Bug 514520 - Build of pki-selinux 1.2.0 component fails on fc11
Summary: Build of pki-selinux 1.2.0 component fails on fc11
Keywords:
Status: CLOSED EOL
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: SELinux
Version: unspecified
Hardware: i386
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-07-29 14:13 UTC by Fabien Dupont
Modified: 2020-03-27 19:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-27 19:11:36 UTC
Embargoed:



Description Fabien Dupont 2009-07-29 14:13:23 UTC
Description of problem:

While trying to build dogtag common components I get an error message and build fails. I know it's not a pretty good description...

Version-Release number of selected component (if applicable):

I downloaded revision 705 from subversion repo.

How reproducible:

Follow the steps described on http://pki.fedoraproject.org/wiki/PKI_Common_Components_via_Subversion until pki-selinux component. Then try building pki-selinux with build_dogtag.

Actual results:

I get this message:

pki.te":73:ERROR 'syntax error' at token 'corenet_tcp_bind_inaddr_any_node' on line 33741:
#73
       corenet_tcp_bind_inaddr_any_node(pki_ra_t)
/usr/sbin/checkmodule:  error(s) encountered while parsing configuration
/usr/sbin/checkmodule:  loading policy configuration from /tmp/pki.tmp
make[1] : *** [tmp/pki.mod] Error 1
make[1] : leaving directory "/root/src/release/pki/base/selinux/dist/rpmpkg/BUILD/pki-selinux-1.2.0/src"


Expected results:

It should compile and build RPM without crashing :)

Additional info:

I started compilation from a minimal Fedora 11 i386 installation (just Core).
I installed dependencies as needed by compilation process, thus I might have missed one.

Comment 1 Fabien Dupont 2009-07-31 13:11:39 UTC
I have found this bug in bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=483742 which is related to pki-selinux compilation problem due to selinux rules syntax. Thus I have checked /usr/share/selinux/devel/policy.xml (which is mentioned in the bug) and found out that 'corenet_tcp_bind_inaddr_any_node' directive does not exist with selinux-policy-3.6.12-62.fc11.noarch which is the latest version for fc11.

I have found another directive 'corenet_tcp_bind_all_nodes', but I'm not used to SELinux. I have tried to modify pki/base/selinux/src/pki.if to use this directive and compilation works. But, again, I don't understand what it changes.

---------------------------------
--- pki/base/selinux/src/pki.if.orig	2009-07-31 15:05:29.619467463 +0200
+++ pki/base/selinux/src/pki.if	2009-07-31 15:06:20.691461463 +0200
@@ -511,7 +511,7 @@
         corecmd_search_sbin(pki_tps_t)
 
         corenet_sendrecv_unlabeled_packets(pki_tps_t)
-        corenet_tcp_bind_inaddr_any_node(pki_tps_t)
+        corenet_tcp_bind_all_nodes(pki_tps_t)
         corenet_tcp_bind_pki_tps_port(pki_tps_t)
         corenet_tcp_connect_generic_port(pki_tps_t)
 
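Review bot: corenet_tcp_bind_all_nodes gives pki_tps_t permission to bind on every node type, while the removed corenet_tcp_bind_inaddr_any_node covered only the INADDR_ANY node, so this is a wider grant, not a plain rename. Before committing, check policy.xml (as done in this comment) for the narrowest bind interface the fc11 policy still defines for the generic node, and if only the all-nodes form exists, say so in the commit message so the widening is reviewable.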
@@ -681,7 +681,7 @@
         corecmd_search_sbin(pki_ra_t)
 
         corenet_sendrecv_unlabeled_packets(pki_ra_t)
-        corenet_tcp_bind_inaddr_any_node(pki_ra_t)
+        corenet_tcp_bind_all_nodes(pki_ra_t)
         corenet_tcp_bind_pki_ra_port(pki_ra_t)
 
         corenet_tcp_sendrecv_all_if(pki_ra_t)
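Review bot: the same widening applies to pki_ra_t here; whichever interface is chosen for pki_tps_t should be used in both places, so the two hunks should land as one change.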
---------------------------------
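The check described in the comment above, looking an interface name up in the installed policy's policy.xml and finding a replacement when it is gone, as a small shell helper. This is an added example, not code from the bug report or from the Dogtag project; it assumes policy.xml uses `<interface name="...">` elements as shipped by selinux-policy-devel, and it falls back to a constructed sample so it runs on a host without that file.

```shell
#!/bin/sh
# Added example (not from the bug report or the Dogtag project).
# Looks up SELinux interface names in the reference policy's policy.xml,
# the file selinux-policy-devel installs under /usr/share/selinux/devel.
# Assumption: interfaces appear as <interface name="..."> elements.

POLICY_XML="${POLICY_XML:-/usr/share/selinux/devel/policy.xml}"

# Constructed sample, used only when the real policy.xml is not readable,
# so the helpers can be exercised offline. It mirrors the situation in the
# report: corenet_tcp_bind_all_nodes is defined, the inaddr_any variant is not.
SAMPLE_XML='<policy>
<module name="corenetwork">
<interface name="corenet_sendrecv_unlabeled_packets"></interface>
<interface name="corenet_tcp_bind_all_nodes"></interface>
<interface name="corenet_tcp_connect_generic_port"></interface>
<interface name="corenet_tcp_sendrecv_all_if"></interface>
</module>
</policy>'

# Emit the policy XML to stdout, preferring the installed file.
policy_source() {
    if [ -r "$POLICY_XML" ]; then
        cat "$POLICY_XML"
    else
        printf '%s\n' "$SAMPLE_XML"
    fi
}

# has_interface NAME: exit 0 if NAME is defined as an interface.
has_interface() {
    policy_source | grep -q "<interface name=\"$1\">"
}

# list_interfaces PREFIX: print every interface name starting with PREFIX,
# one per line, to help find a replacement for a removed interface.
list_interfaces() {
    policy_source | sed -n "s/.*<interface name=\"\($1[^\"]*\)\".*/\1/p" | LC_ALL=C sort -u
}

# Usage: check each interface named on the command line; when one is
# missing, show candidates sharing its first three components
# (e.g. corenet_tcp_bind_inaddr_any_node -> prefix corenet_tcp_bind_).
for name in "$@"; do
    if has_interface "$name"; then
        echo "defined: $name"
    else
        prefix=$(printf '%s' "$name" | sed 's/^\([^_]*_[^_]*_[^_]*_\).*/\1/')
        echo "missing: $name (candidates with prefix $prefix)"
        list_interfaces "$prefix" | sed 's/^/  /'
    fi
done
```

Run it as `sh check_iface.sh corenet_tcp_bind_inaddr_any_node` on the build host; with the real policy.xml present the candidate list shows which bind interfaces that policy release actually defines, which is the information needed to pick the narrowest replacement rather than the broadest one.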

Comment 2 Ade Lee 2009-08-24 16:43:14 UTC
Fabian has the patch exactly right.

Index: dogtag/selinux/pki-selinux.spec
===================================================================
--- dogtag/selinux/pki-selinux.spec     (revision 770)
+++ dogtag/selinux/pki-selinux.spec     (working copy)
@@ -33,7 +33,7 @@
 ## Package Header Definitions
 %define base_name         %{base_prefix}-%{base_component}
 %define base_version      1.2.0
-%define base_release      1
+%define base_release      2
 %define base_group        System Environment/Shells
 %define base_vendor       Red Hat, Inc.
 %define base_license      GPLv2 with exceptions
@@ -249,6 +249,8 @@
 ###############################################################################
 
 %changelog
+* Mon Aug 24 2009 Ade Lee <alee> 1.2.0-2
+- Bugzilla Bug 514520 -  Build of pki-selinux 1.2.0 component fails on fc11
 * Tue Jul 28 2009 Matthew Harmsen <mharmsen> 1.2.0-1
 - Version update to Dogtag 1.2.0.
 * Wed Jul 6 2009 Ade Lee <alee> 1.1.0-10
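Review bot: the new changelog line has a double space after "Bugzilla Bug 514520 -"; rpm does not care, but the neighbouring entries use a single space. Also visible in the context lines: "Wed Jul 6 2009" is not a Wednesday (6 July 2009 was a Monday), and rpmbuild warns about bogus changelog dates, so it is worth correcting while the file is being edited.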
Index: base/selinux/src/pki.if
===================================================================
--- base/selinux/src/pki.if     (revision 770)
+++ base/selinux/src/pki.if     (working copy)
@@ -511,7 +511,7 @@
         corecmd_search_sbin(pki_tps_t)
 
         corenet_sendrecv_unlabeled_packets(pki_tps_t)
-        corenet_tcp_bind_inaddr_any_node(pki_tps_t)
+        corenet_tcp_bind_all_nodes(pki_tps_t)
         corenet_tcp_bind_pki_tps_port(pki_tps_t)
         corenet_tcp_connect_generic_port(pki_tps_t)
 
@@ -681,7 +681,7 @@
         corecmd_search_sbin(pki_ra_t)
 
         corenet_sendrecv_unlabeled_packets(pki_ra_t)
-        corenet_tcp_bind_inaddr_any_node(pki_ra_t)
+        corenet_tcp_bind_all_nodes(pki_ra_t)
         corenet_tcp_bind_pki_ra_port(pki_ra_t)
 
         corenet_tcp_sendrecv_all_if(pki_ra_t)
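Review bot: these two pki.if hunks are the same change as the patch in comment 1, but the commit changes the policy interface sources without bumping the policy_module() version in pki.te, so a module rebuilt from this revision carries the same module version as the previous one. Bump it in the same commit as the spec release so the installed module can be told apart.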

Comment 3 Ade Lee 2009-08-24 16:44:42 UTC
Sending        base/selinux/src/pki.if
Sending        dogtag/selinux/pki-selinux.spec
Transmitting file data ..
Committed revision 771.

Comment 4 Ade Lee 2009-08-25 02:29:05 UTC
Some additional rules needed for fc11 (TPS and RA not starting)

Index: base/selinux/src/pki.if
===================================================================
--- base/selinux/src/pki.if     (revision 771)
+++ base/selinux/src/pki.if     (working copy)
@@ -547,12 +547,13 @@
         sysnet_read_config(pki_tps_t)
 
         allow httpd_t pki_tps_etc_rw_t:dir search;
-        allow httpd_t pki_tps_etc_rw_t:file { read getattr };
-        allow httpd_t pki_tps_log_t:dir search;
-        allow httpd_t pki_tps_log_t:file read;
+        allow httpd_t pki_tps_etc_rw_t:file rw_file_perms;
+        allow httpd_t pki_tps_log_t:dir rw_dir_perms;
+        allow httpd_t pki_tps_log_t:file manage_file_perms;
         allow httpd_t pki_tps_t:process { signal signull };
         allow httpd_t pki_tps_var_lib_t:dir { getattr search };
         allow httpd_t pki_tps_var_lib_t:lnk_file read;
+        allow httpd_t pki_tps_var_lib_t:file read_file_perms;
 
         # why do I need to add this?
         allow httpd_t httpd_config_t:file execute;
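Review bot: the replacement rules grant far more than "TPS not starting" requires. manage_file_perms on pki_tps_log_t:file lets httpd_t create, rename and unlink log files and rw_dir_perms on the log directory lets it add and remove entries, where the removed rules allowed only read and search; rw_file_perms on pki_tps_etc_rw_t:file also lets the web server rewrite the TPS configuration. Derive the permission set from the AVC denials actually seen on fc11 (audit2allow over the audit log) and grant only those, typically append alongside the existing read and getattr for the log file, and record the denials in the commit message so the widening can be reviewed. The pre-existing "why do I need to add this?" rule granting execute on httpd_config_t files is worth resolving rather than carrying forward.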
@@ -719,12 +720,13 @@
         sysnet_read_config(pki_ra_t)
 
         allow httpd_t pki_ra_etc_rw_t:dir search;
-        allow httpd_t pki_ra_etc_rw_t:file { read getattr };
-        allow httpd_t pki_ra_log_t:dir search;
-        allow httpd_t pki_ra_log_t:file read;
+        allow httpd_t pki_ra_etc_rw_t:file rw_file_perms;
+        allow httpd_t pki_ra_log_t:dir rw_dir_perms;
+        allow httpd_t pki_ra_log_t:file manage_file_perms;
         allow httpd_t pki_ra_t:process { signal signull };
         allow httpd_t pki_ra_var_lib_t:dir { getattr search };
         allow httpd_t pki_ra_var_lib_t:lnk_file read;
+        allow httpd_t pki_ra_var_lib_t:file read_file_perms;
 
         # talk to the hsm
         allow pki_ra_t pki_common_dev_t:sock_file write;
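Review bot: same point as for the pki_tps_t hunk: manage_file_perms and rw_dir_perms on pki_ra_log_t and rw_file_perms on pki_ra_etc_rw_t give httpd_t much more than the read access they replace; narrow them to the permissions the AVC denials actually show.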
Index: base/selinux/src/pki.te
===================================================================
--- base/selinux/src/pki.te     (revision 770)
+++ base/selinux/src/pki.te     (working copy)
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.12)
+policy_module(pki,1.0.13)
 
 attribute pki_ca_config;
 attribute pki_ca_executable;
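Review bot: the policy_module version bump belongs with the interface changes, good. The svn commit message that follows references "BZ 514529" while this bug is 514520, so the revision log will not point back here; the correct number should be recorded against revision 775.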
[alee@aleeredhat pki]$ svn ci -m "Additional rules for BZ 514529" 
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Transmitting file data ..
Committed revision 775.
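Added example, not part of this bug or of the Dogtag tree: a minimal audit2allow-style aggregator in shell and awk that turns AVC denial records into the narrowest matching allow rules. This is the check a reviewer would run before accepting rules as broad as manage_file_perms in the hunks above. The audit lines are constructed to resemble denials for httpd_t against the pki_tps_* types in the patch and are not real audit output; the field layout follows the standard AVC record format.

```shell
#!/bin/sh
# Added example (not from the bug report or the Dogtag project).
# A minimal audit2allow-style aggregator: reads AVC denial records and
# prints one allow rule per (source type, target type, class) holding only
# the permissions that were actually denied. Assumes the standard AVC record
# layout: "avc:  denied  { perms } for ... scontext=... tcontext=... tclass=...".

# Constructed sample denials, shaped like what httpd_t might produce against
# the TPS log and config types from the patch; not real audit output.
SAMPLE_AVC='type=AVC msg=audit(1251161234.100:41): avc:  denied  { write } for  pid=2201 comm="httpd" name="tps-debug.log" dev=dm-0 ino=4101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pki_tps_log_t:s0 tclass=file
type=AVC msg=audit(1251161234.101:42): avc:  denied  { append } for  pid=2201 comm="httpd" name="tps-debug.log" dev=dm-0 ino=4101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pki_tps_log_t:s0 tclass=file
type=AVC msg=audit(1251161234.102:43): avc:  denied  { write add_name } for  pid=2201 comm="httpd" name="logs" dev=dm-0 ino=4100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pki_tps_log_t:s0 tclass=dir
type=AVC msg=audit(1251161234.103:44): avc:  denied  { write } for  pid=2201 comm="httpd" name="CS.cfg" dev=dm-0 ino=4200 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pki_tps_etc_rw_t:s0 tclass=file'

# avc_to_allow: AVC records on stdin -> allow rules on stdout.
# Stage 1 extracts "source target:class perm" triples, stage 2 de-duplicates
# and sorts them, stage 3 folds the permissions of each key into one rule.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        p = $0
        sub(/.*denied *[{] */, "", p)      # keep text after "{"
        sub(/ *[}].*/, "", p)              # drop text from "}" onwards
        n = split(p, perms, " ")
        match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
        split(s, sf, ":"); split(t, tf, ":")   # user:role:type:level -> type is field 3
        for (i = 1; i <= n; i++) print sf[3], tf[3] ":" c, perms[i]
    }' | LC_ALL=C sort -u | awk '
    {
        key = $1 " " $2
        if (key != prev) {
            if (prev != "") print "allow " prev " { " acc " };"
            prev = key; acc = $3
        } else {
            acc = acc " " $3
        }
    }
    END { if (prev != "") print "allow " prev " { " acc " };" }'
}

# demo_rules: run the aggregator over the constructed sample.
demo_rules() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

demo_rules
```

On the sample the output is append and write on pki_tps_log_t:file, add_name and write on pki_tps_log_t:dir, and write on pki_tps_etc_rw_t:file; manage_file_perms would additionally grant create, unlink, rename and link, none of which the denials ask for. Collect the denials with the domain temporarily permissive, because in enforcing mode the first denial aborts the operation and later permission checks never appear in the log, so a single enforcing-mode pass under-reports what the service needs.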

