Updating selinux policy from 2.20170204-r3 to 2.20170204-r4 fails. It's not possible to load the new modules.

Following the instructions and calling "semodule -i base.pp -i $(ls *.pp | grep -v base.pp)" will fail again and generate the same error message seen during install:

Bad type declaration at /var/lib/selinux/mcs/tmp/modules/100/apm/cil:17

The reason for that seems to be that the policy module has been renamed from apm.pp to acpi.pp but old files are not removed from the file system: Building selinux-apm-2.20170204-r4 is definitely merging acpi.pp to the file system, while selinux-apm-2.20170204-r3 still merged apm.pp.

Finding that out I was able to fix reloading the modules by deleting "/var/lib/selinux/mcs/active/modules/100/apm"

If you also are affected by the bug, you should be able to fix it with that command:

find /var/lib/selinux/ -type d -name apm -exec echo rm {} \;

(There may be better ways I'm not aware of... This just works for me after "semodule -r apm" and variants failed.)

Here the relevant part from the console log with the interesting hints:

>>> Installing (16 of 26) sec-policy/selinux-apm-2.20170204-r4::gentoo
>>> Setting SELinux security labels
ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
libsemanage.semanage_direct_remove_key: apm module at priority 100 is now active.
libsemanage.semanage_direct_remove_key: Removing last apm module (no other apm module exists at another priority).
 * Inserting the following modules into the mcs module store: acpi
Re-declaration of type apmd_t
Failed to create node
Bad type declaration at /var/lib/selinux/mcs/tmp/modules/100/apm/cil:17
semodule: Failed!
 * SELinux module load failed. Trying full reload...
libsemanage.semanage_direct_install_info: gpg module will be disabled after install due to default enabled status.
Re-declaration of type apmd_t
Failed to create node
Bad type declaration at /var/lib/selinux/mcs/tmp/modules/100/apm/cil:17
semodule: Failed!
 * Failed to reload SELinux policies.
 *
 * If this is *not* the last SELinux module package being installed,
 * then you can safely ignore this as the reloads will be retried
 * with other, recent modules.
 *
 * If it is the last SELinux module package being installed however,
 * then it is advised to look at the error above and take appropriate
 * action since the new SELinux policies are not loaded until the
 * command finished succesfully.
 *
 * To reload, run the following command from within /usr/share/selinux/mcs:
 * semodule -i base.pp -i $(ls *.pp | grep -v base.pp)
 * or
 * semodule -i base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp)
 * depending on if you need the unconfined domain loaded as well or not.
 * Inserting the following modules into the strict module store: acpi
Failed to resolve typeattributeset statement at /var/lib/selinux/strict/tmp/modules/400/acpi/cil:97
semodule: Failed!
 * SELinux module load failed. Trying full reload...
 * SELinux modules reloaded succesfully.
Relabeling: sys-power/acpid-2.0.28

Correction for the command to fix the problem:

find /var/lib/selinux/ -type d -name apm -exec rm -r {} \;
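
Added example, not part of the original report or of Gentoo's tooling: a read-only check that generalizes the stale "apm" case to any module directory left in a store without a matching packaged .pp file. The function name stale_modules is hypothetical, and the directory layout is an assumption taken from the paths quoted in the report.

```shell
#!/bin/sh
# Lists module directories in the SELinux module store that have no
# corresponding <module>.pp in the packaged policy directory. It only
# prints candidates and removes nothing.
#
# Assumed layout (from the paths in the report above):
#   store:    <store_root>/<type>/active/modules/<priority>/<module>/
#   packaged: <pp_root>/<type>/<module>.pp
#
# Modules installed by hand (not from a package) also have no packaged
# .pp, so the output is a list to review, not a list to delete.

stale_modules() {
    store_root=$1   # e.g. /var/lib/selinux   (no trailing slash)
    pp_root=$2      # e.g. /usr/share/selinux (no trailing slash)

    for moddir in "$store_root"/*/active/modules/*/*/; do
        # An unmatched glob stays literal; skip it.
        [ -d "$moddir" ] || continue

        moddir=${moddir%/}
        name=${moddir##*/}              # module name, e.g. apm

        rest=${moddir#"$store_root"/}
        ptype=${rest%%/*}               # policy type, e.g. mcs or strict

        # Report the directory when the packaged policy no longer ships it.
        [ -e "$pp_root/$ptype/$name.pp" ] || printf '%s\n' "$moddir"
    done
}

# Usage on a live system (paths as in the report):
#   stale_modules /var/lib/selinux /usr/share/selinux
```

On a system in the state described above, the "apm" directory under the mcs store would be printed because only acpi.pp is packaged.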