Bug 1371849 - Problem installing local policy
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: libsemanage
Version: 24
Hardware: x86_64
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-08-31 09:19 UTC by Michael Lipp
Modified: 2016-08-31 15:12 UTC (History)

Last Closed: 2016-08-31 15:12:43 UTC
Type: Bug


Attachments
pp-file (1.10 KB, application/octet-stream)
2016-08-31 09:19 UTC, Michael Lipp
te-file (305 bytes, text/plain)
2016-08-31 11:21 UTC, Michael Lipp
Session log (19.62 KB, text/plain)
2016-08-31 11:48 UTC, Michael Lipp

Description Michael Lipp 2016-08-31 09:19:05 UTC
Created attachment 1196270
pp-file

Description of problem:

Printing fails because the brother driver needs execmem. Following the instructions from the journal to enable this permanently I did:

$ ausearch -c 'brcupsconfpt1' --raw | audit2allow -M my-brcupsconfpt1 # works
$ semodule -X 300 -i my-brcupsconfpt1.pp # fails with:

libsemanage.semanage_direct_get_module_info: Unable to read mypol module lang ext file.
libsemanage.semanage_direct_get_module_info: Unable to read mypol module lang ext file.
libsemanage.semanage_direct_get_module_info: Unable to read mypol module lang ext file.
semodule:  Failed on my-brcupsconfpt1.pp!


How reproducible:

Always

Steps to Reproduce: (see above)

Expected results:

Installed policy

Additional info: pp-file attached

Comment 1 Daniel Walsh 2016-08-31 10:55:22 UTC
Does this work if you don't use the '-'

$ ausearch -c 'brcupsconfpt1' --raw | audit2allow -M mybrcupsconfpt1
$ semodule -X 300 -i mybrcupsconfpt1.pp

Comment 2 Michael Lipp 2016-08-31 10:59:01 UTC
(In reply to Daniel Walsh from comment #1)
> Does this work if you don't use the '-'
> 
> $ ausearch -c 'brcupsconfpt1' --raw | audit2allow -M mybrcupsconfpt1
> $ semodule -X 300 -i mybrcupsconfpt1.pp

Don't get that. Which dash am I supposed to leave out? May be my fault, but to me the lines that you propose look exactly like the ones I used.

Comment 3 Daniel Walsh 2016-08-31 11:02:38 UTC
You did my-brcupsconfpt1; I am saying try mybrcupsconfpt1.

Comment 4 Michael Lipp 2016-08-31 11:07:25 UTC
Ah sorry, I was looking at the option's dashes only. 

Well, doesn't change anything (would have been quite strange programming if it had).

Comment 5 Daniel Walsh 2016-08-31 11:14:55 UTC
Just to make sure, you executed both commands?  The audit2allow embeds the name my-brcupsconfpt1 in the te file and I am not sure "-" is legal there.  But that was just a guess what is going on.

Attaching the generated te file would probably be helpful

Comment 6 Michael Lipp 2016-08-31 11:21:20 UTC
(In reply to Daniel Walsh from comment #5)
> Just to make sure, you executed both commands?
Yes, I copy-pasted and executed them both.
  
> The audit2allow embeds the
> name my-brcupsconfpt1 in the te file and I am not sure "-" is legal there.
Now I see.

> Attaching the generated te file would probably be helpful
Attaching...

Comment 7 Michael Lipp 2016-08-31 11:21:53 UTC
Created attachment 1196310
te-file

Comment 8 Petr Lautrbach 2016-08-31 11:29:45 UTC
- is legal here and with the attached module semodule works for me:

$ sudo semodule -X 300 -i my-brcupsconfpt1.pp                                                               
$ sudo semodule -lfull | grep my-brcupsconfpt1
300 my-brcupsconfpt1        pp         

It looks like you have a module called 'mypol' and this module has a corrupted hll file in the store.

This command should fix it:

$ sudo semodule -d mypol


But for the record please run these commands and attach the output:

# semodule -lfull | grep mypol

# for module_path in `find /var/lib/selinux/targeted/active/modules -name mypol`; do  echo $module_path; ls $module_path; cat $module_path/hll; done

Comment 9 Petr Lautrbach 2016-08-31 11:31:21 UTC
Could you please also attach the output of:

# ausearch -c 'brcupsconfpt1' --raw

and the full setroubleshoot analysis?

Comment 10 Petr Lautrbach 2016-08-31 11:33:30 UTC
(In reply to Petr Lautrbach from comment #8)
> 
> # for module_path in `find /var/lib/selinux/targeted/active/modules -name
> mypol`; do  echo $module_path; ls $module_path; cat $module_path/hll; done

Instead of cat hll, use cat lang_ext:

for module_path in `find /var/lib/selinux/targeted/active/modules -name mypol`; do  echo $module_path; ls $module_path; cat $module_path/lang_ext; done

Comment 11 Michael Lipp 2016-08-31 11:48:25 UTC
Created attachment 1196324
Session log

I executed the commands (see attachments). It seems that I cannot get rid of mypol with `semodule -d mypol` due to the faulty mypol, too sad. Is there another way to get rid of it?

Comment 12 Petr Lautrbach 2016-08-31 12:06:26 UTC
You can try to remove the module using: 

# semodule -r mypol

and if it fails you can try to remove the directory from the store directly:

# mv /var/lib/selinux/targeted/active/modules/400/mypol /tmp
# semodule -B

Comment 13 Petr Lautrbach 2016-08-31 12:10:28 UTC
Or you can try to replace /var/lib/selinux/targeted/active/modules/400/mypol/lang_ext file using another lang_ext file from other module, e.g.

# cp /var/lib/selinux/targeted/active/modules/100/ssh/lang_ext /var/lib/selinux/targeted/active/modules/400/mypol/lang_ext
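
The per-module check from comments 8 and 10, generalized into a read-only scan of the whole store (an added example, not part of the original thread and not libsemanage code). It assumes the `<store>/<priority>/<module>/lang_ext` layout seen in the paths above; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list modules in an SELinux module store whose lang_ext file
# is missing, unreadable or empty.
# Assumption: layout <store>/<priority>/<module>/lang_ext, as in the thread's paths.
STORE_DEFAULT=/var/lib/selinux/targeted/active/modules

# check_lang_ext MODULE_DIR -> prints ok | missing | unreadable | empty
check_lang_ext() {
    f="$1/lang_ext"
    if [ ! -e "$f" ]; then echo missing
    elif [ ! -r "$f" ]; then echo unreadable
    elif [ ! -s "$f" ]; then echo empty
    else echo ok
    fi
}

# scan_store [STORE] -> one line per suspect module: "<priority> <module> <state>"
scan_store() {
    store="${1:-$STORE_DEFAULT}"
    if [ ! -d "$store" ] || [ ! -r "$store" ]; then
        echo "cannot read $store (run as root?)" >&2
        return 2
    fi
    for dir in "$store"/*/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        dir="${dir%/}"
        state=$(check_lang_ext "$dir")
        if [ "$state" != ok ]; then
            echo "$(basename "$(dirname "$dir")") $(basename "$dir") $state"
        fi
    done
    return 0
}

# make_sample_store -> path of a constructed store (sample data, not real policy)
make_sample_store() {
    s=$(mktemp -d)
    mkdir -p "$s/100/ssh" "$s/300/demo_missing" "$s/400/demo_empty"
    printf 'pp' > "$s/100/ssh/lang_ext"   # healthy module
    : > "$s/400/demo_empty/lang_ext"      # zero-length lang_ext
    echo "$s"                             # 300/demo_missing has no lang_ext
}

# With an argument, scan that store; without one, scan the constructed sample.
if [ "$#" -gt 0 ]; then
    scan_store "$1"
else
    sample=$(make_sample_store) && scan_store "$sample" && rm -rf "$sample"
fi
```

Run as root with the real store path as the argument; any module it reports is a candidate for `semodule -r` or the manual removal described in comment 12.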

Comment 14 Michael Lipp 2016-08-31 15:12:43 UTC
Removing the files the hard way finally worked and fixed the issue. "mypol" wasn't important. I assume I generated it in much the same way in response to a journal entry as I tried to do this time.

Thank you very much for your help.

