Updating from the last stable selinux policy set (2.20161023-r3) to the current one (2.20170204-r2) failed on my system for sec-policy/selinux-apache. The short story is that type "nfsd_rw_t" is needed, but the definition for this type is in sec-policy/selinux-rpc, which is not being pulled in by any dependency on my system. Here is some more information: The console output below is after testing 2.20170204-r3 and downgrading again to stable. (Btw, 2.20170204-r3 has the same issue.) The error text was the same for the initial update:

>>> Installing (3 of 3) sec-policy/selinux-apache-2.20170204-r2::gentoo
>>> Setting SELinux security labels
ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
 * Inserting the following modules into the strict module store: apache
Failed to resolve typeattributeset statement at /var/lib/selinux/strict/tmp/modules/400/apache/cil:350
semodule: Failed!
 * SELinux module load failed. Trying full reload...
Failed to resolve typeattributeset statement at /var/lib/selinux/strict/tmp/modules/400/apache/cil:350
semodule: Failed!
 * Failed to reload SELinux policies.
 *
 * If this is *not* the last SELinux module package being installed,
 * then you can safely ignore this as the reloads will be retried
 * with other, recent modules.
 *
 * If it is the last SELinux module package being installed however,
 * then it is advised to look at the error above and take appropriate
 * action since the new SELinux policies are not loaded until the
 * command finished succesfully.
 *
 * To reload, run the following command from within /usr/share/selinux/strict:
 * semodule -i base.pp -i $(ls *.pp | grep -v base.pp)
 * or
 * semodule -i base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp)
 * depending on if you need the unconfined domain loaded as well or not.
Calling "semodule -i base.pp -i $(ls *.pp | grep -v base.pp)" in /usr/share/selinux/strict only produces the same error message again:

Failed to resolve typeattributeset statement at /var/lib/selinux/strict/tmp/modules/400/apache/cil:350
semodule: Failed!

With "/usr/libexec/selinux/hll/pp /usr/share/selinux/strict/apache.pp >/tmp/cli" we can see line 350:

(typeattributeset cil_gen_require nfsd_rw_t)

"seinfo -t | grep nfsd_rw_t" confirmed that this type definition is missing. After installing "sec-policy/selinux-rpc" the apache module can be loaded.
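The diagnosis above (decompile the .pp with hll/pp, then check each required type against seinfo -t) generalizes to any module whose load fails on a typeattributeset statement. The following script is an added example, not part of the bug report or of the Gentoo policy packages: it lists every type a module requires via cil_gen_require that is absent from the loaded policy, so all missing dependencies show up at once instead of one per failed semodule run. It assumes the CIL line shape and the seinfo -t listing shape shown in the report (one type per line, a leading "Types: N" header); the apache.cil and types.txt contents below are constructed sample data so the script runs without SELinux tools installed.

```shell
#!/bin/sh
# Added example (not from the bug report): report required types that the
# loaded SELinux policy does not define.
# On a real system the two inputs would be produced with:
#   /usr/libexec/selinux/hll/pp /usr/share/selinux/strict/apache.pp > /tmp/apache.cil
#   seinfo -t > /tmp/types.txt

# Print, one per line and de-duplicated, every type named in a
# "(typeattributeset cil_gen_require <type>)" statement of a CIL file.
required_types() {
    sed -n 's/^[[:space:]]*(typeattributeset cil_gen_require \([^) ]*\))[[:space:]]*$/\1/p' "$1" | sort -u
}

# Print the required types that do not appear in a "seinfo -t" listing.
# Each listed type sits on its own (possibly indented) line; the
# "Types: N" header never matches a type name, so it is ignored.
missing_required_types() {
    cil="$1"; types="$2"
    required_types "$cil" | while IFS= read -r t; do
        if ! grep -q -x "[[:space:]]*$t" "$types"; then
            printf '%s\n' "$t"
        fi
    done
}

# --- constructed sample inputs (not real policy output) ---
workdir=$(mktemp -d)
cat > "$workdir/apache.cil" <<'EOF'
(optional apache_optional_1
    (typeattributeset cil_gen_require httpd_t)
    (typeattributeset cil_gen_require nfsd_rw_t)
    (typeattributeset cil_gen_require kerberos_port_t)
)
EOF
cat > "$workdir/types.txt" <<'EOF'
Types: 3
   httpd_t
   kerberos_port_t
   httpd_sys_content_t
EOF

# nfsd_rw_t is required by the sample module but absent from the sample
# policy, so it is the only line printed.
missing_required_types "$workdir/apache.cil" "$workdir/types.txt"
rm -rf "$workdir"
```

Each type it prints names a module that still has to be installed (here the nfsd_rw_t hit points at selinux-rpc); rerun it after each install until the output is empty, then retry the semodule reload.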
I've submitted the following patch to upstream: http://oss.tresys.com/pipermail/refpolicy/2017-April/009374.html If accepted, we'll pull this back in. In the meantime, install selinux-rpc to work around the dependency issue.
This was fixed in -r4.