Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1801249

Summary: some policy interfaces cannot be compiled
Product: Red Hat Enterprise Linux 8 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.2CC: lvrabec, mmalik, plautrba, ssekidde
Target Milestone: rcKeywords: Triaged
Target Release: 8.5Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-69.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 19:42:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2020-02-10 14:02:02 UTC 
Description of problem:
following interfaces cannot be compiled: cron_role, cron_unconfined_role, cron_admin_role, rpm_named_filetrans.

Version-Release number of selected component (if applicable):
selinux-policy-devel-3.14.3-38.el8.noarch
selinux-policy-3.14.3-38.el8.noarch
selinux-policy-targeted-3.14.3-38.el8.noarch

How reproducible:
 * always

Steps to Reproduce:
# sepolicy interface -c -i cron_unconfined_role
Compiling cron_unconfined_role interface
Compiling targeted compiletest module
compiletest.te:43:ERROR 'unknown type sepolicy_domain_t_t' at token ';' on line 4423:
#line 43
	typeattribute sepolicy_domain_t_t crontab_domain;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1
Compile test for cron_unconfined_role failed.
#

Actual results:
 * failed compilation

Expected results:
 * successful compilation
Comment 2 Milos Malik 2020-08-17 15:54:51 UTC 
The automated TC revealed following problems when testing the selinux-policy 3.14.3-51.el8 packages on RHEL-8.3:

Compile test for container_filetrans_named_content failed.
Compile test for cron_admin_role failed.
Compile test for cron_role failed.
Compile test for cron_unconfined_role failed.
Compile test for rpm_named_filetrans failed.
Comment 4 Milos Malik 2020-10-02 12:29:01 UTC 
Compilation of interfaces cron_role, cron_admin_role, cron_unconfined_role leads to the same error message:

compiletest.te:43:ERROR 'unknown type sepolicy_domain_t_t' at token ';' on line 4427:
#line 43
	typeattribute sepolicy_domain_t_t crontab_domain;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1

But the remaining 2 interfaces produce different errors:

# sepolicy interface -c -i rpm_named_filetrans
Compiling rpm_named_filetrans interface
Compiling targeted compiletest module
compiletest.te:43:ERROR 'unknown type rpm_var_cache_t used in transition definition' at token ';' on line 4595:
	type_transition sepolicy_domain_t var_t:dir rpm_var_cache_t "dnf";
#line 43
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1
Compile test for rpm_named_filetrans failed.

# sepolicy interface -c -i container_filetrans_named_content
Compiling container_filetrans_named_content interface
Compiling targeted compiletest module
compiletest.te:43:ERROR 'unknown type container_kvm_var_run_t used in transition definition' at token ';' on line 4731:
	type_transition sepolicy_domain_t var_run_t:dir container_kvm_var_run_t "kata-containers";
#line 43
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1
Compile test for container_filetrans_named_content failed.
Comment 6 Zdenek Pytela 2021-02-24 19:30:02 UTC 
Fixed in rawhide:
commit b7b77904e0a165fc3ef54fe8c6f12405261c47b5 (HEAD -> rawhide, upstream/rawhide, upstream-rw/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed Feb 24 19:45:15 2021 +0100

    Add missing declaration in rpm_named_filetrans()

    In the rpm_named_filetrans() interface, the rpm_var_cache_t type was
    used, but not previously declared.

    As a result, the interface test compile failed using sepolicy-interface:

    $ sepolicy interface -c -i rpm_named_filetrans
    Compiling rpm_named_filetrans interface
    Compiling targeted compiletest module
    compiletest.te:43:ERROR 'unknown type rpm_var_cache_t used in transition definition' at token ';' on line 4641:
            type_transition sepolicy_domain_t var_t:dir rpm_var_cache_t "dnf";
    /usr/bin/checkmodule:  error(s) encountered while parsing configuration
    make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1
    Compile test for rpm_named_filetrans failed.

    Resolves: rhbz#1801249

commit 62db6d0b9fef710c6b186490861f6e816d2fa139
Author: Zdenek Pytela <zpytela>
Date:   Wed Feb 24 19:00:22 2021 +0100

    Change param description in cron interfaces to userdomain_prefix

    In the cron_role(), cron_unconfined_role(), and cron_admin_role()
    interfaces the second parameter name was incorrectly stated as "domain"
    while it should rather be "userdomain_prefix". As an example, "user" is
    the userdomain prefix for the "user_t" domain.

    As a result, test compile of these interfaces failed using sepolicy-interface:

    $ sepolicy interface -c -i cron_unconfined_role
    Compiling cron_unconfined_role interface
    Compiling targeted compiletest module
    compiletest.te:43:ERROR 'unknown type sepolicy_domain_t_t' at token ';' on line 4423:
            typeattribute sepolicy_domain_t_t crontab_domain;
    /usr/bin/checkmodule:  error(s) encountered while parsing configuration
    make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/compiletest.mod] Error 1
    Compile test for cron_unconfined_role failed.

    Resolves: rhbz#1801249
Comment 16 errata-xmlrpc 2021-11-09 19:42:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420