PaulHowarth/Blog/2010-03-04

Thursday 4th March 2010

Fedora Project

  • Updated imlib in rawhide not to have a dependency on the /usr/share/aclocal directory, which is now included as part of the filesystem package (resolves Bug #533962)

  • Updated perl-Math-Pari to 2.01080604

Local Packages

  • Updated imlib to drop the %{_datadir}/aclocal dependency from the devel subpackage from Fedora 14, where this directory is part of the filesystem package (Bug #533962), drop the manual pkgconfig dependency from the devel package from Fedora 11, where this dependency is auto-detected, drop some of the %description text no longer appropriate for this legacy package, and don't self-obsolete Imlib and imlib-cfgeditor

  • Updated perl-Test-Prereq to buildreq perl(LWP::UserAgent) as the preferred download method for CPAN and update CPAN.conf to work with the current perl(CPAN) in Rawhide, which won't guess CPAN mirror URLs for itself

  • Updated the entire Twisted stack to version 10.0.0

  • Rebuilt perl-Test-SubCalls, perl-Test-Tester and perl-Text-Glob for perl 5.10.1 in devel branches

SELinux Policy Update

Today's update of selinux-policy to 3.6.32-92.fc12 proved to be a little more troublesome than usual. My "yum update" session went like this:

# yum update
updates-local                                                                      | 2.7 kB     00:00     
city-fan.org                                                                       | 2.7 kB     00:00 ... 
updates/metalink                                                                   |  21 kB     00:00     
updates                                                                            | 4.4 kB     00:00     
updates/primary_db                                                                 | 4.7 MB     00:10     
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package perl-Socket6.x86_64 0:0.23-4.fc12 set to be updated
---> Package selinux-policy.noarch 0:3.6.32-92.fc12 set to be updated
---> Package selinux-policy-targeted.noarch 0:3.6.32-92.fc12 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

===========================================================================================================
 Package                           Arch             Version                  Repository               Size
===========================================================================================================
Updating:
 perl-Socket6                      x86_64           0.23-4.fc12              city-fan.org             24 k
 selinux-policy                    noarch           3.6.32-92.fc12           updates-local           657 k
 selinux-policy-targeted           noarch           3.6.32-92.fc12           updates-local           2.0 M

Transaction Summary
===========================================================================================================
Install       0 Package(s)
Upgrade       3 Package(s)

Total download size: 2.7 M
Is this ok [y/N]: y
Downloading Packages:
(2/3): selinux-policy-3.6.32-92.fc12.noarch.rpm                                     | 657 kB     00:00     
(3/3): selinux-policy-targeted-3.6.32-92.fc12.noarch.rpm                            | 2.0 MB     00:00     
-----------------------------------------------------------------------------------------------------------
Total                                                                       13 MB/s | 2.7 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : selinux-policy-3.6.32-92.fc12.noarch                                               1/6 
  Updating       : perl-Socket6-0.23-4.fc12.x86_64                                                    2/6 
  Updating       : selinux-policy-targeted-3.6.32-92.fc12.noarch                                      3/6 
libsepol.print_missing_requirements: mcivta-site-update's global requirements were not met: type/attribute etcfile (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
  Cleanup        : selinux-policy-3.6.32-89.fc12.noarch                                               4/6 
  Cleanup        : perl-Socket6-0.23-3.fc12.x86_64                                                    5/6 
  Cleanup        : selinux-policy-targeted-3.6.32-89.fc12.noarch                                      6/6 

Updated:
  perl-Socket6.x86_64 0:0.23-4.fc12                     selinux-policy.noarch 0:3.6.32-92.fc12
  selinux-policy-targeted.noarch 0:3.6.32-92.fc12        

Complete!
#

The "Link packages failed" error meant that the new Fedora policy could not be linked against one or more of the existing policy modules on my system that the update wasn't replacing: in this case one of my local policy modules, mcivta-site-update. This is a module I wrote to support an application I have that does some unusual things like mounting a davfs filesystem, running an svn update, doing an rsync over the network and sending an email about the results, all triggered by an inbound email in conjunction with procmail. The existing build of that module carried a requirement on an attribute etcfile that was no longer present in the Fedora policy. Because the link step failed, semodule abandoned the whole policy transaction, so I was still running the old SELinux policy even though yum had reported the update as "Complete!" and the rpm database now said 3.6.32-92 was installed.

My immediate concern was to get the updated Fedora policy in place and then get my local policy module working again. So the first step was to remove the problematic module:

# semodule -r mcivta-site-update
libsepol.print_missing_requirements: localmisc's global requirements were not met: type/attribute mcivta_site_update_exec_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
#

Unfortunately, removing that module would have broken another one of my local policy modules, localmisc in this case, which had a requirement for one of the types defined in the mcivta-site-update module. So again the running SELinux policy was unchanged. In this case I didn't want to simply remove the localmisc policy module because that might have broken some running processes that needed rules defined in that module. So instead I edited localmisc.te to remove the reference to mcivta_site_update_exec_t, which was actually derived from a call to an interface mcivta_site_update_domtrans:

mcivta_site_update_domtrans(procmail_t)

This was defined in mcivta_site_update.if:

########################################
## <summary>
##      Execute a domain transition to run mcivta-site-update.
## </summary>
## <param name="domain">
## <summary>
##      Domain allowed to transition.
## </summary>
## </param>
#
interface(`mcivta_site_update_domtrans',`
        gen_require(`
                type mcivta_site_update_t, mcivta_site_update_exec_t;
        ')

        domain_auto_trans($1, mcivta_site_update_exec_t, mcivta_site_update_t)

        allow mcivta_site_update_t $1:fd use;
        allow mcivta_site_update_t $1:fifo_file rw_file_perms;
        allow mcivta_site_update_t $1:process sigchld;
')

So I rebuilt localmisc.pp, updated the running policy and was then able to remove the mcivta_site_update policy module:

# vi localmisc.te 
# make
Compiling targeted localmisc module
/usr/bin/checkmodule:  loading policy configuration from tmp/localmisc.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/localmisc.mod
Creating targeted localmisc.pp policy package
Compiling targeted mcivta-site-update-extras module
/usr/bin/checkmodule:  loading policy configuration from tmp/mcivta-site-update-extras.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/mcivta-site-update-extras.mod
Creating targeted mcivta-site-update-extras.pp policy package
Compiling targeted mcivta-site-update module
/usr/bin/checkmodule:  loading policy configuration from tmp/mcivta-site-update.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/mcivta-site-update.mod
Creating targeted mcivta-site-update.pp policy package
Compiling targeted svnmailer-extras module
/usr/bin/checkmodule:  loading policy configuration from tmp/svnmailer-extras.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/svnmailer-extras.mod
Creating targeted svnmailer-extras.pp policy package
Compiling targeted svnmailer module
/usr/bin/checkmodule:  loading policy configuration from tmp/svnmailer.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/svnmailer.mod
Creating targeted svnmailer.pp policy package
rm tmp/mcivta-site-update-extras.mod tmp/mcivta-site-update-extras.mod.fc tmp/mcivta-site-update.mod.fc tmp/svnmailer.mod.fc tmp/mcivta-site-update.mod tmp/svnmailer-extras.mod.fc tmp/svnmailer-extras.mod tmp/svnmailer.mod
# semodule -u localmisc.pp
# semodule -r mcivta-site-update.pp
#

I was now ready to try updating the Fedora policy again. I could have done that by re-running the post-install script from the selinux-policy-targeted package, but that needs some careful copy-and-pasting as there's a lot in there; a simpler method is just to reinstall the packages themselves, which runs the same scriptlet:

# yum reinstall selinux-policy selinux-policy-targeted
Setting up Reinstall Process
updates-local                                                                      | 2.7 kB     00:00     
city-fan.org                                                                       | 2.7 kB     00:00 ... 
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.6.32-92.fc12 set to be updated
---> Package selinux-policy-targeted.noarch 0:3.6.32-92.fc12 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================
 Package                           Arch             Version                  Repository               Size
==========================================================================================================
Reinstalling:
 selinux-policy                    noarch           3.6.32-92.fc12           updates-local           657 k
 selinux-policy-targeted           noarch           3.6.32-92.fc12           updates-local           2.0 M

Transaction Summary
==========================================================================================================
Remove        0 Package(s)
Reinstall     2 Package(s)
Downgrade     0 Package(s)

Total download size: 2.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): selinux-policy-3.6.32-92.fc12.noarch.rpm                                     | 657 kB     00:00     
(2/2): selinux-policy-targeted-3.6.32-92.fc12.noarch.rpm                            | 2.0 MB     00:00     
-------------------------------------------------------------------------------------------------
Total                                                                       17 MB/s | 2.6 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : selinux-policy-3.6.32-92.fc12.noarch                                                1/2 
  Installing     : selinux-policy-targeted-3.6.32-92.fc12.noarch                                       2/2 
libsepol.print_missing_requirements: svnmailer's global requirements were not met: type/attribute etcfile (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

Installed:
  selinux-policy.noarch 0:3.6.32-92.fc12          selinux-policy-targeted.noarch 0:3.6.32-92.fc12                             

Complete!
#

So, same problem again, only this time with the local svnmailer policy module. I could live without that one for a few minutes so I tried removing it:

# semodule -r svnmailer.pp
libsepol.print_missing_requirements: svnmailer-extras's global requirements were not met: type/attribute httpd_svnmailer_script_exec_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
#

There was a reference to httpd_svnmailer_script_exec_t (defined in the svnmailer policy module) in the svnmailer-extras policy module, so I had to remove that too:

# semodule -r svnmailer.pp svnmailer-extras.pp
#

I was now ready to try the Fedora policy again:

# yum reinstall selinux-policy selinux-policy-targeted
Setting up Reinstall Process
updates-local                                                                      | 2.7 kB     00:00     
city-fan.org                                                                       | 2.7 kB     00:00 ... 
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.6.32-92.fc12 set to be updated
---> Package selinux-policy-targeted.noarch 0:3.6.32-92.fc12 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

===========================================================================================================
 Package                           Arch             Version                  Repository                Size
===========================================================================================================
Reinstalling:
 selinux-policy                    noarch           3.6.32-92.fc12           updates-local           657 k
 selinux-policy-targeted           noarch           3.6.32-92.fc12           updates-local           2.0 M

Transaction Summary
===========================================================================================================
Remove        0 Package(s)
Reinstall     2 Package(s)
Downgrade     0 Package(s)

Total download size: 2.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): selinux-policy-3.6.32-92.fc12.noarch.rpm                                     | 657 kB     00:00     
(2/2): selinux-policy-targeted-3.6.32-92.fc12.noarch.rpm                            | 2.0 MB     00:00     
-----------------------------------------------------------------------------------------------------------
Total                                                                       19 MB/s | 2.6 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : selinux-policy-3.6.32-92.fc12.noarch                                                1/2 
  Installing     : selinux-policy-targeted-3.6.32-92.fc12.noarch                                       2/2 

Installed:
  selinux-policy.noarch 0:3.6.32-92.fc12          selinux-policy-targeted.noarch 0:3.6.32-92.fc12                             

Complete!
#

Success at last! With the new Fedora policy in place, I could now attempt to rebuild my local policy modules and add them back into the running policy:

# rm *.pp
# make
Compiling targeted localmisc module
/usr/bin/checkmodule:  loading policy configuration from tmp/localmisc.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/localmisc.mod
Creating targeted localmisc.pp policy package
Compiling targeted mcivta-site-update-extras module
/usr/bin/checkmodule:  loading policy configuration from tmp/mcivta-site-update-extras.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/mcivta-site-update-extras.mod
Creating targeted mcivta-site-update-extras.pp policy package
Compiling targeted mcivta-site-update module
/usr/bin/checkmodule:  loading policy configuration from tmp/mcivta-site-update.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/mcivta-site-update.mod
Creating targeted mcivta-site-update.pp policy package
Compiling targeted svnmailer-extras module
/usr/bin/checkmodule:  loading policy configuration from tmp/svnmailer-extras.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/svnmailer-extras.mod
Creating targeted svnmailer-extras.pp policy package
Compiling targeted svnmailer module
/usr/bin/checkmodule:  loading policy configuration from tmp/svnmailer.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/svnmailer.mod
Creating targeted svnmailer.pp policy package
rm tmp/mcivta-site-update-extras.mod tmp/mcivta-site-update-extras.mod.fc tmp/mcivta-site-update.mod.fc tmp/svnmailer.mod.fc tmp/mcivta-site-update.mod tmp/svnmailer-extras.mod.fc tmp/svnmailer-extras.mod tmp/svnmailer.mod
# semodule -i mcivta-site-update.pp svnmailer-extras.pp svnmailer.pp
#

Since that worked without changing any policy module source, the etcfile requirement can't have come from my .te files directly: it was pulled in at build time by the interface macros they call, whose expansion in the new Fedora policy no longer mentions etcfile. In other words the policy update had changed the ABI (the etcfile attribute was gone) without changing the API, so rebuilding against the new interface definitions was all that was needed. One last step was to add the mcivta_site_update_domtrans(procmail_t) line back into the localmisc policy and update the running policy:

# vi localmisc.te
# make
Compiling targeted localmisc module
/usr/bin/checkmodule:  loading policy configuration from tmp/localmisc.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/localmisc.mod
Creating targeted localmisc.pp policy package
# semodule -u localmisc.pp
#

And that was it, though not the two-minute job I'd expected it to be when I kicked off the yum update!
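The two failure modes above (a module that can't be removed because another local module requires a type it defines, and a module whose baked-in requirement on etcfile the updated base policy no longer satisfies) were only revealed one link failure at a time. As an added example, not code from this post, the following Python script parses a set of .te/.if sources and answers both questions in one pass: which local modules must be removed together in a single semodule -r, and which requirements stop being met once the base policy changes underneath them. The module sources are constructed using the module names from the post with invented rules, and the files_read_etc_files header is a made-up stand-in whose gen_require changes from `attribute etcfile` to `type etc_t` purely to illustrate the mechanism; it does not claim to reproduce the real reference-policy change. The parser assumes m4 quotes are balanced, i.e. no stray apostrophes in comments, and needs Python 3.8 or later.

```python
"""Added example (not from the post): dependency analysis over local SELinux
module sources, answering in one pass what semodule reports one failure at a time."""
import re

RE_GEN_REQUIRE = re.compile(r"gen_require\(`(.*?)'\)", re.S)
RE_REQ_ITEM = re.compile(r"\b(?:type|attribute)\s+([^;]+);")
RE_DECL = re.compile(r"^\s*(?:type|attribute)\s+(\w+)", re.M)  # declarations start a line
RE_INTERFACE = re.compile(r"interface\(`(\w+)',")
RE_CALL = re.compile(r"\b(\w+)\(")
RE_MODULE = re.compile(r"policy_module\(\s*([\w-]+)")

def m4_body(text, start):
    """(body, end) of the first m4 `...' span at or after start; nested quotes honoured."""
    i, depth = text.index("`", start), 0
    for j in range(i, len(text)):
        depth += {"`": 1, "'": -1}.get(text[j], 0)
        if depth == 0:
            return text[i + 1:j], j + 1
    raise ValueError("unbalanced m4 quotes")

def required_items(text):
    """Types/attributes named in gen_require(`...') blocks."""
    req = set()
    for block in RE_GEN_REQUIRE.findall(text):
        for m in RE_REQ_ITEM.finditer(block):
            req.update(t.strip() for t in m.group(1).split(","))
    return req

def parse_interfaces(if_text):
    """interface name -> items its gen_require imposes on every caller."""
    out, pos = {}, 0
    while m := RE_INTERFACE.search(if_text, pos):
        body, pos = m4_body(if_text, m.end())
        out[m.group(1)] = required_items(body)
    return out

def declared_items(te_text):
    """Types/attributes a module defines (its own gen_require blocks excluded)."""
    return set(RE_DECL.findall(RE_GEN_REQUIRE.sub("", te_text)))

class LocalPolicy:
    def __init__(self, sources, system_if):
        self.interfaces = parse_interfaces(system_if)
        for name, text in sources.items():
            if name.endswith(".if"):
                self.interfaces.update(parse_interfaces(text))
        self.defines, self.requires = {}, {}
        for name, text in sources.items():
            if name.endswith(".te"):
                mod = RE_MODULE.search(text).group(1)
                self.defines[mod] = declared_items(text)
                req = required_items(text)
                for call in RE_CALL.findall(text):          # calling an interface inherits
                    req |= self.interfaces.get(call, set())  # its gen_require at build time
                self.requires[mod] = req - self.defines[mod]
        self.owner = {t: m for m, ts in self.defines.items() for t in ts}

    def removal_set(self, target):
        """target plus every module transitively requiring something it defines:
        the full list one `semodule -r` must be given for the link step to succeed."""
        out, todo = set(), [target]
        while todo:
            mod = todo.pop()
            if mod not in out:
                out.add(mod)
                todo += [d for d, req in self.requires.items()
                         if any(self.owner.get(t) == mod for t in req)]
        return out

    def unresolved(self, base_items):
        """module -> requirements met by neither a local module nor the base policy."""
        out = {}
        for mod, req in self.requires.items():
            missing = {t for t in req if t not in self.owner and t not in base_items}
            if missing:
                out[mod] = missing
        return out

# Constructed stand-in for one base-policy interface header before and after an
# update that drops the etcfile attribute: same API, different expansion.
OLD_SYSTEM_IF = "interface(`files_read_etc_files',` gen_require(` attribute etcfile; ') allow $1 etcfile:file read_file_perms; ')"
NEW_SYSTEM_IF = "interface(`files_read_etc_files',` gen_require(` type etc_t; ') allow $1 etc_t:file read_file_perms; ')"
NEW_BASE_ITEMS = {"procmail_t", "etc_t"}  # what the updated base policy still defines

SOURCES = {  # constructed local modules: names from the post, rules invented
    "mcivta-site-update.te": "policy_module(mcivta-site-update, 1.0)\ntype mcivta_site_update_t;\n"
        "type mcivta_site_update_exec_t;\nfiles_read_etc_files(mcivta_site_update_t)\n",
    "mcivta-site-update.if": "interface(`mcivta_site_update_domtrans',`\ngen_require(` type "
        "mcivta_site_update_t, mcivta_site_update_exec_t; ')\ndomain_auto_trans($1, "
        "mcivta_site_update_exec_t, mcivta_site_update_t)\n')\n",
    "localmisc.te": "policy_module(localmisc, 1.0)\ngen_require(` type procmail_t; ')\n"
        "mcivta_site_update_domtrans(procmail_t)\n",
    "svnmailer.te": "policy_module(svnmailer, 1.0)\ntype httpd_svnmailer_script_t;\n"
        "type httpd_svnmailer_script_exec_t;\nfiles_read_etc_files(httpd_svnmailer_script_t)\n",
    "svnmailer-extras.te": "policy_module(svnmailer-extras, 1.0)\ngen_require(` type "
        "httpd_svnmailer_script_t, httpd_svnmailer_script_exec_t; ')\nallow "
        "httpd_svnmailer_script_t httpd_svnmailer_script_exec_t:file execute_no_trans;\n",
}

if __name__ == "__main__":
    stale = LocalPolicy(SOURCES, OLD_SYSTEM_IF)  # .pp files built against the old headers
    print("unmet after base update:", stale.unresolved(NEW_BASE_ITEMS))
    print("remove in one transaction:", sorted(stale.removal_set("mcivta-site-update")))
    print("after rebuild:", LocalPolicy(SOURCES, NEW_SYSTEM_IF).unresolved(NEW_BASE_ITEMS))
```

Run against the old header, unresolved() names mcivta-site-update and svnmailer as the modules still requiring etcfile, exactly the two semodule complained about; against the new header it returns nothing, which is why a plain rebuild fixed them. removal_set("mcivta-site-update") returns localmisc as well, and removal_set("svnmailer") returns svnmailer-extras, so both removals could have been done in one transaction up front instead of discovering each dependent from a failed link.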
