Bug 2136212

Summary: Current libsepol 3.4-1.1 version issue with SEuser defintions within policy modules
Product: Red Hat Enterprise Linux 9 Reporter: Hubert Quarantel-Colombani <hubert.quarantel>
Component: libsepolAssignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: 9.1CC: gchamoul, laurent.gaillard, lvrabec, mmalik, plautrba, vmojzis
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libsepol-3.4-3.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-09 08:15:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Hubert Quarantel-Colombani 2022-10-19 15:30:57 UTC 
Description of problem:

Versions 3.4 of libsepol prior to commit https://github.com/SELinuxProject/selinux/commit/88a703399f3f44be2502fd4ecd22ac3d3c560694 of June 15th (2022) will have a serious problem with SELinux policy modules containing SEuser definitions: source code won't compile.

Version-Release number of selected component (if applicable):
3.4-1.1

How reproducible:

Compilation/packaging of source code will fail 100% of times at the semodule_package stage (either using the Makefile from selinux-policy-devel or using checkmodule and semodule_package commands)

Steps to Reproduce:
1. Create a simple policy module source file foo.te like:
   module foo 0.0.1;
   require {
     role staff_r;
     sensitivity s0;
     category c0;
     category c1023;
   }
   user foo_u roles staff_r level s0 range s0 - s0:c0.c1023;
2. Compile this code to foo.mod file using the checkmodule command: OK
3. Finalise the module with the semodule_package command: not OK

Actual results:

The semodule_package command crashes with error message:
   libsepol.validate_user_datum: Invalid user datum
   libsepol.validate_datum_array_entries: Invalid datum array entries
   libsepol.validate_policydb: Invalid policydb
   /usr/bin/semodule_package:  Error while reading policy module from foo.mod

Expected results:

foo.pp binary file created and module can be loaded using semodule command.


Additional info:

Issue was fixed on the master branch of libsepol by commit 88a703399f3f44be2502fd4ecd22ac3d3c560694
Comment 1 Laurent Gaillard 2022-10-20 14:38:53 UTC 
Hi,

I gave it a try downloading the source code zip file from https://github.com/SELinuxProject/selinux and compiling it on RHEL 9.1 Beta.

After replacing userspace SELinux components (followed README file to compile and install), I was able to compile the SELinux Policy module source code with no errors and load it with "semodule -i" command:

   module foo 0.0.1;
   require {
     role staff_r;
     sensitivity s0;
     category c0;
     category c1023;
   }
   user foo_u roles staff_r level s0 range s0 - s0:c0.c1023;

Hope it can help.
Comment 2 Petr Lautrbach 2022-10-21 07:51:31 UTC 
We appreciate you taking the time to submit a report, provide a reproducer, and provide hints. We will begin working on this immediately.
Comment 3 Petr Lautrbach 2022-10-21 09:15:33 UTC 
https://gitlab.com/redhat/centos-stream/rpms/libsepol/-/merge_requests/9
Comment 11 errata-xmlrpc 2023-05-09 08:15:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libsepol bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2480