Bug 414599

Summary:	sec-policy/selinux-base-policy-2.20120215-r7 failed to emerge (postinst)
Product:	Gentoo Linux	Reporter:	Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component:	Hardened	Assignee:	SE Linux Bugs <selinux>
Status:	RESOLVED FIXED
Severity:	normal
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	build.log

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2012-05-04 14:07:08 UTC

>>> Original instance of package unmerged safely.
 * Inserting the following modules, with base, into the strict module store: application authlogin b
ootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locall
ogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil ssh staff
 storage su sysadm sysnetwork udev userdomain usermanage unprivuser xdg
 * Inserting the following modules, with base, into the targeted module store: application authlogin
 bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries loca
llogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil ssh sta
ff storage su sysadm sysnetwork udev userdomain usermanage unprivuser xdg unconfined
libsepol.check_assertion_helper: neverallow violated by allow mono_t mono_t:capability { sys_module 
};
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!
 * ERROR: sec-policy/selinux-base-policy-2.20120215-r7 failed (postinst phase):
 *   Failed to load in base and modules application authlogin bootloader clock consoletype cron dmes
g fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils m
ount mta netutils nscd portage raid rsync selinuxutil ssh staff storage su sysadm sysnetwork udev us
erdomain usermanage unprivuser xdg unconfined in the targeted policy store
 * 
 * Call stack:
 *     ebuild.sh, line  85:  Called pkg_postinst
 *   environment, line 1806:  Called die
 * The specific snippet of code:
 *           semodule -s ${i} -b base.pp ${LOCCOMMAND} || die "Failed to load in base and modules ${
LOCMODS} in the $i policy store";


Note the error:

libsepol.check_assertion_helper: neverallow violated by allow mono_t mono_t:capability { sys_module };


I guess it might be possible to work around the issue by maybe re-emerging mono policy, but I consider it a bug - all the policies should emerge cleanly.


# emerge -pv $(qlist -IC sec-policy)

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] sec-policy/selinux-base-2.20120215-r7  USE="open_perms peer_perms ubac -doc" 0 kB
[ebuild   R    ] sec-policy/selinux-base-policy-2.20120215-r7  0 kB
[ebuild   R    ] sec-policy/selinux-dbus-2.20120215  0 kB
[ebuild   R    ] sec-policy/selinux-gpg-2.20120215  0 kB
[ebuild     U  ] sec-policy/selinux-java-2.20120215 [2.20110726] 0 kB
[ebuild     U  ] sec-policy/selinux-mono-2.20120215 [2.20110726] 0 kB
[ebuild     U  ] sec-policy/selinux-mplayer-2.20120215 [2.20110726] 0 kB
[ebuild     U  ] sec-policy/selinux-wine-2.20120215 [2.20110726] 0 kB
[ebuild     U  ] sec-policy/selinux-xfs-2.20120215 [2.20110726] 0 kB
[ebuild   R    ] sec-policy/selinux-xserver-2.20120215  0 kB
[ebuild   R    ] sec-policy/selinux-consolekit-2.20120215  0 kB
[ebuild   R    ] sec-policy/selinux-dhcp-2.20120215-r5  0 kB
[ebuild   R    ] sec-policy/selinux-ntp-2.20120215  0 kB
[ebuild   R    ] sec-policy/selinux-policykit-2.20120215  0 kB
[ebuild   R    ] sec-policy/selinux-vmware-2.20120215  0 kB
[ebuild   R    ] sec-policy/selinux-wm-2.20120215  0 kB
[ebuild   R    ] sec-policy/selinux-gnupg-2.20101213-r2  0 kB
[ebuild   R    ] sec-policy/selinux-desktop-2.20110726  USE="crypt dbus -acpi -apm -avahi -bluetooth -pcmcia" 0 kB

Total: 18 packages (5 upgrades, 13 reinstalls), Size of downloads: 0 kB


# emerge --info =sec-policy/selinux-base-policy-2.20120215-r7 
Portage 2.1.10.49 (hardened/linux/amd64/selinux, gcc-4.5.3, glibc-2.13-r4, 3.2.2-hardened-r1 x86_64)
=================================================================
                        System Settings
=================================================================
System uname: Linux-3.2.2-hardened-r1-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P8700_@_2.53GHz-with-gentoo-2.0.3
Timestamp of tree: Fri, 04 May 2012 10:30:01 +0000
app-shells/bash:          4.2_p20
dev-lang/python:          2.7.2-r3, 3.2.2
dev-util/cmake:           2.8.6-r4
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.5.3-r2
sys-devel/gcc-config:     1.5-r2
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 3.1 (virtual/os-headers)
sys-libs/glibc:           2.13-r4
Repositories: gentoo x-portage
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X alsa amd64 berkdb bzip2 cli consolekit cracklib crypt cups cxx dbus dri gdbm gdu gudev hardened iconv icu jpeg justify libkms mmx modules mudflap multilib ncurses nls nptl nptlonly open_perms openmp pam pax_kernel pcre policykit pppd python readline selinux session sse sse2 ssl startup-notification sysfs tcpd thunar udev unicode urandom xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel vesa vmware" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

=================================================================
                        Package Settings
=================================================================

sec-policy/selinux-base-policy-2.20120215-r7 was built with the following:
USE="(multilib) (selinux)"

Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2012-05-04 14:08:22 UTC

Created attachment 310787 [details]
build.log

Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2012-05-04 14:37:30 UTC

(In reply to comment #0)
> Note the error:
> 
> libsepol.check_assertion_helper: neverallow violated by allow mono_t
> mono_t:capability { sys_module };
> 
> 
> I guess it might be possible to work around the issue by maybe re-emerging
> mono policy, but I consider it a bug - all the policies should emerge
> cleanly.

Confirmed: after updating selinux-mono, selinux-base-policy also emerged fine.

Comment 3 Sven Vermeulen (RETIRED) gentoo-dev

2012-05-04 20:12:09 UTC

It's indeed a bug, but it might be one we will "fix" when the next major release is made. To fix it properly, we either need to use an upgrade guide, or have each major bump install all modules in one go, which is a fairly big change on the ebuild.

Comment 4 Sven Vermeulen (RETIRED) gentoo-dev

2012-05-20 18:59:55 UTC

Being tackled as part of eclass development.

Comment 5 Sven Vermeulen (RETIRED) gentoo-dev

2012-05-26 14:49:14 UTC

New eclass is in the main tree.