tripleo

SELinux checkmodule change breaks tripleo-image-elements custom policies

Bug #1636613 reported by Lon Hohberger
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
Undecided
Lon Hohberger

Bug Description

As of this commit:

https://github.com/SELinuxProject/selinux/commit/c6acfae4bc22586ad1dc259b0aad57fa6c5b43ef

The module name specified in an external policy source file must match the filename of the source file.

OpenStack Infra (hudson-openstack)
Changed in tripleo:
assignee: nobody → Lon Hohberger (lhh)
status: New → In Progress
Revision history for this message
Lon Hohberger (lhh) wrote :

The fix is to change a couple of underscores to dashes. This was first noticed on Red Hat Enterprise Linux 7.3 Beta, as of checkpolicy-2.5-3.el7.

Revision history for this message
Lon Hohberger (lhh) wrote :

The failure looks something like this:

2016-10-23 19:06:17,387 INFO: + for file in '$(ls /opt/stack/selinux-policy/*.te)'
2016-10-23 19:06:17,387 INFO: ++ basename /opt/stack/selinux-policy/tripleo-selinux-mariadb.te
2016-10-23 19:06:17,389 INFO: + filename=tripleo-selinux-mariadb.te
2016-10-23 19:06:17,389 INFO: + filename_no_ext=tripleo-selinux-mariadb
2016-10-23 19:06:17,389 INFO: + cp /opt/stack/selinux-policy/tripleo-selinux-mariadb.te /tmp/tmp.tH0r4UG9HO
2016-10-23 19:06:17,391 INFO: + make -f /usr/share/selinux/devel/Makefile tripleo-selinux-mariadb.pp
2016-10-23 19:06:18,505 INFO: Compiling targeted tripleo-selinux-mariadb module
2016-10-23 19:06:18,967 INFO: /usr/bin/checkmodule: Module name tripleo_selinux_mariadb is different than the output base filename tripleo-selinux-mariadb
2016-10-23 19:06:18,968 INFO: /usr/bin/checkmodule: loading policy configuration from tmp/tripleo-selinux-mariadb.tmp
2016-10-23 19:06:18,968 INFO: make: *** [tmp/tripleo-selinux-mariadb.mod] Error 1
2016-10-23 19:06:18,970 INFO: [2016-10-23 19:06:18,969] (os-refresh-config) [ERROR] during configure phase. [Command '['dib-run-parts', '/usr/libexec/os-refresh-config/configure.d']' returned non-zero exit status 2]
2016-10-23 19:06:18,971 INFO:
2016-10-23 19:06:18,971 INFO: [2016-10-23 19:06:18,970] (os-refresh-config) [ERROR] Aborting...

Revision history for this message
Lon Hohberger (lhh) wrote :

https://review.openstack.org/#/c/390632/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-image-elements (master)

Reviewed: https://review.openstack.org/390632
Committed: https://git.openstack.org/cgit/openstack/tripleo-image-elements/commit/?id=3648c68a22b09bf0fc0604dba4f227ac3f3fbd75
Submitter: Jenkins
Branch: master

commit 3648c68a22b09bf0fc0604dba4f227ac3f3fbd75
Author: Lon Hohberger <email address hidden>
Date: Tue Oct 25 14:31:32 2016 -0400

    Make 'module' directives match filenames

    As of the following upstream commit to checkpolicy, compiling
    policy modules with filenames which differ from the module
    directive will fail:

    https://github.com/SELinuxProject/selinux/commit/c6acfae4bc22586ad1dc259b0aad57fa6c5b43ef

    This patch makes the policy filenames match the module directive
    in the policy file, resolving the issue.

    Change-Id: I5730bc51658bb886eacedd8af2c6251e1f8387f5
    Closes-bug: 1636613
    Signed-off-by: Lon Hohberger <email address hidden>

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-image-elements (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/391218

James Slagle (james-slagle)
tags: added: newton-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-image-elements (stable/newton)

Reviewed: https://review.openstack.org/391218
Committed: https://git.openstack.org/cgit/openstack/tripleo-image-elements/commit/?id=acde285c69d4a265689621b47b8b3cb083057389
Submitter: Jenkins
Branch: stable/newton

commit acde285c69d4a265689621b47b8b3cb083057389
Author: Lon Hohberger <email address hidden>
Date: Tue Oct 25 14:31:32 2016 -0400

    Make 'module' directives match filenames

    As of the following upstream commit to checkpolicy, compiling
    policy modules with filenames which differ from the module
    directive will fail:

    https://github.com/SELinuxProject/selinux/commit/c6acfae4bc22586ad1dc259b0aad57fa6c5b43ef

    This patch makes the policy filenames match the module directive
    in the policy file, resolving the issue.

    Change-Id: I5730bc51658bb886eacedd8af2c6251e1f8387f5
    Closes-bug: 1636613
    Signed-off-by: Lon Hohberger <email address hidden>
    (cherry picked from commit 3648c68a22b09bf0fc0604dba4f227ac3f3fbd75)

tags: added: in-stable-newton
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-image-elements 5.1.0

This issue was fixed in the openstack/tripleo-image-elements 5.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-image-elements 6.0.0.0b1

This issue was fixed in the openstack/tripleo-image-elements 6.0.0.0b1 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-image-elements 5.1.0

This issue was fixed in the openstack/tripleo-image-elements 5.1.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.