Bug 2136212 - Current libsepol 3.4-1.1 version issue with SEuser defintions within policy modules
Summary: Current libsepol 3.4-1.1 version issue with SEuser defintions within policy m...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libsepol
Version: 9.1
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Petr Lautrbach
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-10-19 15:30 UTC by Hubert Quarantel-Colombani
Modified: 2023-05-09 10:17 UTC (History)
6 users (show)

Fixed In Version: libsepol-3.4-3.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-09 08:15:28 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-137061 0 None None None 2022-10-19 15:35:55 UTC
Red Hat Product Errata RHBA-2023:2480 0 None None None 2023-05-09 08:15:42 UTC

Description Hubert Quarantel-Colombani 2022-10-19 15:30:57 UTC 
Description of problem:

Versions 3.4 of libsepol prior to commit https://github.com/SELinuxProject/selinux/commit/88a703399f3f44be2502fd4ecd22ac3d3c560694 of June 15th (2022) will have a serious problem with SELinux policy modules containing SEuser definitions: source code won't compile.

Version-Release number of selected component (if applicable):
3.4-1.1

How reproducible:

Compilation/packaging of source code will fail 100% of times at the semodule_package stage (either using the Makefile from selinux-policy-devel or using checkmodule and semodule_package commands)

Steps to Reproduce:
1. Create a simple policy module source file foo.te like:
   module foo 0.0.1;
   require {
     role staff_r;
     sensitivity s0;
     category c0;
     category c1023;
   }
   user foo_u roles staff_r level s0 range s0 - s0:c0.c1023;
2. Compile this code to foo.mod file using the checkmodule command: OK
3. Finalise the module with the semodule_package command: not OK

Actual results:

The semodule_package command crashes with error message:
   libsepol.validate_user_datum: Invalid user datum
   libsepol.validate_datum_array_entries: Invalid datum array entries
   libsepol.validate_policydb: Invalid policydb
   /usr/bin/semodule_package:  Error while reading policy module from foo.mod

Expected results:

foo.pp binary file created and module can be loaded using semodule command.


Additional info:

Issue was fixed on the master branch of libsepol by commit 88a703399f3f44be2502fd4ecd22ac3d3c560694
Comment 1 Laurent Gaillard 2022-10-20 14:38:53 UTC 
Hi,

I gave it a try downloading the source code zip file from https://github.com/SELinuxProject/selinux and compiling it on RHEL 9.1 Beta.

After replacing userspace SELinux components (followed README file to compile and install), I was able to compile the SELinux Policy module source code with no errors and load it with "semodule -i" command:

   module foo 0.0.1;
   require {
     role staff_r;
     sensitivity s0;
     category c0;
     category c1023;
   }
   user foo_u roles staff_r level s0 range s0 - s0:c0.c1023;

Hope it can help.
Comment 2 Petr Lautrbach 2022-10-21 07:51:31 UTC 
We appreciate you taking the time to submit a report, provide a reproducer, and provide hints. We will begin working on this immediately.
Comment 3 Petr Lautrbach 2022-10-21 09:15:33 UTC 
https://gitlab.com/redhat/centos-stream/rpms/libsepol/-/merge_requests/9
Comment 11 errata-xmlrpc 2023-05-09 08:15:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libsepol bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2480
Note You need to log in before you can comment on or make changes to this bug.