Bug 1058470 - Policy modules created by audit2allow can't be loaded
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 20
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-01-27 20:59 UTC by Alan Stern
Modified: 2014-02-21 21:26 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-02-21 21:26:36 UTC
Type: Bug
Embargoed:


Attachments
AVC violations extracted from journalctl for sshd (8.51 KB, text/plain)
2014-01-27 20:59 UTC, Alan Stern

Description Alan Stern 2014-01-27 20:59:05 UTC
Created attachment 856258 [details]
AVC violations extracted from journalctl for sshd

Description of problem:
An SELinux module package created by audit2allow can't be loaded.  semodule -i fails, claiming that the module contains a duplicate declaration of nsplugin_rw_t.

Version-Release number of selected component (if applicable):
policycoreutils-2.2.5-1.fc20.i686
policycoreutils-python-2.2.5-1.fc20.i686

How reproducible:
Always

Steps to Reproduce:
(sshd-avc is attached to the bug report)
1. audit2allow -i sshd-avc -M sshdAS
2. semodule -i sshdAS.pp

Actual results:
# semodule -i sshdAS.pp
libsepol.scope_copy_callback: nsplugin: Duplicate declaration in module: type/attribute nsplugin_rw_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

Expected results:
The module should have been loaded into the kernel.

Additional info:
Note that I am not running sshd from the sshd.service script in the usual way.

The sshdAS.te file generated by audit2allow says:

module sshdAS 1.0;

require {
        type sshd_t;
        type initrc_t;
        class tcp_socket { getopt getattr setopt };
}

#============= sshd_t ==============
allow sshd_t initrc_t:tcp_socket { getopt getattr setopt };

Comment 1 Daniel Walsh 2014-02-14 17:25:56 UTC
As root execute

semodule -r nsplugin

This should have been removed on an update.


Also could you execute

rpm -qf /etc/selinux/targeted/modules/active/modules/*.pp| grep "not owned"

To see if you have any other old policy modules.
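The triage in this comment (find .pp files in the module store that no package owns, and match them against the module named in the semodule link error) as an added Python helper; this is not part of the bug report or of policycoreutils, and the rpm and semodule text it parses is constructed sample input in the formats shown on this page:

```python
import re

# Constructed sample in the format of `rpm -qf .../modules/*.pp | grep "not owned"`.
RPM_QF_OUTPUT = """\
file /etc/selinux/targeted/modules/active/modules/nsplugin.pp is not owned by any package
file /etc/selinux/targeted/modules/active/modules/qemu.pp is not owned by any package
"""

# Constructed sample in the format of the `semodule -i` failure from the report.
SEMODULE_STDERR = """\
libsepol.scope_copy_callback: nsplugin: Duplicate declaration in module: type/attribute nsplugin_rw_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
"""

# "file <path>/<name>.pp is not owned by any package"
UNOWNED_RE = re.compile(r"^file \S+/(?P<name>[^/\s]+)\.pp is not owned by any package$")
# "libsepol.scope_copy_callback: <module>: Duplicate declaration in module: <kind> <symbol>"
DUP_RE = re.compile(r"^libsepol\.scope_copy_callback: (?P<module>[^:\s]+): "
                    r"Duplicate declaration in module: (?P<kind>\S+) (?P<symbol>\S+)$")


def stale_modules(rpm_qf_output):
    """Names of modules whose .pp file in the active store is not owned by any rpm package."""
    return [m.group("name") for m in
            (UNOWNED_RE.match(line.strip()) for line in rpm_qf_output.splitlines()) if m]


def duplicate_declarations(semodule_stderr):
    """(module, kind, symbol) for every duplicate-declaration error semodule printed."""
    return [(m.group("module"), m.group("kind"), m.group("symbol")) for m in
            (DUP_RE.match(line.strip()) for line in semodule_stderr.splitlines()) if m]


def triage(rpm_qf_output, semodule_stderr):
    """Return (stale, unexplained).

    stale: unowned modules left behind by an upgrade, the ones `semodule -r` can drop.
    unexplained: modules named in a duplicate-declaration error that ARE still owned
    by a package; removing those by hand is not the fix, the owning package is.
    """
    stale = stale_modules(rpm_qf_output)
    conflicting = {mod for mod, _, _ in duplicate_declarations(semodule_stderr)}
    return stale, sorted(conflicting - set(stale))


def removal_command(rpm_qf_output):
    """The `semodule -r` argv that removes all stale modules, or None if there are none."""
    stale = stale_modules(rpm_qf_output)
    return ["semodule", "-r", *stale] if stale else None
```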

Comment 2 Alan Stern 2014-02-14 21:25:46 UTC
In an attempt to straighten things out, I uninstalled and reinstalled the selinux-policy and selinux-policy-targeted packages.  The machine has not been rebooted since the reinstallation, so it is currently running with selinux disabled.  I won't be able to reboot it or remove the nsplugin module until next week.

In the meanwhile, that rpm command gives:

file /etc/selinux/targeted/modules/active/modules/nsplugin.pp is not owned by any package
file /etc/selinux/targeted/modules/active/modules/qemu.pp is not owned by any package

Comment 3 Miroslav Grepl 2014-02-17 07:50:57 UTC
Did you do an upgrade to F20?

Comment 4 Alan Stern 2014-02-17 14:40:56 UTC
There is no need to add my name to the CC list.  Since I am the bug reporter, all the transactions are copied to me anyway.

Yes, I did an upgrade from F18 directly to F20.

Comment 5 Daniel Walsh 2014-02-18 15:17:11 UTC
Alan, remove those two files.  And then policy should work fine.

Comment 6 Daniel Walsh 2014-02-18 15:21:30 UTC
commit 0474cb579e07b7baf30dfe5b03019e11a6ea64c2 in git to the selinux-policy.spec file will make sure these two modules are removed on upgrades.

Comment 7 Alan Stern 2014-02-18 20:59:38 UTC
I ran "semodule -r nsplugin qemu", and that has fixed the problem.  Thanks for the help.

PS: Daniel, I may want to ask you a few more questions about selinux, things that aren't really bugzilla material.  Will it be okay to email you questions directly?

Comment 8 Daniel Walsh 2014-02-21 21:26:36 UTC
Everyone else does.  :^)

