Bug 1861968

Summary: container.if duplicate definition errors when building policy module
Product: Red Hat Enterprise Linux 8
Reporter: Flos Qi Guo <qguo>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: low
Version: 8.2
CC: clong, kmoriguc, lvrabec, mmalik, ossman, plautrba, rmetrich, ssekidde
Target Milestone: rc
Keywords: Triaged
Target Release: 8.6
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-89.el8
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Clones: 2055890
Environment:
Last Closed: 2022-05-10 15:14:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2055890

Description Flos Qi Guo 2020-07-30 04:26:46 UTC
> Description of problem:
When trying to build a custom policy module with selinux devel package, lots of errors come out:

> Version-Release number of selected component (if applicable):
# rpm -qa | egrep 'selinux|container-selinux' | sort
container-selinux-2.135.0-1.module+el8.2.1+6849+893e4f4a.noarch
libselinux-2.9-3.el8.x86_64
libselinux-utils-2.9-3.el8.x86_64
python3-libselinux-2.9-3.el8.x86_64
rpm-plugin-selinux-4.14.2-10.el8_0.x86_64
selinux-policy-3.14.3-41.el8_2.5.noarch
selinux-policy-devel-3.14.3-41.el8_2.5.noarch
selinux-policy-targeted-3.14.3-41.el8_2.5.noarch

> How reproducible:
Always.

> Steps to Reproduce:
1. Create a custom type enforcement as follows:

# cat init_t_audit_control.te 

module init_t_audit_control 1.0;

require {
	type init_t;
	class capability audit_control;
}

#============= init_t ==============
allow init_t self:capability audit_control;

2. Compile it and get the errors:

# make -f /usr/share/selinux/devel/Makefile init_t_audit_control.pp
/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13.
/usr/share/selinux/devel/include/services/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40.
/usr/share/selinux/devel/include/services/container.if:60: Error: duplicate definition of container_runtime_exec(). Original definition on 60.
/usr/share/selinux/devel/include/services/container.if:79: Error: duplicate definition of container_read_state(). Original definition on 79.
/usr/share/selinux/devel/include/services/container.if:97: Error: duplicate definition of container_search_lib(). Original definition on 97.
/usr/share/selinux/devel/include/services/container.if:116: Error: duplicate definition of container_exec_lib(). Original definition on 116.
/usr/share/selinux/devel/include/services/container.if:135: Error: duplicate definition of container_read_lib_files(). Original definition on 135.
/usr/share/selinux/devel/include/services/container.if:154: Error: duplicate definition of container_read_share_files(). Original definition on 154.
/usr/share/selinux/devel/include/services/container.if:175: Error: duplicate definition of container_runtime_read_tmpfs_files(). Original definition on 175.
/usr/share/selinux/devel/include/services/container.if:196: Error: duplicate definition of container_manage_share_files(). Original definition on 196.
/usr/share/selinux/devel/include/services/container.if:217: Error: duplicate definition of container_manage_share_dirs(). Original definition on 217.
/usr/share/selinux/devel/include/services/container.if:237: Error: duplicate definition of container_exec_share_files(). Original definition on 237.
/usr/share/selinux/devel/include/services/container.if:255: Error: duplicate definition of container_manage_config_files(). Original definition on 255.
/usr/share/selinux/devel/include/services/container.if:274: Error: duplicate definition of container_manage_lib_files(). Original definition on 274.
/usr/share/selinux/devel/include/services/container.if:294: Error: duplicate definition of container_manage_files(). Original definition on 294.
/usr/share/selinux/devel/include/services/container.if:313: Error: duplicate definition of container_manage_dirs(). Original definition on 313.
/usr/share/selinux/devel/include/services/container.if:331: Error: duplicate definition of container_manage_lib_dirs(). Original definition on 331.
/usr/share/selinux/devel/include/services/container.if:367: Error: duplicate definition of container_lib_filetrans(). Original definition on 367.
/usr/share/selinux/devel/include/services/container.if:385: Error: duplicate definition of container_read_pid_files(). Original definition on 385.
/usr/share/selinux/devel/include/services/container.if:404: Error: duplicate definition of container_systemctl(). Original definition on 404.
/usr/share/selinux/devel/include/services/container.if:429: Error: duplicate definition of container_rw_sem(). Original definition on 429.
/usr/share/selinux/devel/include/services/container.if:448: Error: duplicate definition of container_append_file(). Original definition on 448.
/usr/share/selinux/devel/include/services/container.if:466: Error: duplicate definition of container_use_ptys(). Original definition on 466.
/usr/share/selinux/devel/include/services/container.if:484: Error: duplicate definition of container_filetrans_named_content(). Original definition on 484.
/usr/share/selinux/devel/include/services/container.if:543: Error: duplicate definition of container_stream_connect(). Original definition on 543.
/usr/share/selinux/devel/include/services/container.if:564: Error: duplicate definition of container_spc_stream_connect(). Original definition on 564.
/usr/share/selinux/devel/include/services/container.if:585: Error: duplicate definition of container_admin(). Original definition on 585.
/usr/share/selinux/devel/include/services/container.if:632: Error: duplicate definition of container_auth_domtrans(). Original definition on 632.
/usr/share/selinux/devel/include/services/container.if:651: Error: duplicate definition of container_auth_exec(). Original definition on 651.
/usr/share/selinux/devel/include/services/container.if:670: Error: duplicate definition of container_auth_stream_connect(). Original definition on 670.
/usr/share/selinux/devel/include/services/container.if:689: Error: duplicate definition of container_runtime_typebounds(). Original definition on 689.
/usr/share/selinux/devel/include/services/container.if:708: Error: duplicate definition of container_runtime_entrypoint(). Original definition on 708.
/usr/share/selinux/devel/include/services/container.if:715: Error: duplicate definition of docker_exec_lib(). Original definition on 715.
/usr/share/selinux/devel/include/services/container.if:719: Error: duplicate definition of docker_read_share_files(). Original definition on 719.
/usr/share/selinux/devel/include/services/container.if:723: Error: duplicate definition of docker_exec_share_files(). Original definition on 723.
/usr/share/selinux/devel/include/services/container.if:727: Error: duplicate definition of docker_manage_lib_files(). Original definition on 727.
/usr/share/selinux/devel/include/services/container.if:732: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 732.
/usr/share/selinux/devel/include/services/container.if:736: Error: duplicate definition of docker_lib_filetrans(). Original definition on 736.
/usr/share/selinux/devel/include/services/container.if:740: Error: duplicate definition of docker_read_pid_files(). Original definition on 740.
/usr/share/selinux/devel/include/services/container.if:744: Error: duplicate definition of docker_systemctl(). Original definition on 744.
/usr/share/selinux/devel/include/services/container.if:748: Error: duplicate definition of docker_use_ptys(). Original definition on 748.
/usr/share/selinux/devel/include/services/container.if:752: Error: duplicate definition of docker_stream_connect(). Original definition on 752.
/usr/share/selinux/devel/include/services/container.if:756: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 756.
/usr/share/selinux/devel/include/services/container.if:770: Error: duplicate definition of container_spc_read_state(). Original definition on 770.
/usr/share/selinux/devel/include/services/container.if:789: Error: duplicate definition of container_runtime_domain_template(). Original definition on 789.
/usr/share/selinux/devel/include/services/container.if:825: Error: duplicate definition of container_domain_template(). Original definition on 825.
/usr/share/selinux/devel/include/services/container.if:853: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 853.
Compiling targeted init_t_audit_control module
Creating targeted init_t_audit_control.pp policy package
rm tmp/init_t_audit_control.mod tmp/init_t_audit_control.mod.fc

> Actual results:
Building with errors. 

> Expected results:
No errors.

> Additional info:
Seems there's a similar bug on Fedora:
 - https://bugzilla.redhat.com/show_bug.cgi?id=1567980
Don't know whether it's related or not.

Comment 1 Renaud Métrich 2020-07-30 07:41:44 UTC
The issue is due to having 2 source files for the same definitions, e.g.:

# grep -rw container_runtime_domtrans /usr/share/selinux/devel/include | grep if:interface
/usr/share/selinux/devel/include/services/container.if:interface(`container_runtime_domtrans',`
/usr/share/selinux/devel/include/contrib/container.if:interface(`container_runtime_domtrans',`


# rpm -qf /usr/share/selinux/devel/include/services/container.if /usr/share/selinux/devel/include/contrib/container.if
container-selinux-2.135.0-1.module+el8.2.1+6849+893e4f4a.noarch
selinux-policy-devel-3.14.3-41.el8_2.5.noarch

--> 2 packages ship the identical files in different locations.

Comment 2 Zdenek Pytela 2020-08-04 14:45:36 UTC
I can confirm there is a conflict:

  # grep -r 'interface(`container_runtime_domtrans' /usr/share/selinux/devel/include/
/usr/share/selinux/devel/include/contrib/container.if:interface(`container_runtime_domtrans',`
/usr/share/selinux/devel/include/services/container.if:interface(`container_runtime_domtrans',`

  # rpm -qf /usr/share/selinux/devel/include/services/container.if /usr/share/selinux/devel/include/contrib/container.if
container-selinux-2.142.0-1.module+el8.3.0+7472+edf95ef7.noarch
selinux-policy-devel-3.14.3-49.el8.noarch

The message seems to be harmless though.
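The grep in Comment 1 and Comment 2 checks one interface by hand; the script below is an added example (not from the bug thread or either package) that generalizes it, scanning a devel include tree for every `interface()`/`template()` name defined in more than one `.if` file, which is the condition that produces the "duplicate definition" errors. The `demo_tree` function builds a constructed sample tree under `mktemp -d` so it runs offline; point `find_duplicate_interfaces` at `/usr/share/selinux/devel/include` on a real system.

```shell
#!/bin/sh
# Added example, not from the bug report: list SELinux interface/template
# names defined in more than one .if file under a devel include tree.
# Usage: find_duplicate_interfaces /usr/share/selinux/devel/include
find_duplicate_interfaces() {
    dir="$1"
    # grep -H prefixes each match with its file; sort makes output stable.
    find "$dir" -name '*.if' \
        -exec grep -HE '^(interface|template)\(`[A-Za-z0-9_]+'"'"',' {} + \
    | sort \
    | awk '{
        i = index($0, ":")
        file = substr($0, 1, i - 1)
        name = substr($0, i + 1)
        sub(/^(interface|template)\(`/, "", name)   # drop the macro prefix
        sub(/'"'"'.*$/, "", name)                     # drop everything after the name
        if (!((name, file) in seen)) {
            seen[name, file] = 1
            count[name]++
            files[name] = files[name] " " file
        }
      }
      END { for (n in count) if (count[n] > 1) print n ":" files[n] }' \
    | sort
}

# Constructed sample tree mirroring the conflict in the bug: the same
# interface shipped under both contrib/ and services/.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/contrib" "$d/services"
    cat > "$d/contrib/container.if" <<'EOF'
interface(`container_runtime_domtrans',`
	gen_require(`
		type container_runtime_t, container_runtime_exec_t;
	')
	domtrans_pattern($1, container_runtime_exec_t, container_runtime_t)
')
EOF
    cat > "$d/services/container.if" <<'EOF'
interface(`container_runtime_domtrans',`
	gen_require(`
		type container_runtime_t, container_runtime_exec_t;
	')
	domtrans_pattern($1, container_runtime_exec_t, container_runtime_t)
')
interface(`container_only_here',`
')
EOF
    echo "$d"
}

find_duplicate_interfaces "$(demo_tree)"
```

Each output line names a duplicated interface followed by every file that defines it; an empty output means the include tree is consistent.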

Comment 17 errata-xmlrpc 2022-05-10 15:14:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995