| Summary: | sec-policy/selinux-base-2.20220106-r2 depends on sec-policy/selinux-xserver | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Alexander Wetzel <alexander> |
| Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
| Status: | IN_PROGRESS --- | | |
| Severity: | normal | CC: | alexander, concord |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://github.com/SELinuxProject/refpolicy/issues/488 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | emere --info after update & workaround; gentoo portage patch for selinux-base-2.20220106-r2 | | |
Description
Alexander Wetzel
2022-04-10 12:13:18 UTC
Created attachment 769844 [details]
emere --info after update & workaround
Output from emerge --info sec-policy/selinux-base (with sec-policy/selinux-xserver installed)
The problematic ebuild is sec-policy/selinux-base-policy-2.20220106-r2, not sec-policy/selinux-base-2.20220106-r2. The bug is in the patchbundle for 2.20220106-r2 and seems to be already reverted by the maintainer (perfinion) in 2.20220106-r3 for another reason: https://github.com/perfinion/hardened-refpolicy/commit/dada9b3defc6c44e73d56adf245a5812c3f08404?diff=unified

Updating only sec-policy/selinux-base-policy to 2.20220106-r3 failed and I did not want to update all selinux policies to ~amd64. So I just ported the reverted commit manually into a crude portage patch and with the thus patched sec-policy/selinux-base-policy I could remove sec-policy/selinux-xserver again.

Created attachment 769859 [details, diff]
gentoo portage patch for selinux-base-2.20220106-r2

First, looks like selinux-base-2.20220106-r2 is the problematic ebuild after all...

This is the manual port of https://github.com/perfinion/hardened-refpolicy/commit/dada9b3defc6c44e73d56adf245a5812c3f08404 to gentoo portage patch. With this in /etc/portage/patches/sec-policy/selinux-base-2.20220106-r2 and a reinstall of selinux-base-2.20220106-r2 I was able to remove the xserver module and make reload all selinux modules.

So I guess the correct solution will be making 2.20220106-r3 stable...

Upstream bug: https://github.com/SELinuxProject/refpolicy/issues/488

Stabilized -r3 in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4d7e98976dcb5420aa2b963ea90a744820dbcdd

The main difference from -r2 is reverting the sddm commit so things should work again. I will discuss with upstream and figure out how to handle this best