Rahul Sandhu <[email protected]> writes:

> In selinux-policy-2_pkg_postinst(), the installation of the unconfined
> policy module is already gated for the strict module store. This means
> there is no valid situation where the unconfined module is installed
> into the strict module store by portage.
>
> Hence — if a full reload is attempted — don't bother trying to filter
> out the unconfined module in any case: it shouldn't be there at all.
>
> Nevertheless, the existing logic to filter out the unconfined module is
> broken. The unconfined module is filtered for all policy types apart
> from the targeted store. This however is inaccurate; both the mcs and
> mls stores support usage of the unconfined module, and it's actually
> enabled by default[1]!
>
> This has exacerbated the issues of the module ordering surrounding the
> unconfined policy module such that a full reload of the policy store
> where the unconfined module is used can reliably be expected to fail.
> Various mappings for USE="unconfined" for the base policy module depend
> on having the unconfined policy module available (such as the default
> login mappings[2]).
>
> This patch may not entirely fix the issues surrounding the unconfined
> module loading, however. It only comes into effect if the initial policy
> load fails. This may be related to bug 891963?
>
> While we're at it, also update our ewarn message — which is displayed
> when we fail to reload all policy modules — to both use a full path to
> the policy modules, such that the user is not required to cd into the
> policy store first, and also follow the above recommendation and not
> filter out the unconfined module.
>
> [1]
> https://github.com/gentoo/gentoo/blob/71c44ac5699be0b924fc42cb473a2e2872d1f59c/sec-policy/selinux-base/selinux-base-2.20250618-r1.ebuild#L23
> [2]
> https://github.com/gentoo/gentoo/blob/71c44ac5699be0b924fc42cb473a2e2872d1f59c/sec-policy/selinux-base/selinux-base-2.20250618-r1.ebuild#L102-L106
Thanks, I'll apply this in the hopes it fixes some issues users keep reporting. > > Bug: https://bugs.gentoo.org/891963 > Signed-off-by: Rahul Sandhu <[email protected]> > --- > eclass/selinux-policy-2.eclass | 14 ++++---------- > 1 file changed, 4 insertions(+), 10 deletions(-) > > v2: whoops, forgot to tack on the bug tag for bug 891963 > > diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass > index 739acc695..d79c97d09 100644 > --- a/eclass/selinux-policy-2.eclass > +++ b/eclass/selinux-policy-2.eclass > @@ -359,11 +359,8 @@ selinux-policy-2_pkg_postinst() { > if [[ $? -ne 0 ]]; then > ewarn "SELinux module load failed. Trying full > reload..."; > > - if [[ "${1}" == "targeted" ]]; then > - semodule ${root_opts} -s ${1} -i *.pp > - else > - semodule ${root_opts} -s ${1} -i $(ls *.pp | > grep -v unconfined.pp); > - fi > + semodule ${root_opts} -s ${1} -i *.pp > + > if [[ $? -ne 0 ]]; then > ewarn "Failed to reload SELinux policies." > ewarn "" > @@ -376,11 +373,8 @@ selinux-policy-2_pkg_postinst() { > ewarn "action since the new SELinux policies > are not loaded until the" > ewarn "command finished successfully." > ewarn "" > - ewarn "To reload, run the following command > from within /usr/share/selinux/${1}:" > - ewarn " semodule -i *.pp" > - ewarn "or" > - ewarn " semodule -i \$(ls *.pp | grep -v > unconfined.pp)" > - ewarn "depending on if you need the unconfined > domain loaded as well or not." > + ewarn "To reload, run the following command:" > + ewarn " semodule -i > /usr/share/selinux/${1}/*.pp" > else > einfo "SELinux modules reloaded successfully." > fi
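Review bot: in the first hunk (@@ -359,11 +359,8 @@) the fallback `semodule ${root_opts} -s ${1} -i *.pp` still relies on the shell's current directory being the policy store, since `*.pp` is a bare glob, while the ewarn text in the second hunk spells out `/usr/share/selinux/${1}/*.pp`; consider using the same absolute path in the script so the reload does not silently depend on an earlier `cd`, and keep in mind that a glob with no match is passed to semodule literally as `*.pp`, so a check that at least one module file exists before the call would turn an obscure semodule error into a clear one. The extra blank `+` line before `if [[ $? -ne 0 ]]` is harmless in bash because `$?` is only reset by the next command, but testing the exit status directly (`if ! semodule ...; then`) would make that dependency explicit.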
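Review bot: in the second hunk (@@ -376,11 +373,8 @@) the suggested manual command `semodule -i /usr/share/selinux/${1}/*.pp` drops the `-s ${1}` store selection that the script itself passes in the hunk above; without `-s`, semodule acts on the default store named by SELINUXTYPE in /etc/selinux/config, so on a host with more than one policy type configured the user can end up reloading modules into a different store than the one whose load just failed. Suggest `semodule -s ${1} -i /usr/share/selinux/${1}/*.pp` so the advice matches what the eclass tried to do.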