SELinux Userspace Release: 20140826-rc1

SELinux Userspace Release: 20140826-rc1

[Steve Lawrence]

A release candidate for the next release of SELinux userspace is
available on GitHub's releases page [1]. This release contains a handful
of bug fixes and the new source policy/CIL work. Please let us know if
you find any problems.

- Steve

[1] https://github.com/SELinuxProject/selinux/releases/tag/20140826-rc1

Re: SELinux Userspace Release: 20140826-rc1

[Sven Vermeulen]

On Tue, Aug 26, 2014 at 11:31:17AM -0400, Steve Lawrence wrote:
> A release candidate for the next release of SELinux userspace is
> available on GitHub's releases page [1]. This release contains a handful
> of bug fixes and the new source policy/CIL work. Please let us know if
> you find any problems.
> 
> - Steve
> 
> [1] https://github.com/SELinuxProject/selinux/releases/tag/20140826-rc1

Hi Steve

Are you planning on creating tarballs for this release candidate?

Also, is this a release that requires any actions to be taken as part of an
upgrade (the move of /etc/selinux -> /var/lib/selinux)?

Wkr,
	Sven Vermeulen

Re: SELinux Userspace Release: 20140826-rc1

[Steve Lawrence]

On 08/27/2014 11:06 AM, Sven Vermeulen wrote:
> On Tue, Aug 26, 2014 at 11:31:17AM -0400, Steve Lawrence wrote:
>> A release candidate for the next release of SELinux userspace is
>> available on GitHub's releases page [1]. This release contains a handful
>> of bug fixes and the new source policy/CIL work. Please let us know if
>> you find any problems.
>>
>> - Steve
>>
>> [1] https://github.com/SELinuxProject/selinux/releases/tag/20140826-rc1
> 
> Hi Steve
> 
> Are you planning on creating tarballs for this release candidate?
> 
> Also, is this a release that requires any actions to be taken as part of an
> upgrade (the move of /etc/selinux -> /var/lib/selinux)?
> 
> Wkr,
> 	Sven Vermeulen

We just pushed a second release candidate, 20140826-rc2, which just has
some minor fixes to the ChangeLogs and uses the scripts/release method
to make an actual release consistent with how they've been done in the
past. The tarballs for the individual components of userspace for rc2
are now available on the GitHub "Releases" wiki page [1].

The only action that should be required post upgrade is migration from
/etc/selinux to /var/lib/selinux. There is detailed information about
this process on the GitHub "Policy Store Migration" wiki page [2], but
the jist of it is after upgrading, execute the the
semanage_migrate_store script installed by default to
/usr/libexec/selinux. The script has additional options that can be used
to do things like remove the old store or prevent rebuilding the policy.
Run the script with --help for a description of the options.

Please let us know if there are any questions/issues.

Thanks,
- Steve

[1] https://github.com/SELinuxProject/selinux/wiki/Releases
[2] https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration

Re: SELinux Userspace Release: 20140826-rc1

[Sven Vermeulen]

On Wed, Aug 27, 2014 at 6:10 PM, Steve Lawrence <slawrence@tresys.com> wrote:
> The only action that should be required post upgrade is migration from
> /etc/selinux to /var/lib/selinux. There is detailed information about
> this process on the GitHub "Policy Store Migration" wiki page [2], but
> the jist of it is after upgrading, execute the the
> semanage_migrate_store script installed by default to
> /usr/libexec/selinux. The script has additional options that can be used
> to do things like remove the old store or prevent rebuilding the policy.
> Run the script with --help for a description of the options.
>
> Please let us know if there are any questions/issues.

Hi Steve

(Sorry for the direct mail in the previous remark, gmail doesn't like
to automatically reply to the mailinglist)

When running the semanage_migrate_script I get the following problem:

Migrating from /etc/selinux/mcs/modules/active to /var/lib/selinux/mcs/active
Attempting to rebuild policy from /var/lib/selinux
sysnetwork: Warning: 'else' blocks in optional statements are
unsupported in CIL. Dropping from output.
Segmentation fault

The segmentation fault comes up at the following python code:

rc = semanage.semanage_commit(handle)

In the logs, I get:

[ 2403.250065] semanage_migrat[25752]: segfault at 28 ip
000003044dd14c5b sp 000003d2272a1140 error 4 in
libsepol.so.1[3044dcb2000+8f000]

The system has grsecurity enabled as well, but grsecurity should give
more output if it was preventing something. I'll investigate this more
tomorrow-evening.

