the unconfined domain loaded as well or not.

Calling "semodule -i base.pp -i $(ls *.pp | grep -v base.pp)" in /usr/share/selinux/strict only produces the same error message again:
Failed to resolve typeattributeset statement at /var/lib/selinux/strict/tmp/modules/400/apache/cil:350
semodule:  Failed!


With "/usr/libexec/selinux/hll/pp /usr/share/selinux/strict/apache.pp >/tmp/cli" we can see line 350:
(typeattributeset cil_gen_require nfsd_rw_t)

"seinfo -t | grep nfsd_rw_t" confirmed that this type definition is missing.
After installing "sec-policy/selinux-rpc" the apache module can be loaded.
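
The diagnosis in the description above, generalized to every required type at once, as an added example that is not part of the original report or of the Gentoo policy packages. The function names, the file names apache.cil and known.txt, and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report types a CIL module requires that are declared neither
# by the module itself nor by the currently loaded policy.
# Real use (paths from the report; seinfo -t/-a list types and attributes):
#   /usr/libexec/selinux/hll/pp /usr/share/selinux/strict/apache.pp > apache.cil
#   { seinfo -t; seinfo -a; } > known.txt
#   unresolved_types apache.cil known.txt

# Names the module pulls in through cil_gen_require (types and attributes).
required_types() {
    sed -n 's/^[[:space:]]*(typeattributeset cil_gen_require \([^ )]*\)).*$/\1/p' "$1" |
        LC_ALL=C sort -u
}

# Types and attributes the module declares itself.
declared_types() {
    sed -n -e 's/^[[:space:]]*(type \([^ )]*\)).*$/\1/p' \
           -e 's/^[[:space:]]*(typeattribute \([^ )]*\)).*$/\1/p' "$1"
}

# unresolved_types CIL_FILE KNOWN_FILE: required names missing everywhere.
# KNOWN_FILE holds one name per line; seinfo's indentation is stripped and its
# "Types: N" header lines are harmless because they never equal a type name.
unresolved_types() {
    tmp=$(mktemp -d) || return 1
    required_types "$1" > "$tmp/req"
    { declared_types "$1"; sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$2"; } |
        LC_ALL=C sort -u > "$tmp/have"
    LC_ALL=C comm -23 "$tmp/req" "$tmp/have"
    rm -rf "$tmp"
}

# Constructed sample input (not taken from a real apache.pp or a real system).
make_sample() {
    cat > "$1/apache.cil" <<'EOF'
(type httpd_t)
(typeattribute httpdcontent)
(typeattributeset cil_gen_require nfs_t)
(typeattributeset cil_gen_require nfsd_rw_t)
(typeattributeset cil_gen_require domain)
(roleattributeset cil_gen_require system_r)
(allow httpd_t nfsd_rw_t (file (read)))
EOF
    printf 'Types: 1\n   nfs_t\n\nType Attributes: 1\n   domain\n' > "$1/known.txt"
}

# Demo on the constructed sample: prints the one unresolved type.
d=$(mktemp -d) && make_sample "$d" && unresolved_types "$d/apache.cil" "$d/known.txt"
rm -rf "$d"
```

Each name it prints is a type or attribute that some other policy module has to provide before semodule can resolve the module.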
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2017-04-20 15:08:50 UTC
I've submitted the following patch to upstream:

http://oss.tresys.com/pipermail/refpolicy/2017-April/009374.html

If accepted, we'll pull this back in. In the meantime, install selinux-rpc to work around the dependency issue.
Comment 2 Jason Zaman gentoo-dev 2017-09-23 02:33:24 UTC
This was fixed in -r4.