Bug 2136212 - Current libsepol 3.4-1.1 version issue with SEuser defintions within policy modules
Summary: Current libsepol 3.4-1.1 version issue with SEuser defintions within policy m...
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libsepol
Version: 9.1
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Petr Lautrbach
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-10-19 15:30 UTC by Hubert Quarantel-Colombani
Modified: 2023-01-19 16:46 UTC (History)
6 users (show)

Fixed In Version: libsepol-3.4-3.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-137061 0 None None None 2022-10-19 15:35:55 UTC

Description Hubert Quarantel-Colombani 2022-10-19 15:30:57 UTC 
Description of problem:

Versions 3.4 of libsepol prior to commit https://github.com/SELinuxProject/selinux/commit/88a703399f3f44be2502fd4ecd22ac3d3c560694 of June 15th (2022) will have a serious problem with SELinux policy modules containing SEuser definitions: source code won't compile.

Version-Release number of selected component (if applicable):
3.4-1.1

How reproducible:

Compilation/packaging of source code will fail 100% of times at the semodule_package stage (either using the Makefile from selinux-policy-devel or using checkmodule and semodule_package commands)

Steps to Reproduce:
1. Create a simple policy module source file foo.te like:
   module foo 0.0.1;
   require {
     role staff_r;
     sensitivity s0;
     category c0;
     category c1023;
   }
   user foo_u roles staff_r level s0 range s0 - s0:c0.c1023;
2. Compile this code to foo.mod file using the checkmodule command: OK
3. Finalise the module with the semodule_package command: not OK

Actual results:

The semodule_package command crashes with error message:
   libsepol.validate_user_datum: Invalid user datum
   libsepol.validate_datum_array_entries: Invalid datum array entries
   libsepol.validate_policydb: Invalid policydb
   /usr/bin/semodule_package:  Error while reading policy module from foo.mod

Expected results:

foo.pp binary file created and module can be loaded using semodule command.


Additional info:

Issue was fixed on the master branch of libsepol by commit 88a703399f3f44be2502fd4ecd22ac3d3c560694
Comment 1 Laurent Gaillard 2022-10-20 14:38:53 UTC 
Hi,

I gave it a try downloading the source code zip file from https://github.com/SELinuxProject/selinux and compiling it on RHEL 9.1 Beta.

After replacing userspace SELinux components (followed README file to compile and install), I was able to compile the SELinux Policy module source code with no errors and load it with "semodule -i" command:

   module foo 0.0.1;
   require {
     role staff_r;
     sensitivity s0;
     category c0;
     category c1023;
   }
   user foo_u roles staff_r level s0 range s0 - s0:c0.c1023;

Hope it can help.
Comment 2 Petr Lautrbach 2022-10-21 07:51:31 UTC 
We appreciate you taking the time to submit a report, provide a reproducer, and provide hints. We will begin working on this immediately.
Comment 3 Petr Lautrbach 2022-10-21 09:15:33 UTC 
https://gitlab.com/redhat/centos-stream/rpms/libsepol/-/merge_requests/9
Note You need to log in before you can comment on or make changes to this bug.