1861968 – container.if duplicate definition errors when building policy module

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1861968 - container.if duplicate definition errors when building policy module

Summary: container.if duplicate definition errors when building policy module

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.2
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	8.6
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2055890
TreeView+	depends on / blocked

Reported:	2020-07-30 04:26 UTC by Flos Qi Guo
Modified:	2022-05-10 16:22 UTC (History)
CC List:	8 users (show)
Fixed In Version:	selinux-policy-3.14.3-89.el8
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Clones:	2055890 (view as bug list)
Environment:
Last Closed:	2022-05-10 15:14:56 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	5272801	0	None	None	None	2020-07-30 11:31:01 UTC
Red Hat Product Errata	RHBA-2022:1995	0	None	None	None	2022-05-10 15:15:13 UTC

Internal Links: 1967642

Description Flos Qi Guo 2020-07-30 04:26:46 UTC

> Description of problem:
When trying to build a custom policy module with selinux devel package, lots of errors come out:

> Version-Release number of selected component (if applicable):
# rpm -qa | egrep 'selinux|container-selinux' | sort
container-selinux-2.135.0-1.module+el8.2.1+6849+893e4f4a.noarch
libselinux-2.9-3.el8.x86_64
libselinux-utils-2.9-3.el8.x86_64
python3-libselinux-2.9-3.el8.x86_64
rpm-plugin-selinux-4.14.2-10.el8_0.x86_64
selinux-policy-3.14.3-41.el8_2.5.noarch
selinux-policy-devel-3.14.3-41.el8_2.5.noarch
selinux-policy-targeted-3.14.3-41.el8_2.5.noarch

> How reproducible:
Always.

> Steps to Reproduce:
1. Create a custom type enforcement as follows:

# cat init_t_audit_control.te 

module init_t_audit_control 1.0;

require {
	type init_t;
	class capability audit_control;
}

#============= init_t ==============
allow init_t self:capability audit_control;

