+++ This bug was initially created as a clone of Bug #2254169 +++

Installing the selinux-policy-devel package, I could see the following error message when the RPM scriptlet executes:

~~~
# /usr/bin/sepolgen-ifgen
Illegal character '"'
~~~

This is seen with an uncustomized fresh system.

Reproducible: Always

Steps to Reproduce:
1. Install selinux-policy-devel package

Actual Results:
Illegal character '"'

Expected Results:
No such error message

--- Additional comment from Petr Lautrbach on 2023-12-12 17:43:39 CET ---

It's caused by

filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interfac(e)")

in /usr/share/selinux/devel/include/contrib/virt.if

"interfac(e)" is probably a typo, "(e)" is the same as "e"

This change would fix it:

--- /usr/share/selinux/devel/include/contrib/virt.if.rpm	2023-12-12 11:36:05.608235197 -0500
+++ /usr/share/selinux/devel/include/contrib/virt.if	2023-12-12 11:36:20.212343183 -0500
@@ -164,7 +164,7 @@
 	filetrans_pattern($1, virt_driver_var_run, virt_common_var_run_t, dir, "common")
 	filetrans_pattern($1, virt_var_run_t, virt_common_var_run_t, dir, "common")
-	filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interfac(e)")
+	filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interface")
 	filetrans_pattern($1, virt_var_run_t, virtnodedevd_var_run_t, dir, "nodedev")
 	filetrans_pattern($1, virt_var_run_t, virtnwfilterd_var_run_t, dir, "nwfilter")
 	filetrans_pattern($1, virt_var_run_t, virtsecretd_var_run_t, dir, "secrets")

But sepolgen-ifgen should not fail on it.
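Review bot: the `+` line swaps `"interfac(e)"` for the bare word `"interface"` without checking that the module still builds; this file is run through m4 during the policy build, where interface is a defined macro, so the unquoted name is expanded into the macro body instead of being passed through as a filename, and checkmodule then fails on the stray `"` token that results. The change should be verified against the full module build and not only against sepolgen-ifgen; if the name has to stay literal, use a form that m4 quoting protects (the thread later settles on "``interface''"), or fall back to an unnamed file transition.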
Thank you for the report. It was introduced in rawhide in v40.2 with e62efd6dd "Split virt policy, introduce virt_supplementary module", and the change seems to have been intentional, not to make our tools fail or report an error.

+# Use parentheses so that "interface" is not recognized as a keyword by M4
+/var/run/libvirt/interfac(e)(/.*)?	gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
...
+	filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interfac(e)")

Will check if it is also valid for the filename in the transition pattern.
Well, in the filename transition rule "interfac(e)" will not match "interface" (it's not a regex), so the rule doesn't have the desired effect even now.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 40 development cycle. Changing version to 40.
*** Bug 2277925 has been marked as a duplicate of this bug. ***
An attempt to use "interface" fails at the first virt_driver_template call at #L167 containing:

filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interface")

virt_driver_template(virtinterfaced_t) ->

~~~
allow virtinterfaced_t virt_var_run_t:dir { open read getattr lock search ioctl add_name remove_name write };
policy/modules/contrib/virt.te:298:ERROR 'unrecognized character' at token '"' on line 6887:
#line 298
type_transition virtinterfaced_t virt_var_run_t:dir virtinterfaced_var_run_t "
policy/modules/contrib/virt.te:298:ERROR 'syntax error' at token 'allow' on line 6891:
#line 298
allow virtinterfaced_t virt_var_run_t:dir { open read getattr lock search ioctl add_name remove_name write };
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [Rules.modular:77: tmp/virt.mod] Error 1
make: *** Waiting for unfinished jobs....
~~~

Do you happen to have a workaround handy? I am looking for string concatenation in m4. If any of these do not work, we can still try an unnamed file transition, as this should not make things worse at least.
Given that "interface" is a defined macro, it needs to be quoted - https://www.gnu.org/software/m4/manual/m4.html#Quoted-strings

Unfortunately, simple quotes would not help:

filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "`interface'")

would be expanded to

define(`filetrans_pattern',`
	allow $1 $2:dir rw_dir_perms;
	type_transition $1 $2:$4 $3 "interface";
')

which would again be expanded to the interface macro definition. Therefore double quotes are necessary:

filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "``interface''")
->
type_transition $1 $2:$4 $3 "`interface'";
*** Bug 2254169 has been marked as a duplicate of this bug. ***
FEDORA-2024-2bc43119f3 (selinux-policy-40.23-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-2bc43119f3
FEDORA-2024-2bc43119f3 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-2bc43119f3` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-2bc43119f3 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-2bc43119f3 (selinux-policy-40.23-1.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.
selinux-policy-40.23-1.fc40 does NOT fix this bug:

~~~
# rpm -qa 'selinux-policy*'
selinux-policy-40.23-1.fc40.noarch
selinux-policy-targeted-40.23-1.fc40.noarch
selinux-policy-devel-40.23-1.fc40.noarch
# dnf reinstall --refresh --enablerepo=updates-testing 'selinux-*'
...
  Running scriptlet: selinux-policy-devel-40.23-1.fc40.noarch          3/6
Illegal character '"'
...
~~~
Switching the component, maybe the parser needs to be updated? In the policy we now have:

~~~
# This sequence of quotation marks is needed to prevent "interface"
# from being interpreted as a keyword and further parsed by m4 macros
filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "``interface''")
~~~
It is still happening...

~~~
  Upgrading        : selinux-policy-devel-40.24-1.fc40.noarch       93/224
  Running scriptlet: selinux-policy-devel-40.24-1.fc40.noarch       93/224
Illegal character '"'
~~~
This is fixed in policycoreutils-3.7-4.fc42.x86_64
I have policycoreutils-3.7-5.fc41.x86_64 and can still see this in the DNF5 output when reinstalling selinux-policy-devel-0:41.27-1.fc41.noarch:

~~~
>>> Running post-install scriptlet: selinux-policy-devel-0:41.27-1.fc41.noarch
>>> Finished post-install scriptlet: selinux-policy-devel-0:41.27-1.fc41.noarch
>>> Scriptlet output:
>>> /usr/share/selinux/devel/include/contrib/virt.if: Syntax error on line 169 ` [type=TICK]
>>> /usr/share/selinux/devel/include/contrib/virt.if: Syntax error on line 220 ' [type=SQUOTE]
~~~
https://src.fedoraproject.org/rpms/policycoreutils/pull-request/49
FEDORA-2025-e94bfc5f12 (policycoreutils-3.7-6.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2025-e94bfc5f12
FEDORA-2025-e94bfc5f12 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-e94bfc5f12` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-e94bfc5f12 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-e94bfc5f12 (policycoreutils-3.7-6.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.