Ran yum, it tried to install selinux-policy-strict-2.2.5-1 and died a horrid death:
Updating : selinux-policy-strict ####################### [13/24]
libsepol.verify_module_requirements: Module acct's global requirements were not met: type/attribute sysadm_home_dir_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
libsepol.verify_module_requirements: Module alsa's global requirements were not met: type/attribute devlog_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
libsepol.verify_module_requirements: Module amanda's global requirements were not met: type/attribute sysadm_home_dir_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
.... (skipping scads of similar errors..)
libsepol.verify_module_requirements: Module xserver's global requirements were not met: type/attribute logfile
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
libsepol.verify_module_requirements: Module zebra's global requirements were not met: type/attribute direct_init
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Running strict/permissive. Any suggestions?
Valdis.Kletnieks@vt.edu wrote:
Ran yum, it tried to install selinux-policy-strict-2.2.5-1 and died a horrid death:
Updating : selinux-policy-strict ####################### [13/24]
libsepol.verify_module_requirements: Module acct's global requirements were not met: type/attribute sysadm_home_dir_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
libsepol.verify_module_requirements: Module alsa's global requirements were not met: type/attribute devlog_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
libsepol.verify_module_requirements: Module amanda's global requirements were not met: type/attribute sysadm_home_dir_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
.... (skipping scads of similar errors..)
libsepol.verify_module_requirements: Module xserver's global requirements were not met: type/attribute logfile
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
libsepol.verify_module_requirements: Module zebra's global requirements were not met: type/attribute direct_init
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Running strict/permissive. Any suggestions?
Yes, strict is still very much a work in progress. Basically we need major fixup on modules.conf to get it working properly. Hopefully we will have it fixed soon. I am mainly focused on MLS and Targeted though.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Thu, 2006-01-26 at 13:02 -0500, Valdis.Kletnieks@vt.edu wrote:
Ran yum, it tried to install selinux-policy-strict-2.2.5-1 and died a horrid death:
Updating : selinux-policy-strict ####################### [13/24]
libsepol.verify_module_requirements: Module acct's global requirements were not met: type/attribute sysadm_home_dir_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
libsepol.verify_module_requirements: Module alsa's global requirements were not met: type/attribute devlog_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
libsepol.verify_module_requirements: Module amanda's global requirements were not met: type/attribute sysadm_home_dir_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
.... (skipping scads of similar errors..)
libsepol.verify_module_requirements: Module xserver's global requirements were not met: type/attribute logfile
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
libsepol.verify_module_requirements: Module zebra's global requirements were not met: type/attribute direct_init
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Running strict/permissive. Any suggestions?
Looks like the .spec file needs to install all of the modules as a single transaction to deal with mutually dependent modules. Or, it could install them layer-by-layer. Unfortunately, current semodule usage requires you to generate the list of all the modules, then prefix them all with -i options, then pass that entire string as the commandline to semodule. Something like:

# Location where modules are installed from policy package
cd /usr/share/selinux/strict
# Generate semodule command line with all non-base modules
ls *.pp | sed -e "/base.pp/d" -e "/enableaudit.pp/d" -e "i-i " | tr "\n" " " > out
# Run semodule
semodule -v `cat out`
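The single-transaction install Stephen describes, written out as an added example that is not code from the thread or from the policy package: it builds the -i list one item per line instead of a space-joined string in a scratch file, hands the whole list to semodule in one invocation, and, when libsepol rejects the link, reduces the verify_module_requirements errors to one line per missing type with the modules that need it, which is the list you take to modules.conf. Assumptions: the module directory is passed as an argument (the thread's /usr/share/selinux/strict), the .pp paths contain no whitespace (true for a packaged store), xargs supports the GNU -r flag, and the log lines used in the self-check are constructed from the format quoted above.

```shell
#!/bin/sh
# Added example: install every non-base policy module in ONE semodule
# transaction, and on failure summarise the unmet type requirements.

# Print "-i" and the module path on separate lines for every .pp in the
# directory except base.pp and enableaudit.pp.  Paths are assumed to have
# no whitespace, so the list can be fed to xargs as-is.
list_module_args() {
    dir=$1
    for f in "$dir"/*.pp; do
        [ -e "$f" ] || continue            # unmatched glob: empty list
        case ${f##*/} in
            base.pp|enableaudit.pp) continue ;;
        esac
        printf '%s\n%s\n' -i "$f"
    done
}

# Number of modules that would be handed to semodule.
count_modules() {
    list_module_args "$1" | grep -c '\.pp$'
}

# Reduce libsepol "Module X's global requirements were not met:
# type/attribute T" lines to "T: X Y Z", one line per missing type, so
# the module that must provide T can be found and enabled.
summarize_unmet_requirements() {
    awk '/verify_module_requirements: Module / {
            for (i = 1; i <= NF; i++) if ($i == "Module") mod = $(i + 1)
            mod = substr(mod, 1, length(mod) - 2)   # drop the possessive
            type = $NF
            need[type] = need[type] " " mod
        }
        END { for (t in need) printf "%s:%s\n", t, need[t] }' | sort
}

# Run semodule once over the whole list.  Both output streams are kept
# in a temp file; on failure the summary goes to stderr and the raw log
# is left in place for inspection.  xargs -r (GNU) skips an empty list.
install_all_modules() {
    dir=$1
    log=$(mktemp) || return 1
    if list_module_args "$dir" | xargs -r semodule -v >"$log" 2>&1; then
        rm -f "$log"
    else
        echo "semodule failed; unmet requirements by type (full log: $log):" >&2
        summarize_unmet_requirements <"$log" >&2
        return 1
    fi
}

# Usage: install_all_modules /usr/share/selinux/strict
```

Because the whole set is linked in one sandbox, a module whose requirements are met only by another non-base module no longer fails; what remains in the summary are types that no module in the directory provides at all.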
On Wed, 01 Feb 2006 14:39:37 EST, Stephen Smalley said:
Looks like the .spec file needs to install all of the modules as a single transaction to deal with mutually dependent modules. Or, it could install them layer-by-layer. Unfortunately, current semodule usage requires you to generate the list of all the modules, then prefix them all with -i options, then pass that entire string as the commandline to semodule. Something like:

# Location where modules are installed from policy package
cd /usr/share/selinux/strict
# Generate semodule command line with all non-base modules
ls *.pp | sed -e "/base.pp/d" -e "/enableaudit.pp/d" -e "i-i " | tr "\n" " " > out
# Run semodule
semodule -v `cat out`
I did this after yum updated me to selinux-policy-strict-2.2.9-1 this morning, and things are much less broken now. Now we have:
Attempting to install module 'acct.pp': Ok: return value of 0.
Attempting to install module 'alsa.pp': Ok: return value of 0.
Attempting to install module 'amanda.pp': Ok: return value of 0.
...
Attempting to install module 'xserver.pp': Ok: return value of 0.
Attempting to install module 'zebra.pp': Ok: return value of 0.
Committing changes:
libsepol.check_assertion_helper: assertion on line 0 violated by allow pam_console_t scsi_generic_device_t:chr_file { setattr };
libsepol.check_assertion_helper: assertion on line 0 violated by allow initrc_t scsi_generic_device_t:chr_file { setattr };
libsepol.check_assertion_helper: assertion on line 0 violated by allow restorecon_t scsi_generic_device_t:chr_file { relabelto };
libsepol.check_assertion_helper: assertion on line 0 violated by allow setfiles_t scsi_generic_device_t:chr_file { relabelto };
libsepol.check_assertion_helper: assertion on line 0 violated by allow restorecon_t lvm_vg_t:chr_file { relabelto };
libsepol.check_assertion_helper: assertion on line 0 violated by allow setfiles_t lvm_vg_t:chr_file { relabelto };
libsepol.check_assertion_helper: assertion on line 0 violated by allow pam_console_t fixed_disk_device_t:blk_file { setattr };
libsepol.check_assertion_helper: assertion on line 0 violated by allow hotplug_t fixed_disk_device_t:blk_file { setattr };
libsepol.check_assertion_helper: assertion on line 0 violated by allow restorecon_t fixed_disk_device_t:chr_file { relabelto };
libsepol.check_assertion_helper: assertion on line 0 violated by allow setfiles_t fixed_disk_device_t:chr_file { relabelto };
libsepol.check_assertion_helper: assertion on line 0 violated by allow initrc_t shadow_t:file { getattr };
libsepol.check_assertion_helper: assertion on line 0 violated by allow locate_t shadow_t:file { getattr };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sysadm_t shadow_t:file { getattr };
libsepol.check_assertion_helper: assertion on line 0 violated by allow prelink_t shadow_t:file { getattr };
libsepol.check_assertion_helper: assertion on line 0 violated by allow nscd_t shadow_t:file { getattr };
libsepol.check_assertion_helper: assertion on line 0 violated by allow system_crond_t shadow_t:file { getattr };
libsepol.check_assertion_helper: assertion on line 0 violated by allow restorecon_t shadow_t:file { getattr relabelto };
libsepol.check_assertion_helper: assertion on line 0 violated by allow setfiles_t shadow_t:file { getattr relabelto };
libsepol.check_assertions: 18 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
18 assertions. This looks fixable....
On Thu, 2006-02-02 at 12:18 -0500, Valdis.Kletnieks@vt.edu wrote:
18 assertions. This looks fixable....
Yes, that is actually a bug in the copying of assertions during module linking - no real assertions failed. Should be fixed in libsepol 1.11.11.
On Thu, 02 Feb 2006 12:31:08 EST, Stephen Smalley said:
On Thu, 2006-02-02 at 12:18 -0500, Valdis.Kletnieks@vt.edu wrote:
18 assertions. This looks fixable....
Yes, that is actually a bug in the copying of assertions during module linking - no real assertions failed. Should be fixed in libsepol 1.11.11.
I snagged libsepol-1.11.12 and selinux-policy-strict-2.2.9-2 and now we have:
...
Attempting to install module 'xserver.pp': Ok: return value of 0.
Attempting to install module 'zebra.pp': Ok: return value of 0.
Committing changes:
libsepol.check_assertion_helper: assertion on line 0 violated by allow user_sudo_t user_sudo_t:process { setcurrent };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_sudo_t staff_sudo_t:process { setcurrent };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sysadm_sudo_t sysadm_sudo_t:process { setcurrent };
libsepol.check_assertions: 3 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
Looks like 1 issue left in sudo.pp generating 3 asserts (the upgrade to libsepol 1.11.12 cleared 18 others). Haven't dug in yet whether this is another manifestation of the same/similar bug, or an actual sudo.pp issue. (in either case, "on line 0" is a busticated message...)
On Fri, 03 Feb 2006 13:19:52 EST, Valdis.Kletnieks@vt.edu said:
Committing changes:
libsepol.check_assertion_helper: assertion on line 0 violated by allow user_sudo_t user_sudo_t:process { setcurrent };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_sudo_t staff_sudo_t:process { setcurrent };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sysadm_sudo_t sysadm_sudo_t:process { setcurrent };
libsepol.check_assertions: 3 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
Follow-up - moving sudo.pp out of the way gets me this:
Committing changes:
/etc/selinux/strict/contexts/files/file_contexts: Multiple same specifications for /usr/sbin/sendmail.postfix.
/etc/selinux/strict/contexts/files/file_contexts: Multiple different specifications for /var/spool/postfix(/.*)? (system_u:object_r:postfix_spool_t:s0 and system_u:object_r:mail_spool_t:s0).
genhomedircon: Warning! No support yet for expanding ROLE macros in the /etc/selinux/strict/contexts/files/homedir_template file when using libsemanage.
genhomedircon: You must manually update file_contexts.homedirs for any non-user_r users (including root).
Ok: transaction number 101.
Not perfect, but at least I'm back to running a functional 'strict' and only chasing quirks rather than total failures. ;)
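A pre-commit check for the file_contexts conflicts in the output above, added here as an example and not code from the thread or from libsemanage: it reads a file_contexts-style file (regex, optional file-type flag such as --, -d or -l, then the context) and reports every path spec that appears more than once, separating harmless identical duplicates (the sendmail.postfix case) from specs that carry two different contexts (the /var/spool/postfix case, which has to be resolved in one of the two modules' .fc files rather than left to the loader). The function name is mine; the sample lines in the self-check are constructed to mirror the two warnings and assume whitespace-separated fields as in the installed file.

```shell
#!/bin/sh
# Added example: find duplicate path specifications in a file_contexts
# file before semodule's commit step reports them.
#
# Output, sorted, one line per duplicated spec:
#   same <regex> [<flag>]
#   different <regex> [<flag>] (<first context> and <conflicting context>)

check_file_contexts_dups() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            spec = $1; type = ""; ctx = $NF
            if (NF >= 3 && $2 ~ /^-/) type = $2   # optional file-type flag
            key = (type == "" ? spec : spec " " type)
            n[key]++
            if (!(key in first)) first[key] = ctx
            else if (first[key] != ctx) differ[key] = ctx
        }
        END {
            for (k in n) if (n[k] > 1) {
                if (k in differ)
                    printf "different %s (%s and %s)\n", k, first[k], differ[k]
                else
                    printf "same %s\n", k
            }
        }' | sort
}

# Usage: check_file_contexts_dups < /etc/selinux/strict/contexts/files/file_contexts
```

Specs are compared together with their file-type flag, so a directory spec and a regular-file spec for the same regex are not reported as duplicates, which matches how libsemanage treats them. Only the first conflicting context is shown per spec; a third variant would still be flagged as "different".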
Valdis.Kletnieks@vt.edu wrote:
On Fri, 03 Feb 2006 13:19:52 EST, Valdis.Kletnieks@vt.edu said:
Committing changes:
libsepol.check_assertion_helper: assertion on line 0 violated by allow user_sudo_t user_sudo_t:process { setcurrent };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_sudo_t staff_sudo_t:process { setcurrent };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sysadm_sudo_t sysadm_sudo_t:process { setcurrent };
libsepol.check_assertions: 3 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
Follow-up - moving sudo.pp out of the way gets me this:
Committing changes:
/etc/selinux/strict/contexts/files/file_contexts: Multiple same specifications for /usr/sbin/sendmail.postfix.
/etc/selinux/strict/contexts/files/file_contexts: Multiple different specifications for /var/spool/postfix(/.*)? (system_u:object_r:postfix_spool_t:s0 and system_u:object_r:mail_spool_t:s0).
genhomedircon: Warning! No support yet for expanding ROLE macros in the /etc/selinux/strict/contexts/files/homedir_template file when using libsemanage.
genhomedircon: You must manually update file_contexts.homedirs for any non-user_r users (including root).
Ok: transaction number 101.
Not perfect, but at least I'm back to running a functional 'strict' and only chasing quirks rather than total failures. ;)
Those are fixed in tonight's rawhide. Currently available on ftp://people.redhat.com/dwalsh/SELinux/Fedora
I am not seeing the sudo problems???