Bug 2136212

Summary:	Current libsepol 3.4-1.1 version issue with SEuser defintions within policy modules
Product:	Red Hat Enterprise Linux 9	Reporter:	Hubert Quarantel-Colombani <hubert.quarantel>
Component:	libsepol	Assignee:	Petr Lautrbach <plautrba>
Status:	VERIFIED ---	QA Contact:	Milos Malik <mmalik>
Severity:	high	Docs Contact:
Priority:	high
Version:	9.1	CC:	gchamoul, laurent.gaillard, lvrabec, mmalik, plautrba, vmojzis
Target Milestone:	rc	Keywords:	Triaged
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	libsepol-3.4-3.el9	Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Hubert Quarantel-Colombani 2022-10-19 15:30:57 UTC

Description of problem:

Versions 3.4 of libsepol prior to commit https://github.com/SELinuxProject/selinux/commit/88a703399f3f44be2502fd4ecd22ac3d3c560694 of June 15th (2022) will have a serious problem with SELinux policy modules containing SEuser definitions: source code won't compile.

Version-Release number of selected component (if applicable):
3.4-1.1

How reproducible:

Compilation/packaging of source code will fail 100% of times at the semodule_package stage (either using the Makefile from selinux-policy-devel or using checkmodule and semodule_package commands)

Steps to Reproduce:
1. Create a simple policy module source file foo.te like:
   module foo 0.0.1;
   require {
     role staff_r;
     sensitivity s0;
     category c0;
     category c1023;
   }
   user foo_u roles staff_r level s0 range s0 - s0:c0.c1023;
2. Compile this code to foo.mod file using the checkmodule command: OK
3. Finalise the module with the semodule_package command: not OK

Actual results:

The semodule_package command crashes with error message:
   libsepol.validate_user_datum: Invalid user datum
   libsepol.validate_datum_array_entries: Invalid datum array entries
   libsepol.validate_policydb: Invalid policydb
   /usr/bin/semodule_package:  Error while reading policy module from foo.mod

Expected results:

foo.pp binary file created and module can be loaded using semodule command.


Additional info:

Issue was fixed on the master branch of libsepol by commit 88a703399f3f44be2502fd4ecd22ac3d3c560694

Comment 1 Laurent Gaillard 2022-10-20 14:38:53 UTC

Hi,

I gave it a try downloading the source code zip file from https://github.com/SELinuxProject/selinux and compiling it on RHEL 9.1 Beta.

After replacing userspace SELinux components (followed README file to compile and install), I was able to compile the SELinux Policy module source code with no errors and load it with "semodule -i" command:

   module foo 0.0.1;
   require {
     role staff_r;
     sensitivity s0;
     category c0;
     category c1023;
   }
   user foo_u roles staff_r level s0 range s0 - s0:c0.c1023;

Hope it can help.

Comment 2 Petr Lautrbach 2022-10-21 07:51:31 UTC

We appreciate you taking the time to submit a report, provide a reproducer, and provide hints. We will begin working on this immediately.

Comment 3 Petr Lautrbach 2022-10-21 09:15:33 UTC

https://gitlab.com/redhat/centos-stream/rpms/libsepol/-/merge_requests/9