SELinux Userspace Release 2014-08-26-rc2 feedback on Arch

SELinux Userspace Release 2014-08-26-rc2 feedback on Arch

[Nicolas Iooss]

Hi,

I've successfully built and installed components of the SELinux
Userspace Release 2014-08-26-rc2 on my Arch Linux system.  I had some
minor issues because:

* "flex" was not up to date on my system.  This was easy to fix.
* Some Makefiles use "python" instead of "$(PYTHON)" with Python2 code.
  Doing some "sed" commands in the PKGBUILD script worked around this.
* I used LIBEXECDIR="${pkgdir}/usr/lib" but libsemanage still wanted to
  use /usr/libexec/selinux/hll/pp.  Setting compiler-directory variable
  in /etc/selinux/semanage.conf solved this issue.

Now I would like to migrate my policy to the new store.  The helper
script fails with this message:

  # /usr/lib/selinux/semanage_migrate_store
  Migrating from /etc/selinux/refpolicy-patched/modules/active to
  /var/lib/selinux/refpolicy-patched/active
  Attempting to rebuild policy from /var/lib/selinux
  sysnetwork: Warning: 'else' blocks in optional statements are
  unsupported in CIL. Dropping from output.
  Failed to resolve roletype statement at 14 of
  /var/lib/selinux/refpolicy-patched/tmp/modules/100/accountsd/cil
  Failed to resolve ast
  Traceback (most recent call last):
    File "/usr/lib/selinux/semanage_migrate_store", line 313, in
  <module>
      rebuild_policy()
    File "/usr/lib/selinux/semanage_migrate_store", line 212, in
  rebuild_policy
    rc = semanage.semanage_commit(handle)
  OSError: [Errno 0] Error

Moreover doing "semodule -i whatever_module.pp" gives the same error
messages.  After some investigation I've found that line 14 of the
reported file is:

  (roletype system_r accountsd_t)

... and that system_r is defined as a role in refpolicy in
modules/kernel/kernel.te, which is included in base.pp.  This role
definition is eaten by the pp compiler (as expected, according to a
thread in this ML two days ago).  As system_r is not defined in any
module, semanage fails.

A quick-and-dirty fix consists in building a new module with only "role
system_r;".  Then I've been able to successfully build the policy in its
new store, but this looks dirty.  Is there a better way to solve this
issue or does system_r definition needs to be moved in a real module?

By the way, "OSError: [Errno 0] Error" is quite strange...

Best,

Nicolas

Re: SELinux Userspace Release 2014-08-26-rc2 feedback on Arch

[Steve Lawrence]

On 09/06/2014 12:39 PM, Nicolas Iooss wrote:
> Hi,
> 
> I've successfully built and installed components of the SELinux
> Userspace Release 2014-08-26-rc2 on my Arch Linux system.  I had some
> minor issues because:
> 
> * "flex" was not up to date on my system.  This was easy to fix.
> * Some Makefiles use "python" instead of "$(PYTHON)" with Python2 code.
>   Doing some "sed" commands in the PKGBUILD script worked around this.
> * I used LIBEXECDIR="${pkgdir}/usr/lib" but libsemanage still wanted to
>   use /usr/libexec/selinux/hll/pp.  Setting compiler-directory variable
>   in /etc/selinux/semanage.conf solved this issue.
> 
> Now I would like to migrate my policy to the new store.  The helper
> script fails with this message:
> 
>   # /usr/lib/selinux/semanage_migrate_store
>   Migrating from /etc/selinux/refpolicy-patched/modules/active to
>   /var/lib/selinux/refpolicy-patched/active
>   Attempting to rebuild policy from /var/lib/selinux
>   sysnetwork: Warning: 'else' blocks in optional statements are
>   unsupported in CIL. Dropping from output.
>   Failed to resolve roletype statement at 14 of
>   /var/lib/selinux/refpolicy-patched/tmp/modules/100/accountsd/cil
>   Failed to resolve ast
>   Traceback (most recent call last):
>     File "/usr/lib/selinux/semanage_migrate_store", line 313, in
>   <module>
>       rebuild_policy()
>     File "/usr/lib/selinux/semanage_migrate_store", line 212, in
>   rebuild_policy
>     rc = semanage.semanage_commit(handle)
>   OSError: [Errno 0] Error
> 
> Moreover doing "semodule -i whatever_module.pp" gives the same error
> messages.  After some investigation I've found that line 14 of the
> reported file is:
> 
>   (roletype system_r accountsd_t)
> 
> ... and that system_r is defined as a role in refpolicy in
> modules/kernel/kernel.te, which is included in base.pp.  This role
> definition is eaten by the pp compiler (as expected, according to a
> thread in this ML two days ago).  As system_r is not defined in any
> module, semanage fails.
> 
> A quick-and-dirty fix consists in building a new module with only "role
> system_r;".  Then I've been able to successfully build the policy in its
> new store, but this looks dirty.  Is there a better way to solve this
> issue or does system_r definition needs to be moved in a real module?
> 
> By the way, "OSError: [Errno 0] Error" is quite strange...
> 

Thanks for the feedback. All good. We'll look into these issues. If you
have any already fixed (like the python changes) feel free to submit
them and we can review/pull them in.

As far as the roletype issues, we are actively working on it and should
have a fix this week. In the mean time, your solution of adding a module
that defines the role is probably the best workaround, but should not be
necessary once we get the fixes in.

Thanks,
- Steve