Unable to define SELinux user in policy module

hubertqc
Posts: 1
Joined: 2022/10/18 06:25:29


Post by hubertqc » 2022/10/18 07:21:55

Hello,

I recently discovered that a piece of SELinux code perfectly OK on CentOS 7, CentOS Stream 8, RHEL 7.X, RHEL 8, Fedora 35 and Fedora 36 would just not compile on CentOS Stream 9, since the definition of a SELinux user is rejected on Stream 9 with an error message.

For instance, the SELinux policy module source code below will pass the checkmodule stage successfully on all distros, but on CentOS Stream 9 it will fail at the semodule_package stage.


module foo 0.1.0;

require {
	role		staff_r;
	sensitivity	s0;
	sensitivity	s0-s0;
	category	c0;
	category	c1023;
}

user foo_u roles staff_r level s0 range s0-s0:c0.c1023;

[hubertqc@nyx ~]$ checkmodule -M -m -o foo.mod foo.te
[hubertqc@nyx ~]$ semodule_package -o foo.pp -m foo.mod
libsepol.validate_user_datum: Invalid user datum
libsepol.validate_datum_array_entries: Invalid datum array entries
libsepol.validate_policydb: Invalid policydb
semodule_package: Error while reading policy module from foo.mod


I just don't understand what is going on.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Unable to define SELinux user in policy module

Post by TrevorH » 2022/10/18 08:15:06

I'd suggest reading viewtopic.php?f=9&t=79466 and using the discourse Stream forum.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
