| Field | Value |
|---|---|
| Summary | sec-policy/selinux-mutt-2.20110726-r2 fails due to syntax error |
| Product | Gentoo Linux |
| Component | Hardened |
| Status | VERIFIED FIXED |
| Severity | normal |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | J.C. Wren <jcwren> |
| Assignee | Sven Vermeulen (RETIRED) <swift> |
| CC | selinux |
| Runtime testing required | --- |
| Attachments | Build log for sec-policy/selinux-mutt-2.20110726-r3; Build log for sec-policy/selinux-base-policy-2.20110726-r9 |
Description
J.C. Wren
2011-12-06 20:44:47 UTC
In hardened-dev overlay

---

(In reply to comment #1)
> In hardened-dev overlay

Not being familiar with how to use overlays reliably, would you mind telling me what I need to do to set up the overlay to test this? Thanks!

---

Certainly. More elaborate information can be found on [1], but in general:

    ~# emerge layman
    --> This installs the overlay manager
    ~# vim /etc/make.conf
    --> Add "source /var/lib/layman/make.conf" on top of the file
    --> This ensures that portage is aware of the overlays
    ~# layman -a hardened-development
    --> This will add the hardened development overlay

From that point onward, the packages managed within the hardened overlay are available to portage as well. If you run "emerge -uDN world" or so, these packages will be accounted for too. All packages in the overlay are marked as ~arch (in this case, ~amd64 and ~x86) not to push out changes as stable too prematurely, of course.

[1] http://www.gentoo.org/proj/en/overlays/userguide.xml

---

Hrm, perhaps I'm doing something wrong?

```
# layman -S
(reports synchronized)
# layman -l
* hardened-development [Git ] (git://git.overlays.gentoo.org/proj/hardened-dev.git
# head /etc/make.conf
source /var/lib/layman/make.conf
ACCEPT_KEYWORDS="~x86"
ACCEPT_LICENSE="*"
# emerge -q --sync
# emerge -uDN world -p
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild N ] sec-policy/selinux-mutt-2.20110726-r2
[ebuild R ] mail-client/mutt-1.5.21-r7 USE="(selinux%*)"
# emerge -uDN world -q
```

After this point, it fails to compile as if it's not actually picking up the selinux-mutt from the overlay. I see the -r3 version in /var/lib/layman/hardened-development/sec-policy/selinux-mutt, so I'm unclear why it's not picking it up. I read through the layman book, and I think I've got it right. Weird...

---

Check in your /etc/make.conf that you do not override PORTDIR_OVERLAY somewhere (if you do, then use something like PORTDIR_OVERLAY="${PORTDIR_OVERLAY} ..." instead).

Also try "emerge -p =sec-policy/selinux-mutt-2.20110726-r3"; what does Portage say then?

---

It appears to compile (if that's the right word), although there was a failure in the postinst phase. The /var/tmp/portage/sec-policy isn't there, so I can't look at the build log for an error source, but Googling for the error message seems to indicate that it comes from 'semodule' failing to install a module (an error check you added back in May, where otherwise it appears to have failed silently?).

```
# emerge -av sec-policy/selinux-mutt -q
[ebuild U ] sec-policy/selinux-base-policy-2.20110726-r8 [2.20110726-r7] USE="open_perms peer_perms ubac -doc"
[ebuild N ] sec-policy/selinux-mutt-2.20110726-r3
Would you like to merge these packages? [Yes/No] y
>>> Verifying ebuild manifests
>>> Starting parallel fetch
>>> Emerging (1 of 2) sec-policy/selinux-base-policy-2.20110726-r8 from hardened-dev
>>> Installing (1 of 2) sec-policy/selinux-base-policy-2.20110726-r8
>>> Emerging (2 of 2) sec-policy/selinux-mutt-2.20110726-r3 from hardened-dev
>>> Installing (2 of 2) sec-policy/selinux-mutt-2.20110726-r3
>>> Recording sec-policy/selinux-mutt in "world" favorites file...
>>> Jobs: 2 of 2 complete Load avg: 0.94, 0.45, 0.20
* Messages for package sec-policy/selinux-base-policy-2.20110726-r8:
* ERROR: sec-policy/selinux-base-policy-2.20110726-r8 failed (postinst phase):
* Could not load in new base policy
*
* Call stack:
* ebuild.sh, line 75: Called pkg_postinst
* environment, line 1988: Called die
* The specific snippet of code:
* semodule -s "${i}" -b base.pp || die "Could not load in new base policy";
*
* If you need support, post the output of 'emerge --info =sec-policy/selinux-base-policy-2.20110726-r8',
* the complete build log and the output of 'emerge -pqv =sec-policy/selinux-base-policy-2.20110726-r8'.
* This ebuild is from an overlay named 'hardened-dev': '/var/lib/layman/hardened-development/'
* The complete build log is located at '/var/tmp/portage/sec-policy/selinux-base-policy-2.20110726-r8/temp/build.log'.
* The ebuild environment file is located at '/var/tmp/portage/sec-policy/selinux-base-policy-2.20110726-r8/temp/environment'.
* S: '/var/tmp/portage/sec-policy/selinux-base-policy-2.20110726-r8/work/'
* Messages for package sec-policy/selinux-mutt-2.20110726-r3:
* ERROR: sec-policy/selinux-mutt-2.20110726-r3 failed (postinst phase):
* Failed to load in modules mutt in the strict policy store
*
* Call stack:
* ebuild.sh, line 75: Called pkg_postinst
* environment, line 1988: Called selinux-policy-2_pkg_postinst
* environment, line 2052: Called die
* The specific snippet of code:
* semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} in the $i policy store";
*
* If you need support, post the output of 'emerge --info =sec-policy/selinux-mutt-2.20110726-r3',
* the complete build log and the output of 'emerge -pqv =sec-policy/selinux-mutt-2.20110726-r3'.
* This ebuild is from an overlay named 'hardened-dev': '/var/lib/layman/hardened-development/'
* The complete build log is located at '/var/tmp/portage/sec-policy/selinux-mutt-2.20110726-r3/temp/build.log'.
* The ebuild environment file is located at '/var/tmp/portage/sec-policy/selinux-mutt-2.20110726-r3/temp/environment'.
* S: '/var/tmp/portage/sec-policy/selinux-mutt-2.20110726-r3/work/'
# emerge -uDN world -p
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] mail-client/mutt-1.5.21-r7 USE="(selinux%*)"
#
```
Can you provide the full build log of selinux-base-policy? I guess it has a collision with something, but without the full build log I won't be able to verify this.

---

Created attachment 297133: Build log for sec-policy/selinux-mutt-2.20110726-r3

---

Can you provide the one for the base policy (in your earlier output, base policy rev 8 also failed during the postinstall)? If the base policy fails, we need to focus on that first before looking at specific modules.

---

Created attachment 297169: Build log for sec-policy/selinux-base-policy-2.20110726-r9
Can you try https://wiki.gentoo.org/wiki/Knowledge_Base:Inserting_base_module_in_module_store_fails_with_duplicate_declaration ?

---

```
# eselect profile show
Current /etc/make.profile symlink:
hardened/linux/x86/selinux
# cd /etc/selinux/strict/modules/active/modules
etb modules # for MOD in *.pp; do grep -H sysadm_screen_t ${MOD}; done
Binary file screen.pp matches
#
```

Not sure what I'm supposed to do after this point, since there's only the one file.

---

Make sure you don't run any screen sessions, then remove the screen module:

    ~# semodule -r screen

Then install the base policy:

    ~# semodule -b /usr/share/selinux/strict/base.pp

If that works well, try to install the screen module:

    ~# semodule -i /usr/share/selinux/strict/screen.pp

We need to make sure that the base policy loads in correctly.

---

```
# semodule -r screen
# semodule -b /usr/share/selinux/strict/base.pp
libsepol.print_missing_requirements: ftp's global requirements were not met: type/attribute home_type (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
# semodule -i /usr/share/selinux/strict/screen.pp
libsepol.permission_copy_callback: Module screen depends on permission nlmsg_tty_audit in class netlink_audit_socket, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
#
```

(I ran the third command even though I did know the second failed.)

---

Looks like you're running quite old policy modules. Can you run "semodule -l | grep ftp" and see what version it returns? The one we offer is 1.13.0. Based on the version, I might even find out how old.

You might need to switch to permissive mode, unload all modules that are currently running (which might mean that quite a few services that are running will need to be shut down as well), then update the base module, load back the modules (in /usr/share/selinux/strict, since those should be the latest ones) and give your entire system a good try before going back to enforcing (and perhaps even relabel the entire system).

---

```
# semodule -l | grep ftp
ftp 1.7.1
tftp 1.7.1
#
```

So it seems I'm down a few levels. But I regularly 'emerge -uDN world', so why would these not be updated as a matter of course?

---

Because, although we do "load" the new modules, we do this in a postinst() phase of the ebuilds. That means that, if the loading fails, we don't fail the entire process (i.e. the package is still installed) even though it dies right there. If we move this up to the installation phase itself, we might be breaking the rules a bit (since doing this will change the system state beyond what Portage can control).

ftp 1.7.1 is from somewhere in the first quarter of 2008...

---

The resolution of this bug (selinux-mutt-...-r2 failure) was pushed to the main tree (~arch) on December 17th, 2011.

---

Stabilized.
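A check for the state the thread ends in, loaded policy modules that lag the versions the policy package ships because a failed `semodule` in pkg_postinst does not fail the merge. This is an added example, not part of the bug report or of the Gentoo ebuilds; the loaded and shipped version lists are constructed sample data standing in for `semodule -l` output and the package's module versions.

```shell
#!/bin/sh
# Added example, not from the bug report: flag loaded SELinux policy modules whose
# version is older than what the current policy package ships (here ftp 1.7.1
# loaded while 1.13.0 is offered), the situation the thread above diagnosed.

# Constructed sample standing in for `semodule -l` output on the affected box.
SAMPLE_LOADED='ftp 1.7.1
tftp 1.7.1
screen 1.5.0
mutt 1.2.0'
# Constructed sample of the module versions the policy package ships
# (on a real system, take these from the package's policy sources).
SAMPLE_SHIPPED='ftp 1.13.0
tftp 1.13.0
screen 1.5.0
mutt 1.2.0'

# version_lt A B: succeed when dotted version A is strictly older than B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a= || a=${a#*.}
        [ "$b" = "$bi" ] && b= || b=${b#*.}
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# stale_modules LOADED SHIPPED: print one "name loaded=X shipped=Y" line per
# stale module; exit 0 when nothing is stale, 1 otherwise.
stale_modules() {
    loaded=$1; stale=0
    while read -r name want; do
        have=$(printf '%s\n' "$loaded" | awk -v n="$name" '$1 == n { print $2 }')
        [ -z "$have" ] && continue       # not loaded at all: a different problem
        if version_lt "$have" "$want"; then
            printf '%s loaded=%s shipped=%s\n' "$name" "$have" "$want"
            stale=1
        fi
    done <<EOF
$2
EOF
    return "$stale"
}

stale_modules "$SAMPLE_LOADED" "$SAMPLE_SHIPPED" \
    || echo "stale modules found: reload them from /usr/share/selinux/strict"
```

On a real system, replace the two samples with the live `semodule -l` output and the versions of the .pp files the policy package installed; a non-zero exit marks a box where the postinst load silently failed.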