Bug 1801249
| Summary: | some policy interfaces cannot be compiled | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Priority: | medium |
| Version: | 8.2 | CC: | lvrabec, mmalik, plautrba, ssekidde |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.5 | Flags: | pm-rhel: mirror+ |
| Hardware: | All | OS: | Linux |
| Fixed In Version: | selinux-policy-3.14.3-69.el8 | Doc Type: | No Doc Update |
| Last Closed: | 2021-11-09 19:42:28 UTC | Type: | Bug |

Description
Milos Malik
2020-02-10 14:02:02 UTC
The automated TC revealed the following problems when testing the selinux-policy 3.14.3-51.el8 packages on RHEL-8.3:

    Compile test for container_filetrans_named_content failed.
    Compile test for cron_admin_role failed.
    Compile test for cron_role failed.
    Compile test for cron_unconfined_role failed.
    Compile test for rpm_named_filetrans failed.

Compilation of interfaces cron_role, cron_admin_role, cron_unconfined_role leads to the same error message:

    compiletest.te:43:ERROR 'unknown type sepolicy_domain_t_t' at token ';' on line 4427:
    #line 43
    typeattribute sepolicy_domain_t_t crontab_domain;
    /usr/bin/checkmodule: error(s) encountered while parsing configuration
    make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1

But the remaining 2 interfaces produce different errors:

    # sepolicy interface -c -i rpm_named_filetrans
    Compiling rpm_named_filetrans interface
    Compiling targeted compiletest module
    compiletest.te:43:ERROR 'unknown type rpm_var_cache_t used in transition definition' at token ';' on line 4595:
    type_transition sepolicy_domain_t var_t:dir rpm_var_cache_t "dnf";
    #line 43
    /usr/bin/checkmodule: error(s) encountered while parsing configuration
    make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1
    Compile test for rpm_named_filetrans failed.

    # sepolicy interface -c -i container_filetrans_named_content
    Compiling container_filetrans_named_content interface
    Compiling targeted compiletest module
    compiletest.te:43:ERROR 'unknown type container_kvm_var_run_t used in transition definition' at token ';' on line 4731:
    type_transition sepolicy_domain_t var_run_t:dir container_kvm_var_run_t "kata-containers";
    #line 43
    /usr/bin/checkmodule: error(s) encountered while parsing configuration
    make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1
    Compile test for container_filetrans_named_content failed.

Fixed in rawhide:

commit b7b77904e0a165fc3ef54fe8c6f12405261c47b5 (HEAD -> rawhide, upstream/rawhide, upstream-rw/rawhide)
Author: Zdenek Pytela <zpytela>
Date: Wed Feb 24 19:45:15 2021 +0100

    Add missing declaration in rpm_named_filetrans()

    In the rpm_named_filetrans() interface, the rpm_var_cache_t type was
    used, but not previously declared.

    As a result, the interface test compile failed using sepolicy-interface:

    $ sepolicy interface -c -i rpm_named_filetrans
    Compiling rpm_named_filetrans interface
    Compiling targeted compiletest module
    compiletest.te:43:ERROR 'unknown type rpm_var_cache_t used in transition definition' at token ';' on line 4641:
    type_transition sepolicy_domain_t var_t:dir rpm_var_cache_t "dnf";
    /usr/bin/checkmodule: error(s) encountered while parsing configuration
    make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1
    Compile test for rpm_named_filetrans failed.

    Resolves: rhbz#1801249

commit 62db6d0b9fef710c6b186490861f6e816d2fa139
Author: Zdenek Pytela <zpytela>
Date: Wed Feb 24 19:00:22 2021 +0100

    Change param description in cron interfaces to userdomain_prefix

    In the cron_role(), cron_unconfined_role(), and cron_admin_role()
    interfaces the second parameter name was incorrectly stated as "domain"
    while it should rather be "userdomain_prefix". As an example, "user" is
    the userdomain prefix for the "user_t" domain.

    As a result, test compile of these interfaces failed using sepolicy-interface:

    $ sepolicy interface -c -i cron_unconfined_role
    Compiling cron_unconfined_role interface
    Compiling targeted compiletest module
    compiletest.te:43:ERROR 'unknown type sepolicy_domain_t_t' at token ';' on line 4423:
    typeattribute sepolicy_domain_t_t crontab_domain;
    /usr/bin/checkmodule: error(s) encountered while parsing configuration
    make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1
    Compile test for cron_unconfined_role failed.

    Resolves: rhbz#1801249

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420
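
A triage helper for the compile-test output quoted in this report, added here as an example; it is not part of sepolicy or of the selinux-policy project. The function name `triage`, the diagnosis strings and the `_t_t` heuristic are assumptions, and the sample input is constructed from the error lines shown in the two commit messages above.

```python
import re

# Constructed sample: concatenated compile-test output, built from the
# error lines quoted in the two commit messages of this report.
SAMPLE = """\
Compiling cron_unconfined_role interface
Compiling targeted compiletest module
compiletest.te:43:ERROR 'unknown type sepolicy_domain_t_t' at token ';' on line 4423:
typeattribute sepolicy_domain_t_t crontab_domain;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
Compile test for cron_unconfined_role failed.
Compiling rpm_named_filetrans interface
Compiling targeted compiletest module
compiletest.te:43:ERROR 'unknown type rpm_var_cache_t used in transition definition' at token ';' on line 4641:
type_transition sepolicy_domain_t var_t:dir rpm_var_cache_t "dnf";
/usr/bin/checkmodule: error(s) encountered while parsing configuration
Compile test for rpm_named_filetrans failed.
"""

# "Compiling <name> interface" opens the output of one compile test.
START = re.compile(r"^Compiling (\S+) interface$")
# checkmodule names the undeclared type right after "unknown type".
UNKNOWN = re.compile(r"ERROR 'unknown type (\w+)")


def triage(output):
    """Map each failing interface to (unknown_type, diagnosis)."""
    findings, current = {}, None
    for line in output.splitlines():
        m = START.match(line.strip())
        if m:
            current = m.group(1)
            continue
        m = UNKNOWN.search(line)
        if m and current and current not in findings:
            name = m.group(1)
            if name.endswith("_t_t"):
                # Heuristic (assumption): "_t" was appended to a full type
                # name, so the parameter is a prefix described as a domain.
                why = "prefix parameter described as domain"
            else:
                why = "type used without a prior declaration"
            findings[current] = (name, why)
    return findings


if __name__ == "__main__":
    for iface, (name, why) in triage(SAMPLE).items():
        print(f"{iface}: {name}: {why}")
```
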