Wkr,
  Sven Vermeulen

Re: SELinux Userspace Release: 20140826-rc1

[Stephen Smalley]

On 08/28/2014 03:58 PM, Sven Vermeulen wrote:
> On Wed, Aug 27, 2014 at 6:10 PM, Steve Lawrence <slawrence@tresys.com> wrote:
>> The only action that should be required post upgrade is migration from
>> /etc/selinux to /var/lib/selinux. There is detailed information about
>> this process on the GitHub "Policy Store Migration" wiki page [2], but
>> the jist of it is after upgrading, execute the the
>> semanage_migrate_store script installed by default to
>> /usr/libexec/selinux. The script has additional options that can be used
>> to do things like remove the old store or prevent rebuilding the policy.
>> Run the script with --help for a description of the options.
>>
>> Please let us know if there are any questions/issues.
> 
> Hi Steve
> 
> (Sorry for the direct mail in the previous remark, gmail doesn't like
> to automatically reply to the mailinglist)
> 
> When running the semanage_migrate_script I get the following problem:
> 
> Migrating from /etc/selinux/mcs/modules/active to /var/lib/selinux/mcs/active
> Attempting to rebuild policy from /var/lib/selinux
> sysnetwork: Warning: 'else' blocks in optional statements are
> unsupported in CIL. Dropping from output.
> Segmentation fault
> 
> The segmentation fault comes up at the following python code:
> 
> rc = semanage.semanage_commit(handle)
> 
> In the logs, I get:
> 
> [ 2403.250065] semanage_migrat[25752]: segfault at 28 ip
> 000003044dd14c5b sp 000003d2272a1140 error 4 in
> libsepol.so.1[3044dcb2000+8f000]
> 
> The system has grsecurity enabled as well, but grsecurity should give
> more output if it was preventing something. I'll investigate this more
> tomorrow-evening.

Can you provide a copy of your original policy prior to conversion?

Re: SELinux Userspace Release: 20140826-rc1

[Sven Vermeulen]

On Thu, Aug 28, 2014 at 10:15 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> When running the semanage_migrate_script I get the following problem:
>>
>> Migrating from /etc/selinux/mcs/modules/active to /var/lib/selinux/mcs/active
>> Attempting to rebuild policy from /var/lib/selinux
>> sysnetwork: Warning: 'else' blocks in optional statements are
>> unsupported in CIL. Dropping from output.
>> Segmentation fault
[...]
> Can you provide a copy of your original policy prior to conversion?

If you mean the policy.29 file, certainly. You can wget it from
http://dev.gentoo.org/~swift/tmp/20140828-policy.29

Wkr,
  Sven Vermeulen

Re: SELinux Userspace Release: 20140826-rc1

[Stephen Smalley]

On 08/28/2014 04:52 PM, Sven Vermeulen wrote:
> On Thu, Aug 28, 2014 at 10:15 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>> When running the semanage_migrate_script I get the following problem:
>>>
>>> Migrating from /etc/selinux/mcs/modules/active to /var/lib/selinux/mcs/active
>>> Attempting to rebuild policy from /var/lib/selinux
>>> sysnetwork: Warning: 'else' blocks in optional statements are
>>> unsupported in CIL. Dropping from output.
>>> Segmentation fault
> [...]
>> Can you provide a copy of your original policy prior to conversion?
> 
> If you mean the policy.29 file, certainly. You can wget it from
> http://dev.gentoo.org/~swift/tmp/20140828-policy.29

No, the contents of /etc/selinux/mcs.  The migration script converts the
old policy module store, not the final kernel policy file.

