[DSE-Dev] Bug#1064421: refpolicy: show CIL warnings within semodule command

Christian Göttsche cgzones at googlemail.com
Wed Feb 21 21:05:55 GMT 2024


Package: selinux-policy-default
Version: 2:2.20240202-1
Tags: patch

The invocation of semodule in the postinst maintainer script might
fail, e.g. due to conflicts with local modifications.
Since by default the CIL log level is error and those error messages
are rather generic, the actual cause is most of the time not shown.
A solution is to run semodule in verbose mode, which increases the
verbosity of CIL from error to warning, see
https://github.com/SELinuxProject/selinux/blob/82195e77e317d322dd9b5fc31d402462d6845357/policycoreutils/semodule/semodule.c#L419:

--- debian/postinst.policy.bak  2024-02-21 21:56:04.383102610 +0100
+++ debian/postinst.policy      2024-02-21 21:56:09.307157364 +0100
@@ -117,7 +117,7 @@
       fi

       ret=0
-       semodule -X $priority $noreload -s $flavour $to_remove
$to_install $to_disable || ret=$?
+       semodule -v -X $priority $noreload -s $flavour $to_remove
$to_install $to_disable || ret=$?
       if [ $ret -eq 0 ]; then
           echo " done."
       else
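Review bot: On the added `semodule -v -X $priority ...` line, `-v` is passed unconditionally, so the extra output is also emitted on every run where `ret` ends up 0 and the script only needs to print " done.". Consider capturing the command's output and printing it only in the `else` branch, or keeping the first call quiet and repeating it with `-v` only when `ret` is non-zero, so that successful upgrades stay terse and the CIL warnings still appear when the transaction fails. If the unconditional flag is kept, a short comment above the call saying that `-v` is there to raise the CIL log level from error to warning would help later maintainers.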


