From: Nicolas Iooss <nicolas.iooss@m4x.org>
To: selinux <selinux@tycho.nsa.gov>
Subject: SELinux Userspace Release 2014-08-26-rc2 feedback on Arch
Date: Sat, 06 Sep 2014 18:39:38 +0200
Message-ID: <540B38CA.5060200@m4x.org>

Hi,

I've successfully built and installed components of the SELinux
Userspace Release 2014-08-26-rc2 on my Arch Linux system. I had some
minor issues because:

* "flex" was not up to date on my system. This was easy to fix.
* Some Makefiles use "python" instead of "$(PYTHON)" with Python2 code.
  Doing some "sed" commands in the PKGBUILD script worked around this.
* I used LIBEXECDIR="${pkgdir}/usr/lib" but libsemanage still wanted to
  use /usr/libexec/selinux/hll/pp. Setting compiler-directory variable
  in /etc/selinux/semanage.conf solved this issue.

Now I would like to migrate my policy to the new store. The helper
script fails with this message:

    # /usr/lib/selinux/semanage_migrate_store
    Migrating from /etc/selinux/refpolicy-patched/modules/active to /var/lib/selinux/refpolicy-patched/active
    Attempting to rebuild policy from /var/lib/selinux
    sysnetwork: Warning: 'else' blocks in optional statements are unsupported in CIL. Dropping from output.
    Failed to resolve roletype statement at 14 of /var/lib/selinux/refpolicy-patched/tmp/modules/100/accountsd/cil
    Failed to resolve ast
    Traceback (most recent call last):
      File "/usr/lib/selinux/semanage_migrate_store", line 313, in <module>
        rebuild_policy()
      File "/usr/lib/selinux/semanage_migrate_store", line 212, in rebuild_policy
        rc = semanage.semanage_commit(handle)
    OSError: [Errno 0] Error

Moreover, doing "semodule -i whatever_module.pp" gives the same error
messages. After some investigation I've found that line 14 of the
reported file is:

    (roletype system_r accountsd_t)

... and that system_r is defined as a role in refpolicy in
modules/kernel/kernel.te, which is included in base.pp. This role
definition is eaten by the pp compiler (as expected, according to a
thread in this ML two days ago). As system_r is not defined in any
module, semanage fails.

A quick-and-dirty fix consists in building a new module with only "role
system_r;". Then I've been able to successfully build the policy in its
new store, but this looks dirty. Is there a better way to solve this
issue or does the system_r definition need to be moved into a real module?

By the way, "OSError: [Errno 0] Error" is quite strange...

Best,
Nicolas
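
The failure reported in the message above can be checked for ahead of a store migration. The following is an added example, not part of the original message or of the SELinux userspace code: it scans the CIL text of a set of modules for roletype statements whose role is declared in no module. The module contents, the dhcpc_t type and the system_r_decl module name are constructed; the code assumes the CIL text has already been read from the store and it ignores CIL block namespaces.

```python
import re

# Assumption: a role is declared by (role NAME) or (roleattribute NAME), and
# (roletype ROLE TYPE) fails to resolve when ROLE is declared in no module.
# Simplification: names are treated as global (block namespaces are ignored).
TOKEN = re.compile(r';[^\n]*|"[^"]*"|[()]|[^\s()";]+')

def parse_cil(text):
    """Parse CIL text into nested lists (s-expressions), skipping ';' comments."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok.startswith(';'):
            continue
        if tok == '(':
            stack.append([])
        elif tok == ')':
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def walk(nodes):
    """Yield every list node, descending into nested statements (e.g. optional)."""
    for n in nodes:
        if isinstance(n, list):
            yield n
            yield from walk(n)

def unresolved_roletypes(modules):
    """modules: {name: CIL text}. Return sorted (module, role, type) with undeclared role."""
    trees = {name: parse_cil(text) for name, text in modules.items()}
    declared = {n[1] for t in trees.values() for n in walk(t) if len(n) == 2
                and n[0] in ("role", "roleattribute") and isinstance(n[1], str)}
    return sorted((name, n[1], n[2]) for name, t in trees.items() for n in walk(t)
                  if len(n) == 3 and n[0] == "roletype"
                  and isinstance(n[1], str) and n[1] not in declared)

# Constructed sample; only the accountsd roletype line is quoted from the message.
SAMPLE = {
    "accountsd": "; constructed\n(type accountsd_t)\n(roletype system_r accountsd_t)\n",
    "sysnetwork": "(optional sysnetwork_optional_1\n (roletype system_r dhcpc_t))\n",
}
FIX = {"system_r_decl": "(role system_r)\n"}  # hypothetical workaround module

if __name__ == "__main__":
    print(unresolved_roletypes(SAMPLE), unresolved_roletypes({**SAMPLE, **FIX}))
```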