Re: SELinux Userspace Release: 20140826-rc1

[Steve Lawrence]

On 08/29/2014 08:11 AM, Stephen Smalley wrote:
> On 08/28/2014 04:52 PM, Sven Vermeulen wrote:
>> On Thu, Aug 28, 2014 at 10:15 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>> When running the semanage_migrate_script I get the following problem:
>>>>
>>>> Migrating from /etc/selinux/mcs/modules/active to /var/lib/selinux/mcs/active
>>>> Attempting to rebuild policy from /var/lib/selinux
>>>> sysnetwork: Warning: 'else' blocks in optional statements are
>>>> unsupported in CIL. Dropping from output.
>>>> Segmentation fault
>> [...]
>>> Can you provide a copy of your original policy prior to conversion?
>>
>> If you mean the policy.29 file, certainly. You can wget it from
>> http://dev.gentoo.org/~swift/tmp/20140828-policy.29
> 
> No, the contents of /etc/selinux/mcs.  The migration script converts the
> old policy module store, not the final kernel policy file.
> 

Hmm, I'm unable to reproduce this. I think the policy store that Stephen
mentions will be help to reproduce it.

Re: SELinux Userspace Release: 20140826-rc1

[Sven Vermeulen]

On Fri, Aug 29, 2014 at 2:56 PM, Steve Lawrence <slawrence@tresys.com> wrote:
>>>>> Segmentation fault
>>> [...]
>>>> Can you provide a copy of your original policy prior to conversion?
>>>
>>> If you mean the policy.29 file, certainly. You can wget it from
>>> http://dev.gentoo.org/~swift/tmp/20140828-policy.29
>>
>> No, the contents of /etc/selinux/mcs.  The migration script converts the
>> old policy module store, not the final kernel policy file.
>>
>
> Hmm, I'm unable to reproduce this. I think the policy store that Stephen
> mentions will be help to reproduce it.
>

Certainly.

The policy store can be found at
http://dev.gentoo.org/~swift/tmp/20140829-etc-selinux-mcs.tar.gz

Wkr,
  Sven Vermeulen

Re: SELinux Userspace Release: 20140826-rc1

[Stephen Smalley]

On 08/29/2014 10:00 AM, Sven Vermeulen wrote:
> On Fri, Aug 29, 2014 at 2:56 PM, Steve Lawrence <slawrence@tresys.com> wrote:
>>>>>> Segmentation fault
>>>> [...]
>>>>> Can you provide a copy of your original policy prior to conversion?
>>>>
>>>> If you mean the policy.29 file, certainly. You can wget it from
>>>> http://dev.gentoo.org/~swift/tmp/20140828-policy.29
>>>
>>> No, the contents of /etc/selinux/mcs.  The migration script converts the
>>> old policy module store, not the final kernel policy file.
>>>
>>
>> Hmm, I'm unable to reproduce this. I think the policy store that Stephen
>> mentions will be help to reproduce it.
>>
> 
> Certainly.
> 
> The policy store can be found at
> http://dev.gentoo.org/~swift/tmp/20140829-etc-selinux-mcs.tar.gz

Hmm...semanage_migrate_store worked for me on that policy store.

Can you reproduce the fault?  If so, can you get debug info?
Build with debug flags and run semanage_migrate_store under valgrind,
perhaps?

Re: SELinux Userspace Release: 20140826-rc1

[Stephen Smalley]

On 08/29/2014 10:14 AM, Stephen Smalley wrote:
> On 08/29/2014 10:00 AM, Sven Vermeulen wrote:
>> On Fri, Aug 29, 2014 at 2:56 PM, Steve Lawrence <slawrence@tresys.com> wrote:
>>>>>>> Segmentation fault
>>>>> [...]
>>>>>> Can you provide a copy of your original policy prior to conversion?
>>>>>
>>>>> If you mean the policy.29 file, certainly. You can wget it from
>>>>> http://dev.gentoo.org/~swift/tmp/20140828-policy.29
>>>>
>>>> No, the contents of /etc/selinux/mcs.  The migration script converts the
>>>> old policy module store, not the final kernel policy file.
>>>>
>>>
>>> Hmm, I'm unable to reproduce this. I think the policy store that Stephen
>>> mentions will be help to reproduce it.
>>>
>>
>> Certainly.
>>
>> The policy store can be found at
>> http://dev.gentoo.org/~swift/tmp/20140829-etc-selinux-mcs.tar.gz
> 
> Hmm...semanage_migrate_store worked for me on that policy store.
> 
> Can you reproduce the fault?  If so, can you get debug info?
> Build with debug flags and run semanage_migrate_store under valgrind,
> perhaps?

