Trying to build a third party policy module using the selinux devel package results in these errors from the core interfaces: /usr/share/selinux/devel/include/contrib/container.if:14: Error: duplicate definition of container_runtime_domtrans(). Original definition on 14. /usr/share/selinux/devel/include/contrib/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40. /usr/share/selinux/devel/include/contrib/container.if:60: Error: duplicate definition of container_runtime_exec(). Original definition on 60. /usr/share/selinux/devel/include/contrib/container.if:79: Error: duplicate definition of container_read_state(). Original definition on 79. /usr/share/selinux/devel/include/contrib/container.if:97: Error: duplicate definition of container_search_lib(). Original definition on 97. /usr/share/selinux/devel/include/contrib/container.if:116: Error: duplicate definition of container_exec_lib(). Original definition on 116. /usr/share/selinux/devel/include/contrib/container.if:135: Error: duplicate definition of container_read_lib_files(). Original definition on 135. /usr/share/selinux/devel/include/contrib/container.if:154: Error: duplicate definition of container_read_share_files(). Original definition on 154. /usr/share/selinux/devel/include/contrib/container.if:176: Error: duplicate definition of container_exec_share_files(). Original definition on 176. /usr/share/selinux/devel/include/contrib/container.if:194: Error: duplicate definition of container_manage_lib_files(). Original definition on 194. /usr/share/selinux/devel/include/contrib/container.if:214: Error: duplicate definition of container_manage_files(). Original definition on 214. /usr/share/selinux/devel/include/contrib/container.if:233: Error: duplicate definition of container_manage_dirs(). Original definition on 233. /usr/share/selinux/devel/include/contrib/container.if:251: Error: duplicate definition of container_manage_lib_dirs(). Original definition on 251. /usr/share/selinux/devel/include/contrib/container.if:287: Error: duplicate definition of container_lib_filetrans(). Original definition on 287. /usr/share/selinux/devel/include/contrib/container.if:305: Error: duplicate definition of container_read_pid_files(). Original definition on 305. /usr/share/selinux/devel/include/contrib/container.if:324: Error: duplicate definition of container_systemctl(). Original definition on 324. /usr/share/selinux/devel/include/contrib/container.if:349: Error: duplicate definition of container_rw_sem(). Original definition on 349. /usr/share/selinux/devel/include/contrib/container.if:367: Error: duplicate definition of container_use_ptys(). Original definition on 367. /usr/share/selinux/devel/include/contrib/container.if:385: Error: duplicate definition of container_filetrans_named_content(). Original definition on 385. /usr/share/selinux/devel/include/contrib/container.if:431: Error: duplicate definition of container_stream_connect(). Original definition on 431. /usr/share/selinux/devel/include/contrib/container.if:452: Error: duplicate definition of container_spc_stream_connect(). Original definition on 452. /usr/share/selinux/devel/include/contrib/container.if:473: Error: duplicate definition of container_admin(). Original definition on 473. /usr/share/selinux/devel/include/contrib/container.if:520: Error: duplicate definition of container_auth_domtrans(). Original definition on 520. /usr/share/selinux/devel/include/contrib/container.if:539: Error: duplicate definition of container_auth_exec(). Original definition on 539. /usr/share/selinux/devel/include/contrib/container.if:558: Error: duplicate definition of container_auth_stream_connect(). Original definition on 558. /usr/share/selinux/devel/include/contrib/container.if:577: Error: duplicate definition of container_runtime_typebounds(). Original definition on 577. /usr/share/selinux/devel/include/contrib/container.if:596: Error: duplicate definition of container_runtime_entrypoint(). Original definition on 596. /usr/share/selinux/devel/include/contrib/container.if:603: Error: duplicate definition of docker_exec_lib(). Original definition on 603. /usr/share/selinux/devel/include/contrib/container.if:607: Error: duplicate definition of docker_read_share_files(). Original definition on 607. /usr/share/selinux/devel/include/contrib/container.if:611: Error: duplicate definition of docker_exec_share_files(). Original definition on 611. /usr/share/selinux/devel/include/contrib/container.if:615: Error: duplicate definition of docker_manage_lib_files(). Original definition on 615. /usr/share/selinux/devel/include/contrib/container.if:620: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 620. /usr/share/selinux/devel/include/contrib/container.if:624: Error: duplicate definition of docker_lib_filetrans(). Original definition on 624. /usr/share/selinux/devel/include/contrib/container.if:628: Error: duplicate definition of docker_read_pid_files(). Original definition on 628. /usr/share/selinux/devel/include/contrib/container.if:632: Error: duplicate definition of docker_systemctl(). Original definition on 632. /usr/share/selinux/devel/include/contrib/container.if:636: Error: duplicate definition of docker_use_ptys(). Original definition on 636. /usr/share/selinux/devel/include/contrib/container.if:640: Error: duplicate definition of docker_stream_connect(). Original definition on 640. /usr/share/selinux/devel/include/contrib/container.if:644: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 644. /usr/share/selinux/devel/include/contrib/container.if:658: Error: duplicate definition of container_spc_read_state(). Original definition on 658. /usr/share/selinux/devel/include/contrib/container.if:677: Error: duplicate definition of container_domain_template(). Original definition on 677. /usr/share/selinux/devel/include/contrib/container.if:706: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 706. selinux-policy-devel-3.13.1-283.30.fc27.noarch
THis is not a bug. What is happening here is the selinux-policy is shipping its own container.if so that third parties can use it to compile against. When you build container-selinux from scratch you also get a version of contianer.if and their compiler is just pointing out this fact. The compiler will use the local container.if, rather then the selinux-policy-targeted version.
This only happens if container-selinux and selinux-policy-devel are installed at the same time. They're shipping identical container.if in two different locations. I'd argue this is a bug in container-selinux package. There should be only one container.if. $ rpm -qf /usr/share/selinux/devel/include/services/container.if container-selinux-2.123.0-2.fc31.noarch $ rpm -qf /usr/share/selinux/devel/include/contrib/container.if selinux-policy-devel-3.14.4-43.fc31.noarch $ sha512sum /usr/share/selinux/devel/include/services/container.if /usr/share/selinux/devel/include/contrib/container.if f6987ed181c24b7de0aacf4c3dd9e5b07d906df7ed87157290656e0f4c6a6663ff87b7ccb8a38ccd90c4778950fed4e50204d5458b57534aaba2c5a5b708cd3b /usr/share/selinux/devel/include/services/container.if f6987ed181c24b7de0aacf4c3dd9e5b07d906df7ed87157290656e0f4c6a6663ff87b7ccb8a38ccd90c4778950fed4e50204d5458b57534aaba2c5a5b708cd3b /usr/share/selinux/devel/include/contrib/container.if
The container.if that is in selinux-policy is the downstream of container-selinux. Now whether or not it should be carried, is up to the selinux-policy maintainers. I do not know how often it is copied from the upstream. It is needed so that if policy packages in the selinux-policy package use container interfaces, it will compile.
We're taking the latest version of container.if file from container-selinux with every build of selinux-policy. It should be fixed with the next build of selinux-policy.
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-397eea28b7
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
The problem persists in Fedora 33. $ rpm -qa selinux-policy selinux-policy-3.14.6-36.fc33.noarch $ rpm -qa selinux-policy-devel selinux-policy-devel-3.14.6-36.fc33.noarch $ rpm -qa container-selinux container-selinux-2.158.0-1.fc33.noarch