* ANN: SELinux Userspace Release: 20140826-rc7
From: Steve Lawrence @ 2014-12-04 19:15 UTC (permalink / raw)
To: SELinux List
The seventh release candidate for the next release of SELinux Userspace
[1] is now available. The tarballs have been built and can be downloaded
from the Releases wiki page [2]. Changes since rc6 [3] include:
- correct roletype statements in pp2cil compiler, so that all
roles/types are properly associated
- add python3 support to the semanage store migration script
- report all neverallow violations
- fix expand logic to prevent segmentation fault for policy versions
older than 24
- close hll file descriptors to prevent leaking, which caused avc denials
- update mcstrans systemd unit file to create /var/run/setrans directory
- set correct selinux labels in the semanage store migration script
- multiple fixes to CIL, including refactoring, proper association of
object_r with users, blockabstract resolution errors, and potential
memory leaks
As with the previous rc, action after installing the release candidate
is required to migrate the policy store from /etc/selinux to
/var/lib/selinux if it has not already been migrated. Detailed
information about this process can be found on the Policy Store
Migration wiki page [4].
Because the pp2cil compiler has been updated, any cached CIL
modules should be rebuilt. This can be done with the
--ignore-module-cache semodule option.
Additionally, the latest reference policy release [5] includes updated
policy to properly label the new policy store in /var/lib/selinux.
Please give this a test and let us know if you find any problems.
Thanks,
- Steve
[1] https://github.com/SELinuxProject/selinux
[2] https://github.com/SELinuxProject/selinux/wiki/Releases
[3] http://marc.info/?l=selinux&m=141580047500746&w=2
[4] https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration
[5] http://oss.tresys.com/pipermail/refpolicy/2014-December/007527.html
* Re: ANN: SELinux Userspace Release: 20140826-rc7
From: Sven Vermeulen @ 2014-12-14 15:46 UTC (permalink / raw)
To: SELinux
On Thu, Dec 4, 2014 at 8:15 PM, Steve Lawrence <slawrence@tresys.com> wrote:
> The seventh release candidate for the next release of SELinux Userspace
> [1] is now available. T
[...]
Hi all
Is it possible to keep the tmp/ directory when building/loading a policy fails?
# semodule -v -i foo.pp
Attempting to install module 'foo.pp':
Ok: return value of 0.
Committing changes:
Conflicting type rules
Binary policy creation failed at line 177 of
/var/lib/selinux/mcs/tmp/modules/400/java/cil
Failed to generate binary
semodule: Failed!
The tmp/ directory is cleared so it is not possible to use that
location for troubleshooting.
In this particular case, I could find the java/cil in the
/var/lib/selinux/mcs/active/modules/400 location, but if the error
would be within the foo.pp-generated CIL file, then the CIL file
cannot be found anymore.
Wkr,
Sven Vermeulen
* Re: ANN: SELinux Userspace Release: 20140826-rc7
From: Jason Zaman @ 2014-12-14 16:04 UTC (permalink / raw)
To: Sven Vermeulen; +Cc: SELinux
On Sun, Dec 14, 2014 at 04:46:40PM +0100, Sven Vermeulen wrote:
> On Thu, Dec 4, 2014 at 8:15 PM, Steve Lawrence <slawrence@tresys.com> wrote:
> > The seventh release candidate for the next release of SELinux Userspace
> > [1] is now available. T
> [...]
>
> Hi all
>
> Is it possible to keep the tmp/ directory when building/loading a policy fails?
>
> # semodule -v -i foo.pp
> Attempting to install module 'foo.pp':
> Ok: return value of 0.
> Committing changes:
> Conflicting type rules
> Binary policy creation failed at line 177 of
> /var/lib/selinux/mcs/tmp/modules/400/java/cil
Alternatively, would it be possible to just print out line 177 to the
terminal? Diving into files is less ideal than just seeing both
conflicting lines directly in the output.
e.g. when there are errors during building:
/usr/bin/checkmodule: loading policy configuration from tmp/mycustom.tmp
mycustom.te:55:ERROR 'unknown type stttttaff_t' at token ';' on line 2790:
allow stttttaff_t syslogd_t:unix_dgram_socket sendto;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
> Failed to generate binary
> semodule: Failed!
>
> The tmp/ directory is cleared so it is not possible to use that
> location for troubleshooting.
>
> In this particular case, I could find the java/cil in the
> /var/lib/selinux/mcs/active/modules/400 location, but if the error
> would be within the foo.pp-generated CIL file, then the CIL file
> cannot be found anymore.
>
> Wkr,
> Sven Vermeulen
* Re: ANN: SELinux Userspace Release: 20140826-rc7
From: Steve Lawrence @ 2014-12-15 15:12 UTC (permalink / raw)
To: Jason Zaman, Sven Vermeulen; +Cc: SELinux
On 12/14/2014 11:04 AM, Jason Zaman wrote:
> On Sun, Dec 14, 2014 at 04:46:40PM +0100, Sven Vermeulen wrote:
>> On Thu, Dec 4, 2014 at 8:15 PM, Steve Lawrence <slawrence@tresys.com> wrote:
>>> The seventh release candidate for the next release of SELinux Userspace
>>> [1] is now available. T
>> [...]
>>
>> Hi all
>>
>> Is it possible to keep the tmp/ directory when building/loading a policy fails?
>>
>> # semodule -v -i foo.pp
>> Attempting to install module 'foo.pp':
>> Ok: return value of 0.
>> Committing changes:
>> Conflicting type rules
>> Binary policy creation failed at line 177 of
>> /var/lib/selinux/mcs/tmp/modules/400/java/cil
>
> Alternatively, would it be possible to just print out line 177 to the
> terminal? Diving into files is less ideal than just seeing both
> conflicting lines directly in the output.
>
> e.g. when there are errors during building:
> /usr/bin/checkmodule: loading policy configuration from tmp/mycustom.tmp
> mycustom.te:55:ERROR 'unknown type stttttaff_t' at token ';' on line 2790:
> allow stttttaff_t syslogd_t:unix_dgram_socket sendto;
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
>
>
>> Failed to generate binary
>> semodule: Failed!
>>
>> The tmp/ directory is cleared so it is not possible to use that
>> location for troubleshooting.
>>
>> In this particular case, I could find the java/cil in the
>> /var/lib/selinux/mcs/active/modules/400 location, but if the error
>> would be within the foo.pp-generated CIL file, then the CIL file
>> cannot be found anymore.
>>
Both good suggestions. I agree that it can be difficult to track down
issues. CIL diagnostics have plenty of room for improvement.
One thing that may help, if you were not already aware, you can always
compile the pp file to CIL yourself with something like this:
$ cat /var/lib/selinux/.../hll | bunzip2 | /usr/libexec/selinux/hll/pp
It's not perfect, but should allow you to view the generated CIL and
figure out where the error is to help track things down.
With all that said, I'm not sure this is a blocker, and is something we'll
target to improve in the next SELinux Userspace release.
- Steve
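The bunzip2/pp pipeline above, turned into an added example (not code from the thread or from the SELinux userspace project) that recovers a module's CIL from the policy store and prints the lines around the line number semodule reported, as Jason asked for. It assumes each module directory under active/modules/<priority>/<name>/ holds an hll file and a lang_ext file saying "pp" or "cil", and that store files may be bzip2-compressed.

```python
"""Recover a module's CIL from the SELinux policy store and show the lines
around the line number semodule reported, since its tmp/ dir is cleared.
Assumed layout: <store>/active/modules/<priority>/<name>/{hll,lang_ext}."""
import bz2
import os
import subprocess
import tempfile

PP_TO_CIL = "/usr/libexec/selinux/hll/pp"  # pp-to-CIL converter from the thread

def read_store_file(path):
    """Return the raw bytes of a store file, decompressing bzip2 if needed."""
    with open(path, "rb") as f:
        data = f.read()
    return bz2.decompress(data) if data.startswith(b"BZh") else data

def module_cil(store, priority, name, converter=PP_TO_CIL):
    """Return the module's CIL as text, running the hll converter for pp."""
    mod_dir = os.path.join(store, "active", "modules", str(priority), name)
    lang = read_store_file(os.path.join(mod_dir, "lang_ext")).strip()
    hll = read_store_file(os.path.join(mod_dir, "hll"))
    if lang == b"cil":
        return hll.decode()
    if lang == b"pp":
        # Same as: cat .../hll | bunzip2 | /usr/libexec/selinux/hll/pp
        proc = subprocess.run([converter], input=hll, capture_output=True, check=True)
        return proc.stdout.decode()
    raise ValueError("unknown module language %r" % lang)

def error_context(cil_text, line_no, radius=2):
    """Return (lineno, line) pairs around the 1-based line from the error."""
    lines = cil_text.splitlines()
    lo, hi = max(1, line_no - radius), min(len(lines), line_no + radius)
    return [(n, lines[n - 1]) for n in range(lo, hi + 1)]

def make_sample_store():
    """Build a constructed one-module store (CIL source, bzip2-packed)."""
    store = tempfile.mkdtemp()
    mod_dir = os.path.join(store, "active", "modules", "400", "demo")
    os.makedirs(mod_dir)
    cil = "(type demo_t)\n(allow demo_t self (file (read)))\n(allow demo_t self (file (write)))\n"
    with open(os.path.join(mod_dir, "hll"), "wb") as f:
        f.write(bz2.compress(cil.encode()))
    with open(os.path.join(mod_dir, "lang_ext"), "w") as f:
        f.write("cil\n")
    return store

if __name__ == "__main__":
    for n, line in error_context(module_cil(make_sample_store(), 400, "demo"), 2, 1):
        print("%4d: %s" % (n, line))
```

On a real store, call module_cil("/var/lib/selinux/mcs", 400, "java") and pass the reported line (177 in Sven's output) to error_context.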
* Re: ANN: SELinux Userspace Release: 20140826-rc7
From: Sven Vermeulen @ 2014-12-15 18:33 UTC (permalink / raw)
To: Steve Lawrence; +Cc: SELinux
On Mon, Dec 15, 2014 at 4:12 PM, Steve Lawrence <slawrence@tresys.com> wrote:
> Both good suggestions. I agree that it can be difficult to track down
> issues. CIL diagnostics have plenty of room for improvement.
>
> One thing that may help, if you were not already aware, you can always
> compile the pp file to CIL yourself with something like this:
>
> $ cat /var/lib/selinux/.../hll | bunzip2 | /usr/libexec/selinux/hll/pp
>
> It's not perfect, but should allow you to view the generated CIL and
> figure out where the error is to help track things down.
>
> With all that said, I'm not sure this is a blocker, and is something we'll
> target to improve in the next SELinux Userspace release.
Ah yes, using the /usr/libexec/selinux/hll/pp application to generate
the CIL is a big help, thanks.
It is indeed not blocking.
Wkr,
Sven Vermeulen