On 09/06/2014 12:39 PM, Nicolas Iooss wrote:
> Hi,
>
> I've successfully built and installed components of the SELinux
> Userspace Release 2014-08-26-rc2 on my Arch Linux system. I had some
> minor issues because:
>
> * "flex" was not up to date on my system. This was easy to fix.
> * Some Makefiles use "python" instead of "$(PYTHON)" with Python2 code.
>   Doing some "sed" commands in the PKGBUILD script worked around this.
> * I used LIBEXECDIR="${pkgdir}/usr/lib" but libsemanage still wanted to
>   use /usr/libexec/selinux/hll/pp. Setting the compiler-directory variable
>   in /etc/selinux/semanage.conf solved this issue.
>
> Now I would like to migrate my policy to the new store. The helper
> script fails with this message:
>
>     # /usr/lib/selinux/semanage_migrate_store
>     Migrating from /etc/selinux/refpolicy-patched/modules/active to
>     /var/lib/selinux/refpolicy-patched/active
>     Attempting to rebuild policy from /var/lib/selinux
>     sysnetwork: Warning: 'else' blocks in optional statements are
>     unsupported in CIL. Dropping from output.
>     Failed to resolve roletype statement at 14 of
>     /var/lib/selinux/refpolicy-patched/tmp/modules/100/accountsd/cil
>     Failed to resolve ast
>     Traceback (most recent call last):
>       File "/usr/lib/selinux/semanage_migrate_store", line 313, in
>     <module>
>         rebuild_policy()
>       File "/usr/lib/selinux/semanage_migrate_store", line 212, in
>     rebuild_policy
>         rc = semanage.semanage_commit(handle)
>     OSError: [Errno 0] Error
>
> Moreover doing "semodule -i whatever_module.pp" gives the same error
> messages. After some investigation I've found that line 14 of the
> reported file is:
>
>     (roletype system_r accountsd_t)
>
> ... and that system_r is defined as a role in refpolicy in
> modules/kernel/kernel.te, which is included in base.pp. This role
> definition is eaten by the pp compiler (as expected, according to a
> thread in this ML two days ago). As system_r is not defined in any
> module, semanage fails.
>
> A quick-and-dirty fix consists in building a new module with only "role
> system_r;". Then I've been able to successfully build the policy in its
> new store, but this looks dirty. Is there a better way to solve this
> issue or does the system_r definition need to be moved into a real module?
>
> By the way, "OSError: [Errno 0] Error" is quite strange...
>

Thanks for the feedback. All good. We'll look into these issues. If you have any already fixed (like the python changes) feel free to submit them and we can review/pull them in.

As far as the roletype issues, we are actively working on it and should have a fix this week. In the meantime, your solution of adding a module that defines the role is probably the best workaround, but should not be necessary once we get the fixes in.

Thanks,
- Steve
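
The failure discussed in this thread can be checked for ahead of a commit. The following is an added example, not code from the thread or from the SELinux userspace project: a simplified scan of CIL module text that lists every `roletype` statement whose role no module declares. The module contents are constructed samples, the function names are hypothetical, and the scan ignores CIL namespaces and macros.

```python
import re

# Constructed sample CIL modules (module name -> CIL text), mirroring the
# failure in the thread: accountsd references system_r, nothing declares it.
SAMPLE_MODULES = {
    "accountsd": """
        ; constructed sample, not real refpolicy output
        (type accountsd_t)
        (roletype system_r accountsd_t)
    """,
    "sysnetwork": """
        (roleattribute dhcpc_roles)
        (type dhcpc_t)
        (optional sysnetwork_optional_1
            (roletype dhcpc_roles dhcpc_t))
    """,
}

def parse_sexprs(text):
    """Parse CIL text into nested lists; ';' starts a comment."""
    text = re.sub(r";[^\n]*", "", text)
    root, stack = [], []
    cur = root
    for tok in re.findall(r'\(|\)|"[^"]*"|[^\s()]+', text):
        if tok == "(":
            stack.append(cur)
            cur.append([])
            cur = cur[-1]
        elif tok == ")":
            if not stack:
                raise ValueError("unbalanced ')'")
            cur = stack.pop()
        else:
            cur.append(tok)
    if stack:
        raise ValueError("unbalanced '('")
    return root

def walk(node):
    """Yield every list-form statement, including ones nested in optionals."""
    for child in node:
        if isinstance(child, list):
            yield child
            yield from walk(child)

def unresolved_roletypes(modules):
    """Return sorted (module, role, type) tuples for roletype statements whose
    role has no (role ...) or (roleattribute ...) declaration in any module."""
    stmts = [(m, s) for m, text in modules.items() for s in walk(parse_sexprs(text))]
    declared = {s[1] for _, s in stmts
                if len(s) == 2 and s[0] in ("role", "roleattribute")}
    return sorted((m, s[1], s[2]) for m, s in stmts
                  if len(s) == 3 and s[0] == "roletype"
                  and isinstance(s[1], str) and s[1] not in declared)
```

Adding a module whose CIL contains `(role system_r)`, the CIL form of the workaround described above, makes the reported list empty for this sample.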