From 58294f287ff60afaa58af9a92a2c1846dd5792eb Mon Sep 17 00:00:00 2001 From: Thilo Fromm Date: Wed, 15 Dec 2021 17:59:40 +0100 Subject: [PATCH 1/3] sys-apps/policycoreutils: update correct SELinux store The policycoreutils ebuild calls `semodule` in postinst to update SELinux stores. It does not, however, tell `semodule` the correct ROOT to use, so builds that go into `/build/[arch]-usr` end up updating the SDK's store. Fixes libsemanage.semanage_commit_sandbox: Error while renaming /var/lib/selinux/targeted/active to /var/lib/selinux/targeted/previous. (Invalid cross-device link) observed when using the SDK Container to build the OS image. It now also updates the correct store, which it previously did not. --- .../sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild index f0d8ad028c..eb88ffc6cb 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild @@ -219,7 +219,7 @@ pkg_postinst() { for POLICY_TYPE in ${POLICY_TYPES} ; do # There have been some changes to the policy store, rebuilding now. # https://marc.info/?l=selinux&m=143757277819717&w=2 - einfo "Rebuilding store ${POLICY_TYPE} (without re-loading)." - semodule -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}" + einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT}' (without re-loading)." + semodule -S "${ROOT}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}" done } From 99ab4bc73c4133c0837f9a61479f1422f048bb9d Mon Sep 17 00:00:00 2001
From: Thilo Fromm Date: Wed, 15 Dec 2021 19:15:54 +0100 Subject: [PATCH 2/3] sys-apps/policycoreutils: guard against empty ${ROOT} Co-authored-by: Krzesimir Nowak --- .../sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild index eb88ffc6cb..949fd35c8c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r3.ebuild @@ -219,7 +219,7 @@ pkg_postinst() { for POLICY_TYPE in ${POLICY_TYPES} ; do # There have been some changes to the policy store, rebuilding now. # https://marc.info/?l=selinux&m=143757277819717&w=2 - einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT}' (without re-loading)." - semodule -S "${ROOT}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}" + einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT:-/}' (without re-loading)." + semodule -S "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}" done } From 6038166dc1f453372707e8fd557ecd571562447d Mon Sep 17 00:00:00 2001 From: Thilo Fromm Date: Thu, 16 Dec 2021 18:48:06 +0100 Subject: [PATCH 3/3] policycoreutils semodule fix: add bugfix changelog Signed-off-by: Thilo Fromm --- ...2021-12-16-policycoreutils-fix-semodule-postinst.md | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/changelog/bugfixes/2021-12-16-policycoreutils-fix-semodule-postinst.md 
diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/bugfixes/2021-12-16-policycoreutils-fix-semodule-postinst.md b/sdk_container/src/third_party/coreos-overlay/changelog/bugfixes/2021-12-16-policycoreutils-fix-semodule-postinst.md new file mode 100644 index 0000000000..5dd37192db --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/changelog/bugfixes/2021-12-16-policycoreutils-fix-semodule-postinst.md @@ -0,0 +1,10 @@ +The policycoreutils ebuild calls semodule in postinst to update SELinux stores. +It does not, however, tells semodule the correct ROOT to use, so builds that go into /build/[arch]-usr end up updating the SDK's store. +This patch resolves the following error message: +``` +$ emerge-amd64-usr policycoreutils +[...] +libsemanage.semanage_commit_sandbox: Error while renaming /var/lib/selinux/targeted/active to /var/lib/selinux/targeted/previous. (Invalid cross-device link) +``` +The error is observed when using the SDK Container to build an OS image. +The `semanage` run in policycoreutilsi' `postinst` now also updates the correct store, which it previously did not.
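Review bot: in the first hunk (PATCH 1/3), the added line `semodule -S "${ROOT}" -s "${POLICY_TYPE}" -n -B` passes an empty store root whenever `${ROOT}` is unset or empty, which the series itself admits is possible (PATCH 2/3 is titled "guard against empty ${ROOT}"), so the install-to-live-system case runs `semodule -S ""` at this point in the history; write `"${ROOT:-/}"` here directly, or squash the follow-up into this commit, so that no commit in the series leaves that case broken. Keeping `-n` (rebuild without reloading) is the right call: a store rebuilt under `/build/[arch]-usr` must not be loaded into the SDK's running kernel.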
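Review bot: in the second hunk (PATCH 2/3), `${ROOT:-/}` is now spelled out twice, once in the `einfo` message and once as the `-S` argument, so the two can silently drift apart on the next edit; assign it once before the loop, e.g. `local store_root="${ROOT:-/}"`, and use `"${store_root}"` in both `einfo "Rebuilding store ${POLICY_TYPE} in '${store_root}' ..."` and `semodule -S "${store_root}" ...`. Since this commit only repairs the unguarded `-S "${ROOT}"` introduced by the previous one, it is also a candidate for squashing rather than a separate commit.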
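Review bot: the third hunk (PATCH 3/3, the new changelog file) carries three wording defects that should be fixed before merge: "It does not, however, tells semodule" should read "tell", "policycoreutilsi' `postinst`" has a stray "i" and should read "policycoreutils' `postinst`", and the final line names `semanage` although the command the ebuild runs and the diff changes is `semodule`; the tool name matters because anyone searching the changelog for the affected command will otherwise miss this entry. The quoted `emerge-amd64-usr` error transcript is worth keeping as-is, since it is the exact message a user hits.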