Ok, I got it to fault (had to change my /etc/selinux/config
SELINUXTYPE=mcs to make it the active policy).

==18786== Invalid write of size 8
==18786==    at 0xD83EC95: cil_reset_level (cil_reset_ast.c:214)
==18786==    by 0xD83E9FE: cil_reset_user (cil_reset_ast.c:102)
==18786==    by 0xD83F243: __cil_reset_node (cil_reset_ast.c:345)
==18786==    by 0xD847FA0: cil_tree_walk_core (cil_tree.c:172)
==18786==    by 0xD848109: cil_tree_walk (cil_tree.c:216)
==18786==    by 0xD83F52C: cil_reset_ast (cil_reset_ast.c:471)
==18786==    by 0xD84644A: cil_resolve_ast (cil_resolve_ast.c:3493)
==18786==    by 0xD8179B6: cil_compile (cil.c:338)
==18786==    by 0xE14E212: semanage_direct_commit (direct_api.c:1107)
==18786==    by 0xE15C205: semanage_commit (handle.c:426)
==18786==    by 0xDEF7264: _wrap_semanage_commit (semanageswig_wrap.c:4098)
==18786==    by 0x31E68E0BD3: PyEval_EvalFrameEx (in
/usr/lib64/libpython2.7.so.1.0)
==18786==  Address 0x20 is not stack'd, malloc'd or (recently) free'd

Re: SELinux Userspace Release: 20140826-rc1

[Steve Lawrence]

On 08/29/2014 10:14 AM, Stephen Smalley wrote:
> On 08/29/2014 10:00 AM, Sven Vermeulen wrote:
>> On Fri, Aug 29, 2014 at 2:56 PM, Steve Lawrence <slawrence@tresys.com> wrote:
>>>>>>> Segmentation fault
>>>>> [...]
>>>>>> Can you provide a copy of your original policy prior to conversion?
>>>>>
>>>>> If you mean the policy.29 file, certainly. You can wget it from
>>>>> http://dev.gentoo.org/~swift/tmp/20140828-policy.29
>>>>
>>>> No, the contents of /etc/selinux/mcs.  The migration script converts the
>>>> old policy module store, not the final kernel policy file.
>>>>
>>>
>>> Hmm, I'm unable to reproduce this. I think the policy store that Stephen
>>> mentions will be help to reproduce it.
>>>
>>
>> Certainly.
>>
>> The policy store can be found at
>> http://dev.gentoo.org/~swift/tmp/20140829-etc-selinux-mcs.tar.gz
> 
> Hmm...semanage_migrate_store worked for me on that policy store.
> 
> Can you reproduce the fault?  If so, can you get debug info?
> Build with debug flags and run semanage_migrate_store under valgrind,
> perhaps?
> 

We are able to get the segfault and have gotten a backtrace. It looks
like it has to do with how optionals are handled and how we reset state
when an optional is disabled. The fix in this particular case is pretty
simple, but I think we need to go through the rest of the reset state
code and ensure we aren't making similar mistakes. Might take a little
bit of time.

Re: SELinux Userspace Release: 20140826-rc1

[Sven Vermeulen]

Hi Steve & co

Will you be pushing out an rc3 release? If not, can I get the fix for
this particular situation so I can continue testing?

