#acl PaulHowarth:read,write,admin,revert,delete All:read
=== Thursday 4th March 2010 ===

==== Fedora Project ====
 * Updated `imlib` in rawhide not to have a dependency on the `/usr/share/aclocal` directory, which is now included as part of the `filesystem` package (resolves [[RedHatBugzilla:533962|Bug #533962]])
 * Updated `perl-Math-Pari` to 2.01080604

==== Local Packages ====
 * Updated `imlib` to drop the `%{_datadir}/aclocal` dependency from the `devel` subpackage from Fedora 14, where this directory is part of the `filesystem` package ([[RedHatBugzilla:533962|Bug #533962]]), drop the manual `pkgconfig` dependency from the `devel` package from Fedora 11, where this dependency is auto-detected, drop some of the `%description` text no longer appropriate for this legacy package, and don't self-obsolete `Imlib` and `imlib-cfgeditor`
 * Updated `perl-Test-Prereq` to buildreq `perl(LWP::UserAgent)` as the preferred download method for `CPAN` and update `CPAN.conf` to work with the current `perl(CPAN)` in Rawhide, which won't guess CPAN mirror URLs for itself
 * Updated the entire [[http://twistedmatrix.com/trac/|Twisted]] stack to version 10.0.0
 * Rebuilt `perl-Test-SubCalls`, `perl-Test-Tester` and `perl-Text-Glob` for `perl` 5.10.1 in devel branches

==== SELinux Policy Update ====
Today's update of `selinux-policy` to 3.6.32-92.fc12 proved to be a little more troublesome than usual. My "`yum update`" session went like this:
{{{
# yum update
updates-local                                            | 2.7 kB     00:00
city-fan.org                                             | 2.7 kB     00:00
...
updates/metalink                                         |  21 kB     00:00
updates                                                  | 4.4 kB     00:00
updates/primary_db                                       | 4.7 MB     00:10
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package perl-Socket6.x86_64 0:0.23-4.fc12 set to be updated
---> Package selinux-policy.noarch 0:3.6.32-92.fc12 set to be updated
---> Package selinux-policy-targeted.noarch 0:3.6.32-92.fc12 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

===========================================================================================================
 Package                      Arch         Version                  Repository            Size
===========================================================================================================
Updating:
 perl-Socket6                 x86_64       0.23-4.fc12              city-fan.org           24 k
 selinux-policy               noarch       3.6.32-92.fc12           updates-local         657 k
 selinux-policy-targeted      noarch       3.6.32-92.fc12           updates-local         2.0 M

Transaction Summary
===========================================================================================================
Install       0 Package(s)
Upgrade       3 Package(s)

Total download size: 2.7 M
Is this ok [y/N]: y
Downloading Packages:
(2/3): selinux-policy-3.6.32-92.fc12.noarch.rpm                                     | 657 kB     00:00
(3/3): selinux-policy-targeted-3.6.32-92.fc12.noarch.rpm                            | 2.0 MB     00:00
-----------------------------------------------------------------------------------------------------------
Total                                                                        13 MB/s | 2.7 MB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : selinux-policy-3.6.32-92.fc12.noarch                                        1/6
  Updating       : perl-Socket6-0.23-4.fc12.x86_64                                             2/6
  Updating       : selinux-policy-targeted-3.6.32-92.fc12.noarch                               3/6
libsepol.print_missing_requirements: mcivta-site-update's global requirements were not met: type/attribute etcfile (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
  Cleanup        : selinux-policy-3.6.32-89.fc12.noarch                                        4/6
  Cleanup        : perl-Socket6-0.23-3.fc12.x86_64                                             5/6
  Cleanup        : selinux-policy-targeted-3.6.32-89.fc12.noarch                               6/6

Updated:
  perl-Socket6.x86_64 0:0.23-4.fc12            selinux-policy.noarch 0:3.6.32-92.fc12
  selinux-policy-targeted.noarch 0:3.6.32-92.fc12

Complete!
#
}}}
The "`Link packages failed`" error meant that the new Fedora policy didn't link successfully with one or more of the existing policy modules on my system that weren't being replaced in the new version of the Fedora policy, i.e. in this case one of my local policy modules, `mcivta-site-update`. This is a module I wrote to support an application I have that does some unusual things like mounting a `davfs` filesystem, running an `svn update`, doing an `rsync` over the network and sending an email about results, all triggered using an inbound email in conjunction with `procmail`. The existing policy module I had included a reference to an attribute `etcfile` that was no longer included in the Fedora policy. The result of this failure: ''I was still running the old SELinux policy.''

My immediate concern was to get the updated Fedora policy in place and then get my local policy module working again. So the first step was to remove the problematic module:
{{{
# semodule -r mcivta-site-update
libsepol.print_missing_requirements: localmisc's global requirements were not met: type/attribute mcivta_site_update_exec_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
#
}}}
Unfortunately, removing that module would have broken another one of my local policy modules, `localmisc` in this case, which had a requirement for one of the types defined in the `mcivta-site-update` module. So again the running SELinux policy was unchanged. In this case I didn't want to simply remove the `localmisc` policy module because that might have broken some running processes that needed rules defined in that module.
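The chain just described (a module can only be removed once nothing else requires a type it declares, and a module only links if the base policy still provides every attribute it requires) can be checked up front rather than discovered one `semodule` failure at a time. The following Python helper is an added example, not the author's code and not part of the SELinux tooling: it parses the `gen_require` (or m4-expanded `require { }`) blocks and `type`/`attribute` declarations of a set of local modules, computes which modules depend on which, gives the order in which `semodule -r` will accept them, and lists requirements that the base policy no longer satisfies. It also pulls the module and symbol out of a `libsepol.print_missing_requirements` line. The module sources, the base-policy symbol sets and the error line are constructed for the example; the sample writes the `etcfile` requirement straight into the module sources, whereas in the post it evidently came in through the policy interfaces the modules were built against, which is why a plain rebuild fixed it later.

```python
import re
from collections import defaultdict

# Constructed sample module sources using the post's module names (not the
# author's real .te files).
MODULES = {
    "mcivta-site-update": """
policy_module(mcivta-site-update, 1.0)
type mcivta_site_update_t;
type mcivta_site_update_exec_t;
gen_require(`
    attribute etcfile;
')
allow mcivta_site_update_t etcfile:file read_file_perms;
""",
    "localmisc": """
policy_module(localmisc, 1.0)
require {
    type procmail_t, mcivta_site_update_t, mcivta_site_update_exec_t;
}
domain_auto_trans(procmail_t, mcivta_site_update_exec_t, mcivta_site_update_t)
""",
    "svnmailer": """
policy_module(svnmailer, 1.0)
type httpd_svnmailer_script_exec_t;
gen_require(`
    attribute etcfile;
')
""",
    "svnmailer-extras": """
policy_module(svnmailer-extras, 1.0)
gen_require(`
    type httpd_svnmailer_script_exec_t;
')
""",
}

# Both the m4 form gen_require(`...') and its expansion require { ... } are
# recognised, so this works on .te sources and on the tmp/*.tmp files that
# checkmodule reads.
REQUIRE_BLOCK = re.compile(r"gen_require\(`(.*?)'\)|require\s*\{(.*?)\}", re.S)
SYMBOL_STMT = re.compile(r"\b(type|attribute)\s+([^;]+);")
LINK_ERROR = re.compile(
    r"print_missing_requirements: (\S+)'s global requirements were not met: "
    r"type/attribute (\S+)")


def parse_module(src):
    """Return (declared, required) symbol sets for one module source."""
    required = set()
    for m in REQUIRE_BLOCK.finditer(src):
        block = m.group(1) if m.group(1) is not None else m.group(2)
        for _kind, names in SYMBOL_STMT.findall(block):
            required.update(n.strip() for n in names.split(","))
    declared = set()
    for _kind, names in SYMBOL_STMT.findall(REQUIRE_BLOCK.sub("", src)):
        # "type foo, attr1;" declares only foo (attr1 is an attribute foo gets).
        declared.add(names.split(",")[0].split()[0])
    return declared, required


def dependents(parsed):
    """Map each module to the local modules that require a symbol it declares."""
    provider = {sym: name for name, (decl, _) in parsed.items() for sym in decl}
    deps = defaultdict(set)
    for name, (_, required) in parsed.items():
        for sym in required:
            if sym in provider and provider[sym] != name:
                deps[provider[sym]].add(name)
    return deps


def removal_order(parsed, target):
    """Modules to hand to `semodule -r`, dependents first, so the link succeeds."""
    deps, order, seen = dependents(parsed), [], set()

    def visit(mod):
        if mod in seen:
            return
        seen.add(mod)
        for d in sorted(deps.get(mod, ())):
            visit(d)
        order.append(mod)

    visit(target)
    return order


def unsatisfied(parsed, base_symbols):
    """Modules whose requirements neither the base policy nor a local module meets."""
    local = set().union(*(decl for decl, _ in parsed.values()))
    return {name: req - base_symbols - local
            for name, (_, req) in parsed.items() if req - base_symbols - local}


def parse_link_error(line):
    """Extract (module, symbol) from a libsepol.print_missing_requirements line."""
    m = LINK_ERROR.search(line)
    return (m.group(1), m.group(2)) if m else None


PARSED = {name: parse_module(src) for name, src in MODULES.items()}
# Constructed base-policy symbol sets: only the symbols the samples use.
BASE_OLD = {"procmail_t", "etcfile"}
BASE_NEW = {"procmail_t"}

if __name__ == "__main__":
    err = ("libsepol.print_missing_requirements: mcivta-site-update's global "
           "requirements were not met: type/attribute etcfile (No such file or directory).")
    mod, sym = parse_link_error(err)
    print(f"{mod} needs {sym}; remove in this order: {removal_order(PARSED, mod)}")
    print("unmet against the new base policy:", unsatisfied(PARSED, BASE_NEW))
```

Run over the sample it reports that `localmisc` has to go (or be edited) before `mcivta-site-update` can be removed, that `svnmailer-extras` stands in the way of `svnmailer`, and that only the two modules that require `etcfile` are actually broken by the new base policy; `localmisc` and `svnmailer-extras` fail to link only because they depend on those two.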
So instead I edited `localmisc.te` to remove the reference to `mcivta_site_update_exec_t`, which was actually derived from a call to an interface `mcivta_site_update_domtrans`:
{{{
mcivta_site_update_domtrans(procmail_t)
}}}
This was defined in `mcivta_site_update.if`:
{{{
########################################
## <summary>
##	Execute a domain transition to run mcivta-site-update.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`mcivta_site_update_domtrans',`
	gen_require(`
		type mcivta_site_update_t, mcivta_site_update_exec_t;
	')

	domain_auto_trans($1, mcivta_site_update_exec_t, mcivta_site_update_t)

	allow mcivta_site_update_t $1:fd use;
	allow mcivta_site_update_t $1:fifo_file rw_file_perms;
	allow mcivta_site_update_t $1:process sigchld;
')
}}}
So I rebuilt `localmisc.pp`, updated the running policy and was then able to remove the `mcivta_site_update` policy module:
{{{
# vi localmisc.te
# make
Compiling targeted localmisc module
/usr/bin/checkmodule:  loading policy configuration from tmp/localmisc.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/localmisc.mod
Creating targeted localmisc.pp policy package
Compiling targeted mcivta-site-update-extras module
/usr/bin/checkmodule:  loading policy configuration from tmp/mcivta-site-update-extras.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/mcivta-site-update-extras.mod
Creating targeted mcivta-site-update-extras.pp policy package
Compiling targeted mcivta-site-update module
/usr/bin/checkmodule:  loading policy configuration from tmp/mcivta-site-update.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/mcivta-site-update.mod
Creating targeted mcivta-site-update.pp policy package
Compiling targeted svnmailer-extras module
/usr/bin/checkmodule:  loading policy configuration from tmp/svnmailer-extras.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/svnmailer-extras.mod
Creating targeted svnmailer-extras.pp policy package
Compiling targeted svnmailer module
/usr/bin/checkmodule:  loading policy configuration from tmp/svnmailer.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/svnmailer.mod
Creating targeted svnmailer.pp policy package
rm tmp/mcivta-site-update-extras.mod tmp/mcivta-site-update-extras.mod.fc tmp/mcivta-site-update.mod.fc tmp/svnmailer.mod.fc tmp/mcivta-site-update.mod tmp/svnmailer-extras.mod.fc tmp/svnmailer-extras.mod tmp/svnmailer.mod
# semodule -u localmisc.pp
# semodule -r mcivta-site-update.pp
#
}}}
I was now ready to try updating the Fedora policy again. I could do that by re-running the post-install script from the `selinux-policy-targeted` package, but that needs some careful copy-and-pasting as there's a lot in there, and a simpler method is just to reinstall the package itself:
{{{
# yum reinstall selinux-policy selinux-policy-targeted
Setting up Reinstall Process
updates-local                                            | 2.7 kB     00:00
city-fan.org                                             | 2.7 kB     00:00
...
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.6.32-92.fc12 set to be updated
---> Package selinux-policy-targeted.noarch 0:3.6.32-92.fc12 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================
 Package                      Arch         Version                  Repository            Size
==========================================================================================================
Reinstalling:
 selinux-policy               noarch       3.6.32-92.fc12           updates-local         657 k
 selinux-policy-targeted      noarch       3.6.32-92.fc12           updates-local         2.0 M

Transaction Summary
==========================================================================================================
Remove        0 Package(s)
Reinstall     2 Package(s)
Downgrade     0 Package(s)

Total download size: 2.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): selinux-policy-3.6.32-92.fc12.noarch.rpm                                     | 657 kB     00:00
(2/2): selinux-policy-targeted-3.6.32-92.fc12.noarch.rpm                            | 2.0 MB     00:00
-------------------------------------------------------------------------------------------------
Total                                                                        17 MB/s | 2.6 MB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : selinux-policy-3.6.32-92.fc12.noarch                                        1/2
  Installing     : selinux-policy-targeted-3.6.32-92.fc12.noarch                               2/2
libsepol.print_missing_requirements: svnmailer's global requirements were not met: type/attribute etcfile (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

Installed:
  selinux-policy.noarch 0:3.6.32-92.fc12    selinux-policy-targeted.noarch 0:3.6.32-92.fc12

Complete!
#
}}}
So, same problem again, only this time with the local `svnmailer` policy module.
I could live without that one for a few minutes so I tried removing it:
{{{
# semodule -r svnmailer.pp
libsepol.print_missing_requirements: svnmailer-extras's global requirements were not met: type/attribute httpd_svnmailer_script_exec_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
#
}}}
There was a reference to `httpd_svnmailer_script_exec_t` (defined in the `svnmailer` policy module) in the `svnmailer-extras` policy module, so I had to remove that too:
{{{
# semodule -r svnmailer.pp svnmailer-extras.pp
#
}}}
I was now ready to try the Fedora policy again:
{{{
# yum reinstall selinux-policy selinux-policy-targeted
Setting up Reinstall Process
updates-local                                            | 2.7 kB     00:00
city-fan.org                                             | 2.7 kB     00:00
...
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.6.32-92.fc12 set to be updated
---> Package selinux-policy-targeted.noarch 0:3.6.32-92.fc12 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

===========================================================================================================
 Package                      Arch         Version                  Repository            Size
===========================================================================================================
Reinstalling:
 selinux-policy               noarch       3.6.32-92.fc12           updates-local         657 k
 selinux-policy-targeted      noarch       3.6.32-92.fc12           updates-local         2.0 M

Transaction Summary
===========================================================================================================
Remove        0 Package(s)
Reinstall     2 Package(s)
Downgrade     0 Package(s)

Total download size: 2.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): selinux-policy-3.6.32-92.fc12.noarch.rpm                                     | 657 kB     00:00
(2/2): selinux-policy-targeted-3.6.32-92.fc12.noarch.rpm                            | 2.0 MB     00:00
-----------------------------------------------------------------------------------------------------------
Total                                                                        19 MB/s | 2.6 MB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : selinux-policy-3.6.32-92.fc12.noarch                                        1/2
  Installing     : selinux-policy-targeted-3.6.32-92.fc12.noarch                               2/2

Installed:
  selinux-policy.noarch 0:3.6.32-92.fc12    selinux-policy-targeted.noarch 0:3.6.32-92.fc12

Complete!
#
}}}
Success at last! With the new Fedora policy in place, I could now attempt to rebuild my local policy modules and add them back into the running policy:
{{{
# rm *.pp
# make
Compiling targeted localmisc module
/usr/bin/checkmodule:  loading policy configuration from tmp/localmisc.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/localmisc.mod
Creating targeted localmisc.pp policy package
Compiling targeted mcivta-site-update-extras module
/usr/bin/checkmodule:  loading policy configuration from tmp/mcivta-site-update-extras.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/mcivta-site-update-extras.mod
Creating targeted mcivta-site-update-extras.pp policy package
Compiling targeted mcivta-site-update module
/usr/bin/checkmodule:  loading policy configuration from tmp/mcivta-site-update.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/mcivta-site-update.mod
Creating targeted mcivta-site-update.pp policy package
Compiling targeted svnmailer-extras module
/usr/bin/checkmodule:  loading policy configuration from tmp/svnmailer-extras.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/svnmailer-extras.mod
Creating targeted svnmailer-extras.pp policy package
Compiling targeted svnmailer module
/usr/bin/checkmodule:  loading policy configuration from tmp/svnmailer.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/svnmailer.mod
Creating targeted svnmailer.pp policy package
rm tmp/mcivta-site-update-extras.mod tmp/mcivta-site-update-extras.mod.fc tmp/mcivta-site-update.mod.fc tmp/svnmailer.mod.fc tmp/mcivta-site-update.mod tmp/svnmailer-extras.mod.fc tmp/svnmailer-extras.mod tmp/svnmailer.mod
# semodule -i mcivta-site-update.pp svnmailer-extras.pp svnmailer.pp
#
}}}
Since that worked without changing any policy module source, it was clear that the Fedora policy update had included an ABI change (removal of the `etcfile` attribute) though there was no API change, so the rebuild fixed the problem.

One last step I needed was to add the `mcivta_site_update_domtrans(procmail_t)` line back into the `localmisc` policy and update the running policy:
{{{
# vi localmisc.te
# make
Compiling targeted localmisc module
/usr/bin/checkmodule:  loading policy configuration from tmp/localmisc.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/localmisc.mod
Creating targeted localmisc.pp policy package
# semodule -u localmisc.pp
#
}}}
And that was it, though not the two-minute job I'd expected it to be when I kicked off the `yum update`!
----