Hi,

I've got a bug report from Milos Malik <mmalik@xxxxxxxxxx> that the current
semodule does not reject policies with duplicate fc entries.

[root@fedora selinux]# semanage fcontext -l | grep '/var/run/passenger'
/var/run/passenger(/.*)? all files system_u:object_r:passenger_var_run_t:s0
[root@fedora selinux]# cat mypolicy.fc
/var/run/passenger(/.*)? system_u:object_r:mail_home_rw_t:s0
...
[root@fedora selinux]# semodule -i mypolicy.pp
[root@fedora selinux]#

Using -v, semodule rejects the policy as expected:

[root@fedora selinux]# semodule -v -i mypolicy.pp
Attempting to install module 'mypolicy.pp':
Ok: return value of 0.
Committing changes:
Found conflicting filecon rules
  at /var/lib/selinux/targeted/tmp/modules/400/mypolicy/cil:3
  at /var/lib/selinux/targeted/tmp/modules/100/passenger/cil:343
Problems processing filecon rules
Failed post db handling
Post process failed
semodule: Failed!

I've bisected the problem to the commit
bc26ddc59c8dc76aefb841166f6e18672fb88adc ("libsepol/cil: Limit the amount of
reporting for context rule conflicts")

Before this commit semodule rejects duplicate fc's with/without -v:

[root@fedora selinux]# semodule -i mypolicy.pp
Problems processing filecon rules
Failed post db handling
Post process failed
semodule: Failed!

[root@fedora selinux]# semodule -v -i mypolicy.pp
Attempting to install module 'mypolicy.pp':
Ok: return value of 0.
Committing changes:
Found conflicting filecon rules
  at /var/lib/selinux/targeted/tmp/modules/100/passenger/cil:343
  at /var/lib/selinux/targeted/tmp/modules/400/mypolicy/cil:3
Problems processing filecon rules
Failed post db handling
Post process failed
semodule: Failed!

Petr
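
Added example, not part of the original message and not code from semodule or libsepol: a pre-install check that flags a module .fc entry whose path specification and file type match a rule in the `semanage fcontext -l` listing while the context differs, so the result does not depend on semodule's exit status. It assumes raw contexts in the .fc file as shown in the report; the function names and the second sample rule are hypothetical.

```python
import sys

# .fc file-type flags and the type names `semanage fcontext -l` prints.
FC_FLAGS = {"--": "regular file", "-d": "directory", "-c": "character device",
            "-b": "block device", "-s": "socket", "-l": "symbolic link",
            "-p": "named pipe"}

# Constructed samples modelled on the report; the /var/log/example rows and
# the equivalence row are made up for illustration.
SEMANAGE_LISTING = """\
SELinux fcontext type Context

/var/run/passenger(/.*)? all files system_u:object_r:passenger_var_run_t:s0
/var/log/example(/.*)? all files system_u:object_r:var_log_t:s0
/run = /var/run
"""
MODULE_FC = """\
# mypolicy.fc
/var/run/passenger(/.*)? system_u:object_r:mail_home_rw_t:s0
/var/log/example(/.*)? -- system_u:object_r:mail_home_rw_t:s0
"""

def parse_listing(text):
    """Yield (path, type, context) rows from `semanage fcontext -l` output."""
    for line in text.splitlines():
        f = line.split()
        # Skip headers, blank lines and equivalence rows ("/run = /var/run").
        if len(f) < 3 or not f[0].startswith("/") or f[1] == "=":
            continue
        yield f[0], " ".join(f[1:-1]), f[-1]

def parse_fc(text):
    """Yield (path, type, context) from .fc lines: PATH [FLAG] CONTEXT."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if len(f) == 2:
            yield f[0], "all files", f[1]
        elif len(f) == 3 and f[1] in FC_FLAGS:
            yield f[0], FC_FLAGS[f[1]], f[2]
        else:
            raise ValueError(f"unrecognised .fc line: {line!r}")

def find_conflicts(fc_text, listing_text):
    """Return (path, type, module_ctx, installed_ctx) for conflicting entries."""
    installed = {(p, t): c for p, t, c in parse_listing(listing_text)}
    return [(p, t, c, installed[(p, t)]) for p, t, c in parse_fc(fc_text)
            if (p, t) in installed and installed[(p, t)] != c]

if __name__ == "__main__":
    conflicts = find_conflicts(MODULE_FC, SEMANAGE_LISTING)
    for path, ftype, new, old in conflicts:
        print(f"conflict: {path} [{ftype}] module={new} installed={old}")
    sys.exit(1 if conflicts else 0)
```

The comparison is on the literal specification text and file type, so two different regular expressions that match the same paths are not reported.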