Bug 526462 - semanage can't be used to recover from some invalid states
Summary: semanage can't be used to recover from some invalid states
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2009-09-30 12:25 UTC by Bruno Wolff III
Modified: 2009-10-01 13:30 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-10-01 13:30:12 UTC


Description Bruno Wolff III 2009-09-30 12:25:11 UTC
Description of problem:
After doing an upgrade, policy was left in an invalid state. This included both modules and a user with a role in the invalid policy. As far as I can figure out, I couldn't delete the extra user and roles at the same time I could remove (or disable) modules. My attempts at rebuilding policy and trying to remove the user and role were all failing because the resulting policy was always going to continue to be left in an invalid state.
Eventually I went into /etc/selinux/targeted and manually messed with stuff to get into a valid state, and then reinstalled selinux-policy-targeted to get back into a normal state.

Version-Release number of selected component (if applicable):

How reproducible:
I am not sure how to normally get into an invalid state in order to test this.

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 Daniel Walsh 2009-09-30 17:37:30 UTC
Can you give me a reproducer?

I have seen this before, but I am not sure how to get it into this state.  Of course the tools should prevent you from getting the state bad in the first place.

Comment 2 Bruno Wolff III 2009-09-30 21:51:22 UTC
Not really. It happened when I upgraded from F9 to F11 to F12. There were issues going from F9 to F11, but I really didn't worry about the selinux stuff until updates for F12 were failing. I had some local modules installed and one of the users had a role defined in a local module.
Presumably I could have cleanly fixed things by switching policies, removing the targeted policy and then reinstalling targeted and switching back. This would probably trigger two relabels.
One thing that might work is going in and editing the active policy modules by hand. If one of the modules has a role dependency on it, I think you end up in the situation I was in.

Comment 3 Daniel Walsh 2009-10-01 13:30:12 UTC
OK, we had some problems upgrading between versions, which hopefully are fixed now. We did some experiments which failed badly. :^(

I think we are learning from our mistakes.  But upgrading between versions is always difficult.

I will close this as fixed in Rawhide, since I think we have most of these upgrade issues fixed.
