On 05/24/2018 03:30 PM, Tom Lane wrote:
> I tried to run the regression test for sepgsql on F28 (so I could
> fix the now-obsolete expected-file therein). It fails at this
> preparatory step:
>
> $ sudo semodule -u sepgsql-regtest.pp
> The --upgrade option is deprecated. Use --install instead.
> neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4703
> (neverallow base_typeattr_6 base_typeattr_7 (process (fork transition sigchld sigkill sigstop signull signal ptrace
> getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit
> rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
> <root>
> allow at /var/lib/selinux/targeted/tmp/modules/100/postgresql/cil:769
> (allow sepgsql_client_type sepgsql_ranged_proc_t (process (transition)))
> <root>
> ... lots more ...
> optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1617
> optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1676
> allow at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1679
> (allow sepgsql_regtest_superuser_t sepgsql_client_type (process (dyntransition)))
>
> Failed to generate binary
> semodule: Failed>
> For the moment I'll try an older Fedora release, but it seems
> we have some work to do here.
For a bit of background on the issue, `neverallow` is intended to prevent
policy that would violate certain information flow security models.
This error appears to be due to an update to the userspace install tools,
which do the proper `neverallow` check that was previously not happening. It
appears that at least part of this fix needs to take place in the upstream
policy repo, but in the meantime I've attached a patch that should stop the
build errors.
This has not yet been tested on F27 and earlier. Since the error you were
seeing is a policy-install error and the policy updates are using interfaces
that were available pre-F28, it should not affect the outcome of the build. I
have also not yet run the regression tests with the change, but likewise, this
patch should not affect that.
I will go ahead and test the fix on other platforms and make sure the regtest
is passing, but this should solve the problem for now. Let me know if anything
else catches fire.
Thanks,
--
Mike Palmiotto
Software Engineer
Crunchy Data Solutions
https://crunchydata.com
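To make the `neverallow` failure above concrete, here is an added example (not code from this thread, from sepgsql, or from the SELinux userspace) that models the check the newer semodule/secilc performs: it expands attributes to concrete types and reports every `allow` rule that shares a (source, target, class, permission) tuple with a `neverallow`. The attribute memberships of `base_typeattr_6`/`base_typeattr_7` and `sepgsql_client_type`, and the two non-colliding rules, are constructed assumptions; the real contents come from the installed policy.

```python
# Added example: a minimal model of the neverallow check, using the rule shapes
# from the semodule error output above. Attribute memberships are CONSTRUCTED
# for illustration; the real base_typeattr_6/7 contents live in the installed policy.

# Constructed attribute -> member map (an assumption, not the real policy).
ATTRIBUTES = {
    "base_typeattr_6": {"sepgsql_client_type", "user_t"},
    "base_typeattr_7": {"sepgsql_ranged_proc_t", "sepgsql_client_type"},
    "sepgsql_client_type": {"sepgsql_regtest_superuser_t", "unconfined_t"},
}

def expand(name):
    """Resolve a type or attribute name to the concrete types it denotes."""
    if name not in ATTRIBUTES:
        return {name}
    types = set()
    for member in ATTRIBUTES[name]:
        types |= expand(member)
    return types

def rule(src, tgt, cls, perms):
    return {"src": src, "tgt": tgt, "class": cls, "perms": set(perms)}

def neverallow_violations(neverallow, allows):
    """Return (allow rule, offending perms) pairs: an allow violates a neverallow
    when some concrete (source, target, class, permission) tuple is covered by both."""
    na_src, na_tgt = expand(neverallow["src"]), expand(neverallow["tgt"])
    hits = []
    for a in allows:
        if a["class"] != neverallow["class"]:
            continue
        shared = a["perms"] & neverallow["perms"]
        if shared and expand(a["src"]) & na_src and expand(a["tgt"]) & na_tgt:
            hits.append((a, sorted(shared)))
    return hits

# The neverallow from the error (permission list abbreviated), its two reported allows, plus two constructed non-colliding rules.
NEVERALLOW = rule("base_typeattr_6", "base_typeattr_7", "process",
                  ["fork", "transition", "dyntransition", "ptrace", "setcurrent"])
ALLOWS = [
    rule("sepgsql_client_type", "sepgsql_ranged_proc_t", "process", ["transition"]),
    rule("sepgsql_regtest_superuser_t", "sepgsql_client_type", "process", ["dyntransition"]),
    rule("sepgsql_regtest_superuser_t", "sepgsql_ranged_proc_t", "file", ["read"]),  # other class: ok
    rule("user_t", "postgresql_t", "process", ["transition"]),  # target outside base_typeattr_7: ok
]

def offending_sources():
    """Source types of the allow rules that the neverallow rejects."""
    return [a["src"] for a, _ in neverallow_violations(NEVERALLOW, ALLOWS)]
```

The same expansion logic is why a module that only uses pre-F28 interfaces can still fail at install time: the collision only becomes visible once every attribute is resolved against the whole installed policy.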