Description of problem: running # semodule -i <module_package> or # semodule -r <module> or # semodule -b /usr/share/selinux/targeted/base.pp segfaults. This happens when upgrading selinux-policy and when installing policy modules by hand. However at least while installing policy modules by hand, it seems that the module does get installed, even with the segfault. Version-Release number of selected component (if applicable): policycoreutils-1.30.26-1 on i386 libsemanage-1.6.15-1 How reproducible: Always Steps to Reproduce: [root@cypher-01 ~]# semodule -l amavis 1.0.5 clamav 1.0.5 dcc 1.0.1 evolution 1.0.3 mozilla 1.0.3 nagios 1.0.2 pyzor 1.0.4 razor 1.0.1 [root@cypher-01 ~]# semodule -i local.pp Segmentation fault [root@cypher-01 ~]# semodule -l amavis 1.0.5 clamav 1.0.5 dcc 1.0.1 evolution 1.0.3 local 1.0 mozilla 1.0.3 nagios 1.0.2 pyzor 1.0.4 razor 1.0.1 [root@cypher-01 ~]# semodule -r local Segmentation fault [root@cypher-01 ~]# semodule -l amavis 1.0.5 clamav 1.0.5 dcc 1.0.1 evolution 1.0.3 mozilla 1.0.3 nagios 1.0.2 pyzor 1.0.4 razor 1.0.1 [root@cypher-01 ~]# Actual results: semodule segfaults, although the module is installed and removed Expected results: semodule doesn't segfault Additional info: [root@cypher-01 ~]# gdb semodule GNU gdb Red Hat Linux (6.3.0.0-1.131.FC6rh) Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1". (gdb) run -i local.pp Starting program: /usr/sbin/semodule -i local.pp Reading symbols from shared object read from target memory...done. Loaded system supplied DSO at 0xb7f15000 Program received signal SIGSEGV, Segmentation fault. 0x00000000 in ?? () (gdb) bt #0 0x00000000 in ?? () #1 0x007877a0 in semanage_install_active (sh=0xa0373b0) at semanage_store.c:1018 #2 0x007897b5 in semanage_install_sandbox (sh=0xa0373b0) at semanage_store.c:1208 #3 0x0077e96b in semanage_direct_commit (sh=0xa0373b0) at direct_api.c:661 #4 0x007806c8 in semanage_commit (sh=0xa0373b0) at handle.c:246 #5 0x080494e8 in main (argc=7794416, argv=0xbf867354) at semodule.c:429 #6 0x481bc214 in __libc_start_main () from /lib/libc.so.6 #7 0x08048d91 in _start () (gdb)
Created attachment 134416 [details] policy module package used in the example
Well, once I noticed that libselinux wasn't uptodate and updated it, the segfault went away. Instead, I get libsemanage.semanage_install_active: Non-fatal error: Could not copy /etc/selinux/targeted/modules/active/file_contexts.local to /etc/selinux/targeted/contexts/files/file_contexts.local
This looks like a labeling problem. Could you attach the avc messages from /var/log/messages or /var/log/audit/audit.log restorecon -R -v /etc/selinux Will clear up labeling problems in policy. touch /.autorelabel; reboot will relabel the entire machine.
relabeling the machine didn't change the message. here are the messages from /var/log/audit/audit.log type=MAC_POLICY_LOAD msg=audit(1155924789.856:46): policy loaded auid=0 type=SYSCALL msg=audit(1155924789.856:46): arch=40000003 syscall=4 success=yes exit=910553 a0=4 a1=b7ecf000 a2=de4d9 a3=bfce5258 items=0 pid=2369 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="load_policy" exe="/usr/sbin/load_policy" subj=root:system_r:load_policy_t:s0-s0:c0.c255 type=AVC msg=audit(1155924790.460:47): avc: denied { read } for pid=2210 comm="hald-addon-stor" name="hdc" dev=tmpfs ino=3533 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file type=SYSCALL msg=audit(1155924790.460:47): arch=40000003 syscall=5 success=yes exit=4 a0=bfbf5e08 a1=8880 a2=0 a3=8880 items=1 pid=2210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="hald-addon-stor" exe="/usr/libexec/hald-addon-storage" subj=system_u:system_r:hald_t:s0 type=CWD msg=audit(1155924790.460:47): cwd="/usr/libexec" type=PATH msg=audit(1155924790.460:47): item=0 name="/dev/hdc" inode=3533 dev=00:10 mode=060660 ouid=0 ogid=6 rdev=16:00 obj=system_u:object_r:device_t:s0 type=AVC msg=audit(1155924790.464:48): avc: denied { ioctl } for pid=2210 comm="hald-addon-stor" name="hdc" dev=tmpfs ino=3533 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file type=SYSCALL msg=audit(1155924790.464:48): arch=40000003 syscall=54 success=yes exit=1 a0=4 a1=5326 a2=7fffffff a3=4 items=0 pid=2210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="hald-addon-stor" exe="/usr/libexec/hald-addon-storage" subj=system_u:system_r:hald_t:s0 type=AVC_PATH msg=audit(1155924790.464:48): path="/dev/hdc"
Please attach the local.te file that you used to create the pp file.
libsemanage.semanage_install_active: Non-fatal error: Could not copy /etc/selinux/targeted/modules/active/file_contexts.local to /etc/selinux/targeted/contexts/files/file_contexts.local Has been fixed in a rawhide Not sure why you are getting a mislaneled /dev/hfc though.