Wkr,
  Sven Vermeulen

On Fri, Aug 29, 2014 at 4:22 PM, Steve Lawrence <slawrence@tresys.com> wrote:
> On 08/29/2014 10:14 AM, Stephen Smalley wrote:
>> On 08/29/2014 10:00 AM, Sven Vermeulen wrote:
>>> On Fri, Aug 29, 2014 at 2:56 PM, Steve Lawrence <slawrence@tresys.com> wrote:
>>>>>>>> Segmentation fault
>>>>>> [...]
>>>>>>> Can you provide a copy of your original policy prior to conversion?
>>>>>>
>>>>>> If you mean the policy.29 file, certainly. You can wget it from
>>>>>> http://dev.gentoo.org/~swift/tmp/20140828-policy.29
>>>>>
>>>>> No, the contents of /etc/selinux/mcs.  The migration script converts the
>>>>> old policy module store, not the final kernel policy file.
>>>>>
>>>>
>>>> Hmm, I'm unable to reproduce this. I think the policy store that Stephen
>>>> mentions will be help to reproduce it.
>>>>
>>>
>>> Certainly.
>>>
>>> The policy store can be found at
>>> http://dev.gentoo.org/~swift/tmp/20140829-etc-selinux-mcs.tar.gz
>>
>> Hmm...semanage_migrate_store worked for me on that policy store.
>>
>> Can you reproduce the fault?  If so, can you get debug info?
>> Build with debug flags and run semanage_migrate_store under valgrind,
>> perhaps?
>>
>
> We are able to get the segfault and have gotten a backtrace. It looks
> like it has to do with how optionals are handled and how we reset state
> when an optional is disabled. The fix in this particular case is pretty
> simple, but I think we need to go through the rest of the reset state
> code and ensure we aren't making similar mistakes. Might take a little
> bit of time.
>

Re: SELinux Userspace Release: 20140826-rc1

[Steve Lawrence]

We will definitely push out an rc3. We have some fixes in the CIL and
userspace repos that we just need to finalize and clean up. We should
have an rc3 out this week.

Thanks,
- Steve

On 09/14/2014 05:31 AM, Sven Vermeulen wrote:
> Hi Steve & co
> 
> Will you be pushing out an rc3 release? If not, can I get the fix for
> this particular situation so I can continue testing?
> 
> Wkr,
>   Sven Vermeulen
> 
> On Fri, Aug 29, 2014 at 4:22 PM, Steve Lawrence <slawrence@tresys.com> wrote:
>> On 08/29/2014 10:14 AM, Stephen Smalley wrote:
>>> On 08/29/2014 10:00 AM, Sven Vermeulen wrote:
>>>> On Fri, Aug 29, 2014 at 2:56 PM, Steve Lawrence <slawrence@tresys.com> wrote:
>>>>>>>>> Segmentation fault
>>>>>>> [...]
>>>>>>>> Can you provide a copy of your original policy prior to conversion?
>>>>>>>
>>>>>>> If you mean the policy.29 file, certainly. You can wget it from
>>>>>>> http://dev.gentoo.org/~swift/tmp/20140828-policy.29
>>>>>>
>>>>>> No, the contents of /etc/selinux/mcs.  The migration script converts the
>>>>>> old policy module store, not the final kernel policy file.
>>>>>>
>>>>>
>>>>> Hmm, I'm unable to reproduce this. I think the policy store that Stephen
>>>>> mentions will be help to reproduce it.
>>>>>
>>>>
>>>> Certainly.
>>>>
>>>> The policy store can be found at
>>>> http://dev.gentoo.org/~swift/tmp/20140829-etc-selinux-mcs.tar.gz
>>>
>>> Hmm...semanage_migrate_store worked for me on that policy store.
>>>
>>> Can you reproduce the fault?  If so, can you get debug info?
>>> Build with debug flags and run semanage_migrate_store under valgrind,
>>> perhaps?
>>>
>>
>> We are able to get the segfault and have gotten a backtrace. It looks
>> like it has to do with how optionals are handled and how we reset state
>> when an optional is disabled. The fix in this particular case is pretty
>> simple, but I think we need to go through the rest of the reset state
>> code and ensure we aren't making similar mistakes. Might take a little
>> bit of time.
>>