When updating my amd64 (stable) selinux server the selinux policy load failed. Many - or probably all - sec-policy/selinux-* ebuilds printed this warning:

 * SELinux module load failed. Trying full reload...
 * Failed to reload SELinux policies.
 ...
 * To reload, run the following command from within /usr/share/selinux/strict:
 *   semodule -i base.pp -i $(ls *.pp | grep -v base.pp)
 * or
 *   semodule -i base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp)
 * depending on if you need the unconfined domain loaded as well or not.

Trying the reload also failed (the server is using mcs):

owl /usr/share/selinux/mcs # semodule -i base.pp -i $(ls *.pp | grep -v base.pp)
Failed to resolve selinuxuser statement at /var/lib/selinux/mcs/tmp/modules/400/base/cil:5557
Failed to resolve AST
semodule: Failed!

Looking at the reported file/line, this statement is causing the problem:

(selinuxuser sddm xdm ((s0) (s0)))

After emerging sec-policy/selinux-xserver the updated base policy can be loaded.

Remark: Another of my servers is running strict instead of mcs and has the same generic issue. For some reason emerge itself did not report it, but reloading all selinux modules also fails over the same statement:

deagol /usr/share/selinux/strict # semodule -i base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp)
Failed to resolve selinuxuser statement at /var/lib/selinux/strict/tmp/modules/400/base/cil:4461
Failed to resolve AST
semodule: Failed!

After "emerge -1 sec-policy/selinux-xserver" the same command works as expected.

Reproducible: Always

Steps to Reproduce:
1. make sure sec-policy/selinux-xserver is not installed and "semodule -l | grep xserver" is empty.
2. Confirm that there is no /usr/share/*/xserver.pp file installed
3. update at least sec-policy/selinux-base (better all) selinux modules to 2.20220106-r2
4. try reloading the selinux modules (cd /usr/share/selinux/<selinux-mode>; semodule -i base.pp

Actual Results:
For MCS, strict will have a different line number:
Failed to resolve selinuxuser statement at /var/lib/selinux/mcs/tmp/modules/400/base/cil:5557
Failed to resolve AST
semodule: Failed!

Expected Results:
<successful load of modules, no output>

sec-policy/selinux-base-2.20220106-r2 should not depend on sec-policy/selinux-xserver
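The failure above is a link-time dangling reference: the base module's seusers mappings become CIL (selinuxuser ...) statements naming a SELinux user, and if no loaded module declares that user with (user ...), semodule reports "Failed to resolve selinuxuser statement". The following script is an added example, not code from the bug report, from refpolicy or from Gentoo: it cross-checks a set of per-module CIL texts for exactly that mismatch so the problem shows up before semodule is run. The CIL snippets embedded in it are constructed for illustration (the real base module is thousands of lines); feeding it real input assumes you have one CIL file per loaded module, for instance extracted with "semodule -c -E <module>" or taken from the per-module cil files under /var/lib/selinux/<store>/active/modules/. The module name is taken from the file name.

```python
"""Predict a semodule "Failed to resolve selinuxuser statement" error.

Added example (not part of the bug report or of refpolicy). It cross-checks
(selinuxuser LINUX_USER SELINUX_USER ...) statements against (user NAME)
declarations across a set of CIL files, one per module, and reports any
mapping whose SELinux user no module declares. Run with no arguments to
check the constructed sample below, first without and then with xserver.
"""
import re
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample input, not copied from a real policy store: a base
# module that maps the Linux user "sddm" to the SELinux user "xdm" (the
# statement quoted in the bug), and an xserver module that is the only
# one declaring that user.
BASE_CIL = """\
(user system_u)
(user user_u)
(user sysadm_u)
(selinuxuser __default__ user_u ((s0) (s0)))
(selinuxuser root sysadm_u ((s0) (s0)))
(selinuxuser sddm xdm ((s0) (s0)))
"""

XSERVER_CIL = """\
(role xdm_r)
(user xdm)
(userrole xdm xdm_r)
"""

# (user NAME) declarations; the required whitespace after "user" keeps
# (userrole ...) and similar statements from matching.
USER_DECL = re.compile(r"\(user\s+([^\s()]+)\)")
SELINUXUSER = re.compile(r"\(selinuxuser\s+([^\s()]+)\s+([^\s()]+)")


def declared_users(cil: str) -> Set[str]:
    """SELinux users declared with (user NAME) in one module's CIL."""
    return set(USER_DECL.findall(cil))


def selinuxuser_refs(cil: str) -> List[Tuple[int, str, str]]:
    """(line, linux_user, selinux_user) for each (selinuxuser ...) statement."""
    refs = []
    for lineno, line in enumerate(cil.splitlines(), start=1):
        m = SELINUXUSER.search(line)
        if m:
            refs.append((lineno, m.group(1), m.group(2)))
    return refs


def unresolved(modules: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Mappings whose SELinux user no module in `modules` declares.

    Returns (module, line, linux_user, selinux_user) tuples, mirroring the
    "<module>/cil:<line>" location that semodule prints on failure.
    """
    known: Set[str] = set()
    for cil in modules.values():
        known |= declared_users(cil)
    problems = []
    for name, cil in modules.items():
        for lineno, linux_user, seuser in selinuxuser_refs(cil):
            if seuser not in known:
                problems.append((name, lineno, linux_user, seuser))
    return problems


def main(argv: List[str]) -> int:
    """Usage: check_seusers.py base.cil xserver.cil ... (module = file stem)."""
    if len(argv) > 1:
        modules = {}
        for path in argv[1:]:
            with open(path) as fh:
                modules[path.rsplit("/", 1)[-1].split(".")[0]] = fh.read()
        runs = [modules]
    else:
        runs = [{"base": BASE_CIL}, {"base": BASE_CIL, "xserver": XSERVER_CIL}]
    rc = 0
    for modules in runs:
        problems = unresolved(modules)
        print(f"modules {sorted(modules)}: {len(problems)} unresolved")
        for mod, lineno, linux_user, seuser in problems:
            print(f"  {mod}/cil:{lineno}: (selinuxuser {linux_user} {seuser} ...)"
                  f" -> no loaded module declares (user {seuser})")
        rc |= 1 if problems else 0
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample this reports base/cil:6 as unresolved when only the base module is present and nothing once xserver is included, which is the dependency the reporter hit: the mapping lives in base, the user it names lives in xserver.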
Created attachment 769844: emerge --info after update & workaround

Output from emerge --info sec-policy/selinux-base (with sec-policy/selinux-xserver installed)
The problematic ebuild is sec-policy/selinux-base-policy-2.20220106-r2, not sec-policy/selinux-base-2.20220106-r2. The bug is in the patchbundle for 2.20220106-r2 and seems to be already reverted by the maintainer (perfinion) in 2.20220106-r3 for another reason: https://github.com/perfinion/hardened-refpolicy/commit/dada9b3defc6c44e73d56adf245a5812c3f08404?diff=unified Updating only sec-policy/selinux-base-policy to 2.20220106-r3 failed and I did not want to update all selinux policies to ~amd64. So I just ported the reverted commit manually into a crude portage patch and with the thus patched sec-policy/selinux-base-policy I could remove sec-policy/selinux-xserver again.
Created attachment 769859 (diff): gentoo portage patch for selinux-base-2.20220106-r2

First, it looks like selinux-base-2.20220106-r2 is the problematic ebuild after all... This is the manual port of https://github.com/perfinion/hardened-refpolicy/commit/dada9b3defc6c44e73d56adf245a5812c3f08404 to a gentoo portage patch. With this in /etc/portage/patches/sec-policy/selinux-base-2.20220106-r2 and a reinstall of selinux-base-2.20220106-r2 I was able to remove the xserver module and reload all selinux modules. So I guess the correct solution will be making 2.20220106-r3 stable...
Upstream bug: https://github.com/SELinuxProject/refpolicy/issues/488
Stabilized -r3 in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4d7e98976dcb5420aa2b963ea90a744820dbcdd The main difference from -r2 is reverting the sddm commit so things should work again. I will discuss with upstream and figure out how to handle this best