Gentoo Forums
[SOLVED] SELinux module issues, failed to resolve ast
Jara0
n00b


Joined: 08 Jan 2016
Posts: 18

Posted: Fri Jan 08, 2016 5:43 pm    Post subject: [SOLVED] SELinux module issues, failed to resolve ast

Hello,

(Hopefully this is the right section)
I have been troubleshooting some SELinux-related errors for the last few days. Looking to migrate to a hardened+selinux configuration from just hardened. Currently this is all in a test VM so no risk of breakage. As I work my way through the audit errors I have been unable to load any of the custom policies I've created.

IE (initrc_t.te as an example)
[code]policy_module(initrc_t, 1.0)
gen_require(`
type initrc_t;
type etc_t;
type root_t;
type unlabeled_t;
type file_t;
type dir_t;
')

#========== initrc_t ==============
allow initrc_t etc_t:lnk_file { create unlink };
allow initrc_t root_t:dir { write remove_name add_name };
allow initrc_t root_t:file { write create unlink open };
allow initrc_t unlabeled_t:file read;[/code]

Once that is compiled ("sudo make -f /usr/share/selinux/strict/include/Makefile"), it creates the initrc_t.pp successfully. However, when I attempt to load it ("semodule -i initrc_t.pp"), I receive

[code]Failed to resolve typeattributeset statement at 7 of /var/lib/selinux/strict/tmp/modules/400/initrc_t/cil
Failed to resolve ast
semodule: Failed![/code]

I read the https://wiki.gentoo.org/wiki/SELinux/FAQ#How_to_I_load_an_entire_policy_set.3F section, which seemed relevant; however, I have been unable to work around the "failed to resolve ast" error. I receive it with the 3 or 4 other policy modules I've tried creating and loading as well. Any help would be appreciated.

-Jara
Jara0
n00b


Joined: 08 Jan 2016
Posts: 18

Posted: Sun Jan 10, 2016 3:04 am

Resolved the issue myself. Needed to fix the policy. That error comes from including types that are not necessary/valid. It will still compile with them present, but apparently in a way that causes issues.

In the above case it was type file_t; type dir_t;. Remove those, recompile and voilà. Hope this helps someone.
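Added example, not part of either post: a small Python check that lists the types a module's gen_require block declares but no rule uses, which is the condition the second post identifies for file_t and dir_t. The function name audit_requires and the optional known_types argument (type names of the loaded policy, supplied by the caller) are assumptions of this example.

```python
import re

# Constructed sample: the module from the first post, as posted.
SAMPLE_TE = """\
policy_module(initrc_t, 1.0)
gen_require(`
type initrc_t;
type etc_t;
type root_t;
type unlabeled_t;
type file_t;
type dir_t;
')

#========== initrc_t ==============
allow initrc_t etc_t:lnk_file { create unlink };
allow initrc_t root_t:dir { write remove_name add_name };
allow initrc_t root_t:file { write create unlink open };
allow initrc_t unlabeled_t:file read;
"""

REQUIRE_RE = re.compile(r"gen_require\(`(.*?)'\)", re.S)
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)


def audit_requires(te_source, known_types=None):
    """Report required types that no rule uses and, when known_types
    (hypothetical caller-supplied set of type names) is given, required
    types that are absent from it."""
    src = re.sub(r"#.*", "", te_source)  # drop comments
    required = []
    for block in REQUIRE_RE.findall(src):
        required += TYPE_RE.findall(block)
    # What remains after removing the require blocks and the module header
    # is the rule body; a type counts as used if it appears there at all.
    body = REQUIRE_RE.sub("", src)
    body = re.sub(r"policy_module\([^)]*\)", "", body)
    used = set(re.findall(r"\w+", body))
    report = {"unused": [t for t in required if t not in used]}
    if known_types is not None:
        known = set(known_types)
        report["unknown"] = [t for t in required if t not in known]
    return report


if __name__ == "__main__":
    # Constructed stand-in for the type names of the loaded policy.
    loaded = {"initrc_t", "etc_t", "root_t", "unlabeled_t"}
    print(audit_requires(SAMPLE_TE, loaded))
```

Running it against a .te file before `semodule -i` points at the require lines to review; the class names dir and file in the rules are whole-word tokens and do not mask dir_t or file_t.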
All times are GMT