Unable to define SELinux user in policy module

Posted: 2022/10/18 07:21:55
by hubertqc
Hello,

I recently discovered that a piece of SELinux code that is perfectly OK on CentOS 7, CentOS Stream 8, RHEL 7.X, RHEL 8, Fedora 35 and Fedora 36 would just not compile on CentOS Stream 9, since the definition of a SELinux user is rejected on Stream 9 with an error message.

For instance, the SELinux policy module source code below will pass the checkmodule stage successfully on all distros, but CentOS Stream 9 will fail at the semodule_package stage.

Code:

module foo 0.1.0;

require {
	role		staff_r;
	sensitivity	s0;
	sensitivity	s0-s0;
	category	c0;
	category	c1023;
}

user foo_u roles staff_r level s0 range s0-s0:c0.c1023;

[hubertqc@nyx ~]$ checkmodule -M -m -o foo.mod foo.te
[hubertqc@nyx ~]$ semodule_package -o foo.pp -m foo.mod
libsepol.validate_user_datum: Invalid user datum
libsepol.validate_datum_array_entries: Invalid datum array entries
libsepol.validate_policydb: Invalid policydb
semodule_package: Error while reading policy module from foo.mod
I just don't understand what is going on.

Re: Unable to define SELinux user in policy module

Posted: 2022/10/18 08:15:06
by TrevorH
I'd suggest reading viewtopic.php?f=9&t=79466 and using the discourse Stream forum.