Bug 1801249 - some policy interfaces cannot be compiled
Summary: some policy interfaces cannot be compiled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.5
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-02-10 14:02 UTC by Milos Malik
Modified: 2021-11-10 08:25 UTC (History)

Fixed In Version: selinux-policy-3.14.3-69.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-09 19:42:28 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:4420 0 None None None 2021-11-09 19:42:56 UTC

Description Milos Malik 2020-02-10 14:02:02 UTC
Description of problem:
The following interfaces cannot be compiled: cron_role, cron_unconfined_role, cron_admin_role, rpm_named_filetrans.

Version-Release number of selected component (if applicable):
selinux-policy-devel-3.14.3-38.el8.noarch
selinux-policy-3.14.3-38.el8.noarch
selinux-policy-targeted-3.14.3-38.el8.noarch

How reproducible:
 * always

Steps to Reproduce:
# sepolicy interface -c -i cron_unconfined_role
Compiling cron_unconfined_role interface
Compiling targeted compiletest module
compiletest.te:43:ERROR 'unknown type sepolicy_domain_t_t' at token ';' on line 4423:
#line 43
	typeattribute sepolicy_domain_t_t crontab_domain;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1
Compile test for cron_unconfined_role failed.
#

Actual results:
 * failed compilation

Expected results:
 * successful compilation

Comment 2 Milos Malik 2020-08-17 15:54:51 UTC
The automated TC revealed the following problems when testing the selinux-policy 3.14.3-51.el8 packages on RHEL-8.3:

Compile test for container_filetrans_named_content failed.
Compile test for cron_admin_role failed.
Compile test for cron_role failed.
Compile test for cron_unconfined_role failed.
Compile test for rpm_named_filetrans failed.

Comment 4 Milos Malik 2020-10-02 12:29:01 UTC
Compilation of interfaces cron_role, cron_admin_role, cron_unconfined_role leads to the same error message:

compiletest.te:43:ERROR 'unknown type sepolicy_domain_t_t' at token ';' on line 4427:
#line 43
	typeattribute sepolicy_domain_t_t crontab_domain;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1

But the remaining 2 interfaces produce different errors:

# sepolicy interface -c -i rpm_named_filetrans
Compiling rpm_named_filetrans interface
Compiling targeted compiletest module
compiletest.te:43:ERROR 'unknown type rpm_var_cache_t used in transition definition' at token ';' on line 4595:
	type_transition sepolicy_domain_t var_t:dir rpm_var_cache_t "dnf";
#line 43
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1
Compile test for rpm_named_filetrans failed.

# sepolicy interface -c -i container_filetrans_named_content
Compiling container_filetrans_named_content interface
Compiling targeted compiletest module
compiletest.te:43:ERROR 'unknown type container_kvm_var_run_t used in transition definition' at token ';' on line 4731:
	type_transition sepolicy_domain_t var_run_t:dir container_kvm_var_run_t "kata-containers";
#line 43
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1
Compile test for container_filetrans_named_content failed.

Comment 6 Zdenek Pytela 2021-02-24 19:30:02 UTC
Fixed in rawhide:
commit b7b77904e0a165fc3ef54fe8c6f12405261c47b5 (HEAD -> rawhide, upstream/rawhide, upstream-rw/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed Feb 24 19:45:15 2021 +0100

    Add missing declaration in rpm_named_filetrans()

    In the rpm_named_filetrans() interface, the rpm_var_cache_t type was
    used, but not previously declared.

    As a result, the interface test compile failed using sepolicy-interface:

    $ sepolicy interface -c -i rpm_named_filetrans
    Compiling rpm_named_filetrans interface
    Compiling targeted compiletest module
    compiletest.te:43:ERROR 'unknown type rpm_var_cache_t used in transition definition' at token ';' on line 4641:
            type_transition sepolicy_domain_t var_t:dir rpm_var_cache_t "dnf";
    /usr/bin/checkmodule:  error(s) encountered while parsing configuration
    make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1
    Compile test for rpm_named_filetrans failed.

    Resolves: rhbz#1801249

commit 62db6d0b9fef710c6b186490861f6e816d2fa139
Author: Zdenek Pytela <zpytela>
Date:   Wed Feb 24 19:00:22 2021 +0100

    Change param description in cron interfaces to userdomain_prefix

    In the cron_role(), cron_unconfined_role(), and cron_admin_role()
    interfaces the second parameter name was incorrectly stated as "domain"
    while it should rather be "userdomain_prefix". As an example, "user" is
    the userdomain prefix for the "user_t" domain.

    As a result, test compile of these interfaces failed using sepolicy-interface:

    $ sepolicy interface -c -i cron_unconfined_role
    Compiling cron_unconfined_role interface
    Compiling targeted compiletest module
    compiletest.te:43:ERROR 'unknown type sepolicy_domain_t_t' at token ';' on line 4423:
            typeattribute sepolicy_domain_t_t crontab_domain;
    /usr/bin/checkmodule:  error(s) encountered while parsing configuration
    make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1
    Compile test for cron_unconfined_role failed.

    Resolves: rhbz#1801249
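
Added example (not part of the bug report, the commits, or sepolicy): a small static check for the two defect classes fixed above, a parameter used as `$N_t` whose documented name does not mark it as a prefix, and a concrete type used outside `gen_require` without being declared in it. The policy snippet is constructed for illustration, the names `lint` and `check_interface` are hypothetical, and the "documented name contains 'prefix'" rule is a heuristic assumption.

```python
import re

# Constructed sample modelled on the two defects in this bug; not the shipped policy source.
# lint() and check_interface() are illustrative names, not part of sepolicy.
SAMPLE_IF = """\
## <param name="role">
## <param name="domain">
interface(`cron_role',`
    gen_require(`
        attribute crontab_domain;
    ')
    typeattribute $2_t crontab_domain;
')
## <param name="domain">
interface(`rpm_named_filetrans',`
    gen_require(`
        type rpm_log_t;
    ')
    files_var_filetrans($1, rpm_var_cache_t, dir, "dnf")
')
"""
PARAM_RE = re.compile(r'^##\s*<param name="(\w+)"', re.M)
BLOCK_RE = re.compile(r"((?:^##[^\n]*\n)*)^interface\(`(\w+)',`\n(.*?)^'\)", re.M | re.S)
REQUIRE_RE = re.compile(r"gen_require\(`(.*?)'\)", re.S)
DECL_RE = re.compile(r"\b(?:type|attribute)\s+([^;]+);")
TYPE_RE = re.compile(r"(?<![\w$])[a-z]\w*_t\b")   # concrete type names, not $N_t
PREFIX_RE = re.compile(r"\$(\d)_t\b")              # parameter used as a type-name prefix

def check_interface(name, params, body):
    findings = []
    # Check 1: "$N_t" means parameter N is a prefix, so its documented name must say so.
    for n in sorted(set(PREFIX_RE.findall(body))):
        doc = params[int(n) - 1] if int(n) <= len(params) else "<undocumented>"
        if "prefix" not in doc:
            findings.append((name, "param-doc", f"${n}_t used, documented as '{doc}'"))
    # Check 2: every concrete *_t used outside gen_require must be declared inside it.
    declared = {t.strip() for blk in REQUIRE_RE.findall(body)
                for decl in DECL_RE.findall(blk) for t in decl.split(",")}
    for t in sorted(set(TYPE_RE.findall(REQUIRE_RE.sub("", body))) - declared):
        findings.append((name, "undeclared", t))
    return findings

def lint(text):
    findings = []
    for docs, name, body in BLOCK_RE.findall(text):   # doc comments, name, body per interface
        findings += check_interface(name, PARAM_RE.findall(docs), body)
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE_IF), sep="\n")
```

The check only sees what is written in the interface file itself, so it complements rather than replaces the `sepolicy interface -c -i` compile test, which also exercises macros expanded from other interfaces.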

Comment 16 errata-xmlrpc 2021-11-09 19:42:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420

