Ganesha's selinux bits can be seen at https://github.com/nfs-ganesha/nfs-ganesha/tree/next/src/selinux

At some point in the past they installed without any issues. Now we are seeing

fedora rawhide:

>>> Running post-install scriptlet: nfs-ganesha-selinux-0:7.0-0.1dev.10.fc42.noarch
>>> Finished post-install scriptlet: nfs-ganesha-selinux-0:7.0-0.1dev.10.fc42.noarch
>>> Scriptlet output:
>>> Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/ganesha/cil:61
>>> Failed to resolve AST
>>> semodule: Failed!

centos9s:

Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:373
Failed to resolve AST
/usr/sbin/semodule: Failed!

centos10s:

Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/ganesha/cil:61
Failed to resolve AST
semodule: Failed!

The nfs-ganesha.spec scriptlet in post: selinux is the same for all, i.e.:

...
%post selinux
%selinux_modules_install %{_selinux_store_path}/packages/ganesha.pp.bz2
...

I searched for possible fixes but my google-fu is weak here and weaker than my selinux-fu.

The centos{9,10} builds are available at https://cbs.centos.org/koji/buildinfo?buildID=59726 and https://cbs.centos.org/koji/buildinfo?buildID=59726 respectively.

Reproducible: Always
Kaleb,

Can you check the content of the file on which line it is failing?

bunzip2 < /var/lib/selinux/targeted/active/modules/200/ganesha/cil | nl

(or if the installation failed)

bunzip2 < /var/lib/selinux/targeted/tmp/modules/200/ganesha/cil | nl
nfs-ganesha-selinux installs "successfully" but there are no files installed at /var/lib/selinux/targeted/{active,tmp}/modules/200/ganesha.

# sudo dnf install -y nfs-ganesha-7.0-0.1dev.10.el10s.x86_64.rpm nfs-ganesha-selinux-7.0-0.1dev.10.el10s.noarch.rpm
...
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: nfs-ganesha-selinux-7.0-0.1dev.10.el10s.noarch         1/2
  Installing       : nfs-ganesha-selinux-7.0-0.1dev.10.el10s.noarch         1/2
  Running scriptlet: nfs-ganesha-selinux-7.0-0.1dev.10.el10s.noarch         1/2
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/ganesha/cil:61
Failed to resolve AST
semodule: Failed!

  Running scriptlet: nfs-ganesha-7.0-0.1dev.10.el10s.x86_64                 2/2
  Installing       : nfs-ganesha-7.0-0.1dev.10.el10s.x86_64                 2/2
  Running scriptlet: nfs-ganesha-7.0-0.1dev.10.el10s.x86_64                 2/2

Installed:
  nfs-ganesha-7.0-0.1dev.10.el10s.x86_64
  nfs-ganesha-selinux-7.0-0.1dev.10.el10s.noarch

Complete!

# ls /var/lib/selinux/targeted/active/modules/200/
container  passt  passt-repair  pasta  smartmon
# ls /var/lib/selinux/targeted/tmp/modules/200/
container  passt  passt-repair  pasta  smartmon

You can trivially reproduce this on your own c10s box by installing these three packages:

https://cbs.centos.org/kojifiles/packages/libntirpc/7.0/0.2.068ebc76.el10s/x86_64/libntirpc-7.0-0.2.068ebc76.el10s.x86_64.rpm
https://cbs.centos.org/kojifiles/packages/nfs-ganesha/7.0/0.1dev.10.el10s/x86_64/nfs-ganesha-7.0-0.1dev.10.el10s.x86_64.rpm
https://cbs.centos.org/kojifiles/packages/nfs-ganesha/7.0/0.1dev.10.el10s/noarch/nfs-ganesha-selinux-7.0-0.1dev.10.el10s.noarch.rpm

or for c9s:

https://cbs.centos.org/kojifiles/packages/libntirpc/7.0/0.2.068ebc76.el9s/x86_64/libntirpc-7.0-0.2.068ebc76.el9s.x86_64.rpm
https://cbs.centos.org/kojifiles/packages/nfs-ganesha/7.0/0.1dev.10.el9s/x86_64/nfs-ganesha-7.0-0.1dev.10.el9s.x86_64.rpm
https://cbs.centos.org/kojifiles/packages/nfs-ganesha/7.0/0.1dev.10.el9s/noarch/nfs-ganesha-selinux-7.0-0.1dev.10.el9s.noarch.rpm

I can try to resurrect the f42 packages, but they might have been deleted from koji by now.
Tried the c10s package and checked the module:

    60 (typeattributeset cil_gen_require cluster_t)
    61 (typeattributeset cil_gen_require ceph_t)
    62 (typeattributeset cil_gen_require ceph_log_t)

The type ceph_t is not defined and that's why installing fails.
Such failures could be prevented using optional blocks.
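A small check for the step described in comments #2 and #3, added here as an example (it is not from the bug report, nfs-ganesha or selinux-policy): it pulls every `cil_gen_require` type out of a decompressed CIL module and lists the ones the installed policy does not define, with the CIL line number so the result can be matched against the `cil:61` position in the semodule error. The demo CIL file, the stand-in list of defined types and the temp-directory paths are constructed; on a real host you would feed it the output of the bunzip2 command from comment #2 and of `seinfo -t` from setools.

```shell
#!/bin/sh
# Added example, not part of the bug report: report CIL "require" types that
# the installed policy does not define.
# Arguments: <decompressed CIL file> <file with one defined type name per line>
# On a real host (assumed tooling, not shown on the page):
#   bunzip2 < /var/lib/selinux/targeted/tmp/modules/200/ganesha/cil > ganesha.cil
#   seinfo -t > defined.txt
set -eu

# Print "<cil line number> <type>" for every typeattributeset cil_gen_require
# statement; the line number is what semodule reports in "cil:NN".
cil_required_types() {
    nl -ba "$1" | sed -n 's/^ *\([0-9]*\)[[:space:]]*(typeattributeset cil_gen_require \([A-Za-z0-9_]*\)).*$/\1 \2/p'
}

# Print "<cil line number> <type>" for each required type missing from the
# defined-types list; an empty result means the module should resolve.
cil_missing_types() {
    cil="$1"; defined="$2"
    cil_required_types "$cil" | while read -r lineno name; do
        if ! grep -qx "$name" "$defined"; then
            printf '%s %s\n' "$lineno" "$name"
        fi
    done
}

# Constructed demo input mirroring lines 60-62 of the ganesha module quoted above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ganesha.cil" <<'EOF'
(typeattributeset cil_gen_require cluster_t)
(typeattributeset cil_gen_require ceph_t)
(typeattributeset cil_gen_require ceph_log_t)
(allow ganesha_t ceph_t (unix_stream_socket (connectto)))
EOF

# Constructed stand-in for `seinfo -t` output on a host without the ceph module.
cat > "$demo_dir/defined.txt" <<'EOF'
cluster_t
ganesha_t
EOF

# Lists the two undefined ceph types; cluster_t is defined and not reported.
cil_missing_types "$demo_dir/ganesha.cil" "$demo_dir/defined.txt"
```

Run it as `sh check-cil.sh` after replacing the constructed files with the real CIL dump and the `seinfo -t` output; each line it prints names a type that must either exist on the target host or be wrapped in an optional block before the module will install.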
(In reply to Zdenek Pytela from comment #3)
> Tried the c10s package and checked the module:
>
>     60 (typeattributeset cil_gen_require cluster_t)
>     61 (typeattributeset cil_gen_require ceph_t)
>     62 (typeattributeset cil_gen_require ceph_log_t)
>
> The type ceph_t is not defined and that's why installing fails.
> Such failures could be prevented using optional blocks.

I guess you mean something like this in ganesha.te

...
optional_policy(`
    gen_require(`
        type ceph_t;
        type ceph_log_t;
    ')

    allow ganesha_t ceph_t:unix_stream_socket connectto;
    allow ganesha_t ceph_log_t:dir { add_name search write };
    allow ganesha_t ceph_log_t:file { create open };
')
...

(It sure is hard to find docs on how to do this.)
(In reply to Kaleb KEITHLEY from comment #4)
>
> I guess you mean something like this in ganesha.te
>
> ...
> optional_policy(`
>     gen_require(`
>         type ceph_t;
>         type ceph_log_t;
>     ')
>
>     allow ganesha_t ceph_t:unix_stream_socket connectto;
>     allow ganesha_t ceph_log_t:dir { add_name search write };
>     allow ganesha_t ceph_log_t:file { create open };
> ')
> ...

Which installs successfully, even including installing files in /var/lib/selinux/targeted/active/modules/200/ganesha/* and without emitting the error(s) in https://bugzilla.redhat.com/show_bug.cgi?id=2356228#c0.

But I'm hesitant to declare victory with my limited knowledge of policy files and inability to find documentation.
Kaleb,

I am not quite sure if there was a development on the ganesha side and nothing is now needed in selinux-policy?

> (It sure is hard to find docs on how to do this.)

We have an article which has been updated recently: https://access.redhat.com/articles/6999267

You should rather look for the proper interface from the ceph module.