2. Compile it and getting the errors


# make -f /usr/share/selinux/devel/Makefile init_t_audit_control.pp
/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13.
/usr/share/selinux/devel/include/services/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40.
/usr/share/selinux/devel/include/services/container.if:60: Error: duplicate definition of container_runtime_exec(). Original definition on 60.
/usr/share/selinux/devel/include/services/container.if:79: Error: duplicate definition of container_read_state(). Original definition on 79.
/usr/share/selinux/devel/include/services/container.if:97: Error: duplicate definition of container_search_lib(). Original definition on 97.
/usr/share/selinux/devel/include/services/container.if:116: Error: duplicate definition of container_exec_lib(). Original definition on 116.
/usr/share/selinux/devel/include/services/container.if:135: Error: duplicate definition of container_read_lib_files(). Original definition on 135.
/usr/share/selinux/devel/include/services/container.if:154: Error: duplicate definition of container_read_share_files(). Original definition on 154.
/usr/share/selinux/devel/include/services/container.if:175: Error: duplicate definition of container_runtime_read_tmpfs_files(). Original definition on 175.
/usr/share/selinux/devel/include/services/container.if:196: Error: duplicate definition of container_manage_share_files(). Original definition on 196.
/usr/share/selinux/devel/include/services/container.if:217: Error: duplicate definition of container_manage_share_dirs(). Original definition on 217.
/usr/share/selinux/devel/include/services/container.if:237: Error: duplicate definition of container_exec_share_files(). Original definition on 237.
/usr/share/selinux/devel/include/services/container.if:255: Error: duplicate definition of container_manage_config_files(). Original definition on 255.
/usr/share/selinux/devel/include/services/container.if:274: Error: duplicate definition of container_manage_lib_files(). Original definition on 274.
/usr/share/selinux/devel/include/services/container.if:294: Error: duplicate definition of container_manage_files(). Original definition on 294.
/usr/share/selinux/devel/include/services/container.if:313: Error: duplicate definition of container_manage_dirs(). Original definition on 313.
/usr/share/selinux/devel/include/services/container.if:331: Error: duplicate definition of container_manage_lib_dirs(). Original definition on 331.
/usr/share/selinux/devel/include/services/container.if:367: Error: duplicate definition of container_lib_filetrans(). Original definition on 367.
/usr/share/selinux/devel/include/services/container.if:385: Error: duplicate definition of container_read_pid_files(). Original definition on 385.
/usr/share/selinux/devel/include/services/container.if:404: Error: duplicate definition of container_systemctl(). Original definition on 404.
/usr/share/selinux/devel/include/services/container.if:429: Error: duplicate definition of container_rw_sem(). Original definition on 429.
/usr/share/selinux/devel/include/services/container.if:448: Error: duplicate definition of container_append_file(). Original definition on 448.
/usr/share/selinux/devel/include/services/container.if:466: Error: duplicate definition of container_use_ptys(). Original definition on 466.
/usr/share/selinux/devel/include/services/container.if:484: Error: duplicate definition of container_filetrans_named_content(). Original definition on 484.
/usr/share/selinux/devel/include/services/container.if:543: Error: duplicate definition of container_stream_connect(). Original definition on 543.
/usr/share/selinux/devel/include/services/container.if:564: Error: duplicate definition of container_spc_stream_connect(). Original definition on 564.
/usr/share/selinux/devel/include/services/container.if:585: Error: duplicate definition of container_admin(). Original definition on 585.
/usr/share/selinux/devel/include/services/container.if:632: Error: duplicate definition of container_auth_domtrans(). Original definition on 632.
/usr/share/selinux/devel/include/services/container.if:651: Error: duplicate definition of container_auth_exec(). Original definition on 651.
/usr/share/selinux/devel/include/services/container.if:670: Error: duplicate definition of container_auth_stream_connect(). Original definition on 670.
/usr/share/selinux/devel/include/services/container.if:689: Error: duplicate definition of container_runtime_typebounds(). Original definition on 689.
/usr/share/selinux/devel/include/services/container.if:708: Error: duplicate definition of container_runtime_entrypoint(). Original definition on 708.
/usr/share/selinux/devel/include/services/container.if:715: Error: duplicate definition of docker_exec_lib(). Original definition on 715.
/usr/share/selinux/devel/include/services/container.if:719: Error: duplicate definition of docker_read_share_files(). Original definition on 719.
/usr/share/selinux/devel/include/services/container.if:723: Error: duplicate definition of docker_exec_share_files(). Original definition on 723.
/usr/share/selinux/devel/include/services/container.if:727: Error: duplicate definition of docker_manage_lib_files(). Original definition on 727.
/usr/share/selinux/devel/include/services/container.if:732: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 732.
/usr/share/selinux/devel/include/services/container.if:736: Error: duplicate definition of docker_lib_filetrans(). Original definition on 736.
/usr/share/selinux/devel/include/services/container.if:740: Error: duplicate definition of docker_read_pid_files(). Original definition on 740.
/usr/share/selinux/devel/include/services/container.if:744: Error: duplicate definition of docker_systemctl(). Original definition on 744.
/usr/share/selinux/devel/include/services/container.if:748: Error: duplicate definition of docker_use_ptys(). Original definition on 748.
/usr/share/selinux/devel/include/services/container.if:752: Error: duplicate definition of docker_stream_connect(). Original definition on 752.
/usr/share/selinux/devel/include/services/container.if:756: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 756.
/usr/share/selinux/devel/include/services/container.if:770: Error: duplicate definition of container_spc_read_state(). Original definition on 770.
/usr/share/selinux/devel/include/services/container.if:789: Error: duplicate definition of container_runtime_domain_template(). Original definition on 789.
/usr/share/selinux/devel/include/services/container.if:825: Error: duplicate definition of container_domain_template(). Original definition on 825.
/usr/share/selinux/devel/include/services/container.if:853: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 853.
Compiling targeted init_t_audit_control module
Creating targeted init_t_audit_control.pp policy package
rm tmp/init_t_audit_control.mod tmp/init_t_audit_control.mod.fc

> Actual results:
Building with errors. 

> Expected results:
No errors.

> Additional info:
Seems there's a similiar bug on fedora:
 - https://bugzilla.redhat.com/show_bug.cgi?id=1567980
Don't know it's related or not.

Comment 1 Renaud Métrich 2020-07-30 07:41:44 UTC

The issue is due to having 2 source files for the same definitions, e.g.:

# grep -rw container_runtime_domtrans /usr/share/selinux/devel/include | grep if:interface
/usr/share/selinux/devel/include/services/container.if:interface(`container_runtime_domtrans',`
/usr/share/selinux/devel/include/contrib/container.if:interface(`container_runtime_domtrans',`


# rpm -qf /usr/share/selinux/devel/include/services/container.if /usr/share/selinux/devel/include/contrib/container.if
container-selinux-2.135.0-1.module+el8.2.1+6849+893e4f4a.noarch
selinux-policy-devel-3.14.3-41.el8_2.5.noarch

--> 2 packages ship the identical files in different locations.

Comment 2 Zdenek Pytela 2020-08-04 14:45:36 UTC

I can confirm there is a conflict:

  # grep -r 'interface(`container_runtime_domtrans' /usr/share/selinux/devel/include/
/usr/share/selinux/devel/include/contrib/container.if:interface(`container_runtime_domtrans',`
/usr/share/selinux/devel/include/services/container.if:interface(`container_runtime_domtrans',`

  # rpm -qf /usr/share/selinux/devel/include/services/container.if /usr/share/selinux/devel/include/contrib/container.if
container-selinux-2.142.0-1.module+el8.3.0+7472+edf95ef7.noarch
selinux-policy-devel-3.14.3-49.el8.noarch

The message seems to be harmless though.

Comment 17 errata-xmlrpc 2022-05-10 15:14:56 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995

Note You need to log in before you can comment on or make changes to this bug.