Description of problem:
While trying to build dogtag common components I get an error message and the build fails. I know it's not a pretty good description...

Version-Release number of selected component (if applicable):
I downloaded revision 705 from the subversion repo.

How reproducible:
Follow the steps described on http://pki.fedoraproject.org/wiki/PKI_Common_Components_via_Subversion until the pki-selinux component. Then try building pki-selinux with build_dogtag.

Actual results:
I get this message:
pki.te":73:ERROR 'syntax error' at token 'corenet_tcp_bind_inaddr_any_node' on line 33741:
#73 corenet_tcp_bind_inaddr_any_node(pki_ra_t)
/usr/sbin/checkmodule: error(s) encountered while parsing configuration
/usr/sbin/checkmodule: loading policy configuration from /tmp/pki.tmp
make[1] : *** [tmp/pki.mod] Error 1
make[1] : leaving directory "/root/src/release/pki/base/selinux/dist/rpmpkg/BUILD/pki-selinux-1.2.0/src"

Expected results:
It should compile and build an RPM without crashing :)

Additional info:
I started compilation from a minimal Fedora 11 i386 installation (just Core). I installed dependencies as needed by the compilation process, thus I might have missed one.
I have found this bug in bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=483742 which is related to a pki-selinux compilation problem due to selinux rules syntax. Thus I have checked /usr/share/selinux/devel/policy.xml (which is mentioned in the bug) and found out that the 'corenet_tcp_bind_inaddr_any_node' directive does not exist with selinux-policy-3.6.12-62.fc11.noarch, which is the latest version for fc11. I have found another directive, 'corenet_tcp_bind_all_nodes', but I'm not used to SELinux. I have tried to modify pki/base/selinux/src/pki.if to use this directive and compilation works. But, again, I don't understand what it changes.

---------------------------------
--- pki/base/selinux/src/pki.if.orig 2009-07-31 15:05:29.619467463 +0200 +++ pki/base/selinux/src/pki.if 2009-07-31 15:06:20.691461463 +0200 @@ -511,7 +511,7 @@ corecmd_search_sbin(pki_tps_t) corenet_sendrecv_unlabeled_packets(pki_tps_t) - corenet_tcp_bind_inaddr_any_node(pki_tps_t) + corenet_tcp_bind_all_nodes(pki_tps_t) corenet_tcp_bind_pki_tps_port(pki_tps_t) corenet_tcp_connect_generic_port(pki_tps_t) @@ -681,7 +681,7 @@ corecmd_search_sbin(pki_ra_t) corenet_sendrecv_unlabeled_packets(pki_ra_t) - corenet_tcp_bind_inaddr_any_node(pki_ra_t) + corenet_tcp_bind_all_nodes(pki_ra_t) corenet_tcp_bind_pki_ra_port(pki_ra_t) corenet_tcp_sendrecv_all_if(pki_ra_t)
---------------------------------
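Review bot: both hunks are the right mechanical fix, but the swap is not a pure rename: corenet_tcp_bind_inaddr_any_node allowed node_bind on the INADDR_ANY node only, while corenet_tcp_bind_all_nodes allows it on every node type the base policy defines. The next line in each hunk still limits the port to pki_tps_port / pki_ra_port, so the wider node permission is acceptable, but the commit should say so and name the selinux-policy version (3.6.12-62.fc11 per this comment) that dropped the old interface, so the reason survives in svn log.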
Fabian has the patch exactly right. Index: dogtag/selinux/pki-selinux.spec =================================================================== --- dogtag/selinux/pki-selinux.spec (revision 770) +++ dogtag/selinux/pki-selinux.spec (working copy) @@ -33,7 +33,7 @@ ## Package Header Definitions %define base_name %{base_prefix}-%{base_component} %define base_version 1.2.0 -%define base_release 1 +%define base_release 2 %define base_group System Environment/Shells %define base_vendor Red Hat, Inc. %define base_license GPLv2 with exceptions @@ -249,6 +249,8 @@ ############################################################################### %changelog +* Mon Aug 24 2009 Ade Lee <alee> 1.2.0-2 +- Bugzilla Bug 514520 - Build of pki-selinux 1.2.0 component fails on fc11 * Tue Jul 28 2009 Matthew Harmsen <mharmsen> 1.2.0-1 - Version update to Dogtag 1.2.0. * Wed Jul 6 2009 Ade Lee <alee> 1.1.0-10 Index: base/selinux/src/pki.if =================================================================== --- base/selinux/src/pki.if (revision 770) +++ base/selinux/src/pki.if (working copy) @@ -511,7 +511,7 @@ corecmd_search_sbin(pki_tps_t) corenet_sendrecv_unlabeled_packets(pki_tps_t) - corenet_tcp_bind_inaddr_any_node(pki_tps_t) + corenet_tcp_bind_all_nodes(pki_tps_t) corenet_tcp_bind_pki_tps_port(pki_tps_t) corenet_tcp_connect_generic_port(pki_tps_t) @@ -681,7 +681,7 @@ corecmd_search_sbin(pki_ra_t) corenet_sendrecv_unlabeled_packets(pki_ra_t) - corenet_tcp_bind_inaddr_any_node(pki_ra_t) + corenet_tcp_bind_all_nodes(pki_ra_t) corenet_tcp_bind_pki_ra_port(pki_ra_t) corenet_tcp_sendrecv_all_if(pki_ra_t)
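Review bot: the pki.if interface change is not matched by a policy_module version bump in pki.te, so semodule -l will report the same 1.0.12 for the old and the rebuilt module; bump it in the same commit as base_release (the follow-up revision does move it to 1.0.13). The %changelog line "Build of pki-selinux 1.2.0 component fails on fc11" states the symptom only; say what changed, e.g. "replace corenet_tcp_bind_inaddr_any_node with corenet_tcp_bind_all_nodes (interface absent from fc11 selinux-policy)", so rpm -q --changelog explains the policy difference.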
Sending base/selinux/src/pki.if
Sending dogtag/selinux/pki-selinux.spec
Transmitting file data ..
Committed revision 771.
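Fabian's manual check of /usr/share/selinux/devel/policy.xml for the missing interface can be scripted and run before build_dogtag reaches checkmodule. This is an added example, not code from the Dogtag tree or from anyone in this bug; the pki.if fragment and policy.xml it creates are constructed stand-ins, and on a real fc11 host the second argument would be the installed policy.xml.

```shell
#!/bin/sh
# Added example, not code from the Dogtag tree or this bug: report interface calls
# in a refpolicy .if/.te source that the installed devel headers do not declare,
# so the checkmodule failure in this bug surfaces before rpmbuild runs.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for base/selinux/src/pki.if: the RA block plus the
# module's own definition of corenet_tcp_bind_pki_ra_port.
cat > "$WORK/pki.if" <<'EOF'
interface(`corenet_tcp_bind_pki_ra_port',`
    gen_require(`
        type pki_ra_port_t;
    ')
    allow $1 pki_ra_port_t:tcp_socket name_bind;
')
    corecmd_search_sbin(pki_ra_t)
    corenet_sendrecv_unlabeled_packets(pki_ra_t)
    corenet_tcp_bind_inaddr_any_node(pki_ra_t)
    corenet_tcp_bind_pki_ra_port(pki_ra_t)
    allow httpd_t pki_ra_etc_rw_t:dir search;
EOF

# Constructed stand-in for /usr/share/selinux/devel/policy.xml: the per-node
# interface is absent, as on selinux-policy-3.6.12-62.fc11; bind_all_nodes exists.
cat > "$WORK/policy.xml" <<'EOF'
<policy>
<interface name="corecmd_search_sbin" lineno="10">
<interface name="corenet_sendrecv_unlabeled_packets" lineno="20">
<interface name="corenet_tcp_bind_all_nodes" lineno="30">
</policy>
EOF

# missing_interfaces SOURCE POLICY_XML: print each name SOURCE calls like an
# interface (name(...) at line start) that neither SOURCE defines nor POLICY_XML
# declares. m4 keywords are skipped; plain allow rules never match the pattern.
missing_interfaces() {
    local_defs=$(sed -n -e 's/^[[:space:]]*interface(`\([A-Za-z0-9_]*\).*/\1/p' \
                        -e 's/^[[:space:]]*template(`\([A-Za-z0-9_]*\).*/\1/p' "$1")
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)(.*/\1/p' "$1" |
    grep -Ev '^(interface|template|policy_module|gen_require|gen_tunable|optional_policy|tunable_policy)$' |
    sort -u |
    while read -r name; do
        printf '%s\n' "$local_defs" | grep -qx "$name" && continue
        grep -q "<interface name=\"$name\"" "$2" || echo "$name"
    done
}

missing_interfaces "$WORK/pki.if" "$WORK/policy.xml"   # prints corenet_tcp_bind_inaddr_any_node
```

Against the real tree, run it on base/selinux/src/pki.if and pki.te with the installed policy.xml; an empty result means checkmodule will not hit the syntax error from the report.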
Some additional rules needed for fc11 (TPS and RA not starting) Index: base/selinux/src/pki.if =================================================================== --- base/selinux/src/pki.if (revision 771) +++ base/selinux/src/pki.if (working copy) @@ -547,12 +547,13 @@ sysnet_read_config(pki_tps_t) allow httpd_t pki_tps_etc_rw_t:dir search; - allow httpd_t pki_tps_etc_rw_t:file { read getattr }; - allow httpd_t pki_tps_log_t:dir search; - allow httpd_t pki_tps_log_t:file read; + allow httpd_t pki_tps_etc_rw_t:file rw_file_perms; + allow httpd_t pki_tps_log_t:dir rw_dir_perms; + allow httpd_t pki_tps_log_t:file manage_file_perms; allow httpd_t pki_tps_t:process { signal signull }; allow httpd_t pki_tps_var_lib_t:dir { getattr search }; allow httpd_t pki_tps_var_lib_t:lnk_file read; + allow httpd_t pki_tps_var_lib_t:file read_file_perms; # why do I need to add this? allow httpd_t httpd_config_t:file execute; @@ -719,12 +720,13 @@ sysnet_read_config(pki_ra_t) allow httpd_t pki_ra_etc_rw_t:dir search; - allow httpd_t pki_ra_etc_rw_t:file { read getattr }; - allow httpd_t pki_ra_log_t:dir search; - allow httpd_t pki_ra_log_t:file read; + allow httpd_t pki_ra_etc_rw_t:file rw_file_perms; + allow httpd_t pki_ra_log_t:dir rw_dir_perms; + allow httpd_t pki_ra_log_t:file manage_file_perms; allow httpd_t pki_ra_t:process { signal signull }; allow httpd_t pki_ra_var_lib_t:dir { getattr search }; allow httpd_t pki_ra_var_lib_t:lnk_file read; + allow httpd_t pki_ra_var_lib_t:file read_file_perms; # talk to the hsm allow pki_ra_t pki_common_dev_t:sock_file write; Index: base/selinux/src/pki.te =================================================================== --- base/selinux/src/pki.te (revision 770) +++ base/selinux/src/pki.te (working copy) 
@@ -1,4 +1,4 @@ -policy_module(pki,1.0.12) +policy_module(pki,1.0.13) attribute pki_ca_config; attribute pki_ca_executable;
[alee@aleeredhat pki]$ svn ci -m "Additional rules for BZ 514529"
Sending base/selinux/src/pki.if
Sending base/selinux/src/pki.te
Transmitting file data ..
Committed revision 775.
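Review bot: in the two pki.if hunks httpd_t moves from { read getattr } on pki_tps_etc_rw_t / pki_ra_etc_rw_t to rw_file_perms, and from read on the log files to manage_file_perms, which also carries create, unlink and rename; the web server can now delete or replace the TPS and RA logs, not merely write them. Record the avc denials that motivated each added line (the context comment "# why do I need to add this?" shows this block already collects unexplained rules) and use the narrowest set that clears them, e.g. append_file_perms or create_file_perms on the pki_*_log_t files with add_entry_dir_perms on the log directory, instead of manage_file_perms and rw_dir_perms, unless httpd_t really has to rotate the logs.

Review bot: the commit message says "BZ 514529" while the pki-selinux.spec %changelog committed in r771 cites Bugzilla Bug 514520; one of the two numbers is a typo and should be fixed before it is copied further. The pki.te hunk bumps policy_module to 1.0.13, which is right, but unlike r771 this commit adds no %changelog entry or base_release bump, so a package built from r775 carries the same 1.2.0-2 as one built from r771 while shipping different policy.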