Building freeipa rpms fails on Fedora

This affects nightly runs in PR-CI

```
# cat /etc/fedora-release
Fedora release 30 (Thirty)
```

```
yum -y update
yum-builddep -y freeipa-server
yum -y install selinux-policy-devel
yum -y install rpm-build
git clone https://github.com/freeipa/freeipa.git
cd freeipa/
./makerpms.sh
```

```
Making all in selinux
make[4]: Entering directory '/root/freeipa/rpmbuild/BUILD/freeipa-4.9.0.dev202003241452+git312d00df9/selinux'
make -f /usr/share/selinux/devel/Makefile ipa.pp
make[5]: Entering directory '/root/freeipa/rpmbuild/BUILD/freeipa-4.9.0.dev202003241452+git312d00df9/selinux'
ipa.if:13: Error: duplicate definition of ipa_domtrans_otpd(). Original definition on 13.
ipa.if:32: Error: duplicate definition of ipa_stream_connect_otpd(). Original definition on 32.
ipa.if:49: Error: duplicate definition of ipa_stream_connect_ods_exporter(). Original definition on 49.
ipa.if:66: Error: duplicate definition of ipa_domtrans_helper(). Original definition on 66.
ipa.if:89: Error: duplicate definition of ipa_run_helper(). Original definition on 89.
ipa.if:109: Error: duplicate definition of ipa_search_lib(). Original definition on 109.
ipa.if:127: Error: duplicate definition of ipa_manage_lib(). Original definition on 127.
ipa.if:146: Error: duplicate definition of ipa_manage_log(). Original definition on 146.
ipa.if:165: Error: duplicate definition of ipa_read_lib(). Original definition on 165.
ipa.if:184: Error: duplicate definition of ipa_manage_pid_files(). Original definition on 184.
ipa.if:208: Error: duplicate definition of ipa_filetrans_pid(). Original definition on 208.
ipa.if:226: Error: duplicate definition of ipa_delete_tmp(). Original definition on 226.
ipa.if:246: Error: duplicate definition of ipa_named_filetrans_log_dir(). Original definition on 246.
ipa.if:264: Error: duplicate definition of ipa_filetrans_named_content(). Original definition on 264.
ipa.if:284: Error: duplicate definition of ipa_cert_filetrans_named_content(). Original definition on 284.
ipa.if:304: Error: duplicate definition of ipa_read_tmp(). Original definition on 304.
Compiling targeted ipa module
ipa.te:355:ERROR 'syntax error' at token 'apache_manage_pid_files' on line 17539:
#line 355
apache_manage_pid_files(ipa_custodia_t)
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make[5]: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/ipa.mod] Error 1
make[5]: Leaving directory '/root/freeipa/rpmbuild/BUILD/freeipa-4.9.0.dev202003241452+git312d00df9/selinux'
make[4]: *** [Makefile:630: ipa.pp] Error 2
make[4]: Leaving directory '/root/freeipa/rpmbuild/BUILD/freeipa-4.9.0.dev202003241452+git312d00df9/selinux'
make[3]: *** [Makefile:677: all-recursive] Error 1
make[3]: Leaving directory '/root/freeipa/rpmbuild/BUILD/freeipa-4.9.0.dev202003241452+git312d00df9'
make[2]: *** [Makefile:573: all] Error 2
make[2]: Leaving directory '/root/freeipa/rpmbuild/BUILD/freeipa-4.9.0.dev202003241452+git312d00df9'
error: Bad exit status from /var/tmp/rpm-tmp.cKyagw (%build)
RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.cKyagw (%build)
make[1]: *** [Makefile:1174: _rpms-body] Error 1
make[1]: Leaving directory '/root/freeipa'
make: *** [Makefile:1171: rpms] Error 2
```
master branch at commit 312d00d
The build runs successfully on Fedora 31.
Metadata Update from @cheimes:
- Issue assigned to cheimes
- Issue priority set to: important
- Issue set to the milestone: FreeIPA 4.8.5
The interface `apache_manage_pid_files` is not available on F30. The SELinux team helped me to figure out the correct syntax and verify the result. It turns out that `ifdef()` also works for interfaces.

```
$ macro-expander "apache_manage_pid_files(ipa_custodia_t)"
allow ipa_custodia_t var_t:lnk_file { getattr read };
allow ipa_custodia_t var_run_t:lnk_file { getattr read };
allow ipa_custodia_t var_t:dir { getattr search open };
allow ipa_custodia_t var_run_t:dir { getattr search open };
allow ipa_custodia_t httpd_var_run_t:dir { open read getattr lock search ioctl add_name remove_name write };
allow ipa_custodia_t httpd_var_run_t:dir { create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl };
allow ipa_custodia_t httpd_var_run_t:dir { open read getattr lock search ioctl add_name remove_name write };
allow ipa_custodia_t httpd_var_run_t:file { create open getattr setattr read write append rename link unlink ioctl lock };
allow ipa_custodia_t httpd_var_run_t:dir { open read getattr lock search ioctl add_name remove_name write };
allow ipa_custodia_t httpd_var_run_t:sock_file { create open getattr setattr read write rename link unlink ioctl lock append };
```
With `ifdef` the CIL representation still references `httpd_var_run_t` on F31.

```
$ bunzip2 -c ipa.pp.bz2 | /usr/libexec/selinux/hll/pp | grep httpd_var_run_t
(typeattributeset cil_gen_require httpd_var_run_t)
(allow ipa_custodia_t httpd_var_run_t (dir (ioctl read write getattr lock add_name remove_name search open)))
```
On F30 the same call returns no mention of httpd_var_run_t, which is to be expected.
Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4435
It occurred to me that ipa-custodia requires the rules. I have modified the PR to define the interface conditionally.
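An illustration of the conditional-definition approach described in this comment, added here as an example rather than the project's own policy text. It assumes the module's `ipa.if` is processed by the same m4 run as `ipa.te` (as the devel Makefile does), and the fallback body reproduces the rules that `macro-expander` printed above for the real interface on F31:

```m4
## ipa.if (example): supply apache_manage_pid_files only where the
## installed apache policy does not define it (e.g. Fedora 30).
## Plain m4 ifdef(name, if-defined, if-not-defined) is used; the
## true branch is empty so an existing definition is never shadowed.
ifdef(`apache_manage_pid_files', `', `
interface(`apache_manage_pid_files',`
	gen_require(`
		type httpd_var_run_t;
	')

	# search /var and /var/run on the way to the httpd pid directory
	files_search_pids($1)
	# manage dirs, files and sockets under the httpd pid directory
	manage_dirs_pattern($1, httpd_var_run_t, httpd_var_run_t)
	manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
	manage_sock_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
')
')

## ipa.te (example): with the fallback in place the call itself no
## longer needs to be wrapped, so ipa-custodia gets the rules on both
## Fedora 30 and Fedora 31.
apache_manage_pid_files(ipa_custodia_t)
```

The `bunzip2 ... | /usr/libexec/selinux/hll/pp | grep httpd_var_run_t` check quoted above is the way to confirm that the resulting module carries the `httpd_var_run_t` rules on each release.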
master:
Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
ipa-4-8:
Metadata Update from @abbra:
- Custom field knownissue adjusted to on

Metadata Update from @abbra:
- Custom field changelog adjusted to SELinux rules for ipa-custodia were merged into FreeIPA SELinux policy.
- Custom field knownissue reset (from on)

Metadata Update from @abbra:
- Custom field changelog adjusted to SELinux rules for ipa-custodia were merged into FreeIPA SELinux policy. The policy relied on an SELinux interface that is not available in Fedora 30. The logic was changed to allow better portability across SELinux versions. (was: SELinux rules for ipa-custodia were merged into FreeIPA SELinux policy.)
- Custom field knownissue reset (from false)