| Summary: | selinux-base-policy[systemd] fails to load modules | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Xake <kanelxake> |
| Component: | SELinux | Assignee: | Jason Zaman <perfinion> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | dschridde+gentoobugs, jj, selinux |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | sec-policy r3 | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 528674 | | |
| Attachments: | Build log; Output from pp init.pp; init.cil; subsonic.cil | | |
Description
Xake
2015-12-19 11:43:23 UTC
Jason Zaman (comment #1)

you're doing this upgrade in permissive mode still right?

What happens if you do:
cd /usr/share/selinux/targeted/
semodule -i *.pp

Xake (comment #2)

(In reply to Jason Zaman from comment #1)
> you're doing this upgrade in permissive mode still right?
>
> What happens if you do:
> cd /usr/share/selinux/targeted/
> semodule -i *.pp

As commented: permissive, targeted.

liten xake # cd /usr/share/selinux/targeted/
liten targeted # semodule -i *.pp
Failed to resolve typeattributeset statement at 181 of /var/lib/selinux/targeted/tmp/modules/400/init/cil
Failed to resolve ast
semodule: Failed!

Jason Zaman (comment #3)

(In reply to Xake from comment #2)
> liten xake # cd /usr/share/selinux/targeted/
> liten targeted # semodule -i *.pp
> Failed to resolve typeattributeset statement at 181 of
> /var/lib/selinux/targeted/tmp/modules/400/init/cil
> Failed to resolve ast
> semodule: Failed!

What is on line 181? /var/lib/selinux/targeted/tmp/modules/400/init/cil will probably be gone, so you can re-generate it with:
/usr/libexec/selinux/hll/pp init.pp

Xake (comment #4)

Created attachment 420198 [details]
Output from pp init.pp

(typeattributeset cil_gen_require systemd_kmod_conf_t)

If I read the output (attached) correctly.
Xake (comment #5)

It turned out to be a missing ebuild.
After I created sec-policy/selinux-systemd and merged that, all the error messages went away.

So please add that ebuild to portage and make systemd depend on it when selinux is enabled.

Dennis Schridde (comment #6)

(In reply to Xake from comment #5)
> It turned out to be a missing ebuild.
> After I created sec-policy/selinux-systemd and merged that all the error
> messages went away.
>
> So please add that ebuild to portage and make systemd depend on it when
> selinux is enabled.

I tried this, but still get the following error:

 * Inserting the following modules into the strict module store: systemd
Failed to resolve typeattributeset statement at 173 of /var/lib/selinux/strict/tmp/modules/400/systemd/cil
Failed to resolve ast
semodule: Failed!
 * SELinux module load failed. Trying full reload...
The --base option is deprecated. Use --install instead.
Failed to resolve typeattributeset statement at 39 of /var/lib/selinux/strict/tmp/modules/400/subsonic/cil
Failed to resolve ast
semodule: Failed!

I created a simple selinux-systemd ebuild:

# cat local/sec-policy/selinux-systemd/selinux-systemd-2.20141203-r10.ebuild
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$

EAPI="5"

IUSE=""
MODS="systemd"

inherit selinux-policy-2

DESCRIPTION="SELinux policy for systemd"

if [[ $PV == 9999* ]] ; then
	KEYWORDS=""
else
	KEYWORDS="amd64 x86"
fi

And modified the systemd ebuild:

# diff -u gentoo/sys-apps/systemd/systemd-226-r2.ebuild local/sys-apps/systemd/systemd-226-r2.ebuild
--- gentoo/sys-apps/systemd/systemd-226-r2.ebuild	2016-01-10 12:31:02.000000000 +0100
+++ local/sys-apps/systemd/systemd-226-r2.ebuild	2016-01-11 17:32:10.350851484 +0100
@@ -54,7 +54,11 @@
 	pam? ( virtual/pam:= )
 	qrcode? ( media-gfx/qrencode:0= )
 	seccomp? ( sys-libs/libseccomp:0= )
-	selinux? ( sys-libs/libselinux:0= )
+	selinux? (
+		sys-libs/libselinux:0=
+		sys-libs/libsepol:0=
+		sec-policy/selinux-systemd
+	)
 	sysv-utils? ( !sys-apps/systemd-sysv-utils !sys-apps/sysvinit )

Xake: How did you do this?

Xake (comment #7)

$ cat sec-policy/selinux-systemd/selinux-systemd-2.20141203-r10.ebuild
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$

EAPI="5"

IUSE=""
MODS="systemd"

inherit selinux-policy-2

DESCRIPTION="SELinux policy for openrc"

if [[ $PV == 9999* ]] ; then
	KEYWORDS=""
else
	KEYWORDS="amd64 x86"
fi
-----------------------

After merging that and all other updates for sec-policy, everything just started to work.

$ qlist selinux-systemd
/usr/share/selinux/strict/systemd.pp
/usr/share/selinux/targeted/systemd.pp

What do you get?

Dennis Schridde (comment #8)

(In reply to Xake from comment #7)
> $ qlist selinux-systemd
> /usr/share/selinux/strict/systemd.pp
> /usr/share/selinux/targeted/systemd.pp
>
> What do you get?

# q list selinux-systemd
/usr/share/selinux/strict/systemd.pp
/usr/share/selinux/targeted/systemd.pp

I did as the selinux-policy-2.eclass einfo told me and ran:

# semodule -b base.pp -i $(ls *.pp | grep -v base.pp)
The --base option is deprecated. Use --install instead.
Failed to resolve typeattributeset statement at 39 of /var/lib/selinux/strict/tmp/modules/400/subsonic/cil
Failed to resolve ast
semodule: Failed!

Since /var/lib/selinux/strict/tmp/modules/400/subsonic/cil does not exist, I did as suggested in comment #3 and ran:

# /usr/libexec/selinux/hll/pp init.pp

Line 39 of that is:
(typeattributeset init_script_domain_type (initrc_t ))

Random guess: Xake, do you have sec-policy/selinux-openrc installed?

Xake (comment #9)

(In reply to Dennis Schridde from comment #8)
> Random guess: Xake, do you have sec-policy/selinux-openrc installed?

Yes.
I have not blocked out openrc, but let it install as the default says, and it also installs that policy.

Dennis Schridde (comment #10)

Created attachment 422754 [details]
init.cil

(In reply to Dennis Schridde from comment #8)
> Line 39 of that is:
> (typeattributeset init_script_domain_type (initrc_t ))
>
> Random guess: Xake, do you have sec-policy/selinux-openrc installed?

I have no idea how these policy files work, but a few lines later there is:
(type initrc_t)
So maybe it's just in the wrong order?

Dennis Schridde (comment #11)

# q file subsonic.pp
sec-policy/selinux-cgmanager (/usr/share/selinux/targeted/subsonic.pp)

Dennis Schridde (comment #12)

Created attachment 422756 [details]
subsonic.cil

My bad... I was looking at the wrong policy file...
This time I ran:
# /usr/libexec/selinux/hll/pp subsonic.pp
Line 39 of that is:
(typeattributeset cil_gen_require java_domain)
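Review bot: In the systemd-226-r2.ebuild hunk quoted in comment #6, the added `+		sec-policy/selinux-systemd` line makes the policy module a hard dependency of `selinux?`, yet the thread goes on to show that systemd.pp cannot be loaded on its own until init.pp's systemd interface call is wrapped in optional_policy(), so the dependency would pull in a package whose module load fails; the hunk also adds `+		sys-libs/libsepol:0=`, and nothing in the visible change shows systemd linking against libsepol directly (libselinux already depends on it). Suggest dropping the libsepol line and deferring the sec-policy dependency until the policy fix has landed; if this block is the build-time DEPEND rather than RDEPEND, a policy package belongs in RDEPEND only.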
Jason Zaman

(In reply to Dennis Schridde from comment #11)
> # q file subsonic.pp
> sec-policy/selinux-cgmanager (/usr/share/selinux/targeted/subsonic.pp)

yeah, that was my bad. It's fixed in the tree, just re-emerge it.

Jason Zaman

(In reply to Dennis Schridde from comment #6)
> (In reply to Xake from comment #5)
> > So please add that ebuild to portage and make systemd depend on it when
> > selinux is enabled.
>
> I tried this, but still get the following error:
> I created a simple selinux-systemd ebuild:

This won't work as-is unfortunately. The init.pp module depends on a systemd type. The call to the systemd interface needs to be inside an optional_policy() block. The problem is it tries to re-load init.pp and there is no systemd type, and then later the selinux-systemd package tries to load systemd.pp and the types from init are missing.

You should be able to load both together for now:
cd /usr/share/selinux/strict/; semodule -i init.pp systemd.pp

I need to send a patch upstream so they can be loaded separately before I can add the selinux-systemd policy package. I will send it in the next week or so, I have unfortunately been fairly busy. Till then, loading them manually together the first time should work.

Dennis Schridde

I can confirm this too. That's a bit unfortunate. I take it that you can't just have the ebuild postinstall do the loading?

Jason Zaman

The optional_policy() bit to fix this is merged into the repo now and I added sec-policy/selinux-systemd to the tree (only -9999 for now) in ~arch stable
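As an added example (not from the thread, and not Gentoo's own tooling), the following POSIX shell script automates the diagnosis the thread performs by hand in comments #3, #8 and #12: it parses the semodule error, regenerates the module's CIL with /usr/libexec/selinux/hll/pp to read the failing line, and searches the store's other .pp modules for the type or attribute that line requires, which is exactly the "load both together" situation Jason describes. The store layout under /usr/share/selinux and the `pp` converter path are assumed from the thread; the two parsing functions run anywhere, the regeneration step needs the SELinux tools installed.

```shell
#!/bin/sh
# Added example (not from the thread or Gentoo's tooling): map a semodule
# "Failed to resolve typeattributeset statement at N of .../<mod>/cil" error
# to the failing CIL statement and to the module that declares what it needs.
# Paths assume the Gentoo layout quoted in the thread.

# Print "<module> <line>" for a resolve error; fail for any other text.
parse_semodule_error() {
    printf '%s\n' "$1" | sed -n \
        's#.*statement at \([0-9][0-9]*\) of .*/modules/[0-9]*/\([^/]*\)/cil.*#\2 \1#p' |
        grep .
}

# Print the identifier a typeattributeset statement needs to exist already:
# X for "(typeattributeset cil_gen_require X)" (a type/attribute required from
# another module), or A for "(typeattributeset A (t ...))" (the attribute extended).
cil_required_name() {
    case $1 in
        "(typeattributeset cil_gen_require "*")")
            name=${1#"(typeattributeset cil_gen_require "}; printf '%s\n' "${name%")"}" ;;
        "(typeattributeset "*)
            name=${1#"(typeattributeset "}; printf '%s\n' "${name%% *}" ;;
        *)  return 1 ;;
    esac
}

# Regenerate <store>/<mod>.pp as CIL with the hll converter, show the failing
# statement, then search the store's other modules for the declaration.
explain_semodule_error() {
    store=$1 msg=$2
    parsed=$(parse_semodule_error "$msg") || { echo "not a resolve error: $msg" >&2; return 1; }
    mod=${parsed% *} line=${parsed#* }
    pp=/usr/share/selinux/$store/$mod.pp
    stmt=$(/usr/libexec/selinux/hll/pp "$pp" | sed -n "${line}p")
    name=$(cil_required_name "$stmt") || { echo "unrecognised statement: $stmt" >&2; return 1; }
    echo "$mod.pp line $line requires '$name'"
    for other in /usr/share/selinux/"$store"/*.pp; do
        [ "$other" = "$pp" ] && continue
        # CIL declares types as "(type X)" and attributes as "(typeattribute X)".
        if /usr/libexec/selinux/hll/pp "$other" | grep -qE "^[[:space:]]*\((type|typeattribute) $name\)"; then
            echo "declared by $(basename "$other"); load both: semodule -i $mod.pp $(basename "$other")"
            return 0
        fi
    done
    echo "no module in store '$store' declares '$name' (missing policy package?)"
    return 2
}

# Usage (hypothetical file name): sh explain.sh targeted "$(semodule -i init.pp 2>&1 | grep 'Failed to resolve')"
if [ $# -ge 2 ]; then explain_semodule_error "$1" "$2"; fi
```

Run against the thread's own error lines, the script reports that init.pp requires systemd_kmod_conf_t and, once selinux-systemd is installed, that systemd.pp declares it, so both need to be passed to one semodule -i invocation.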