[DSE-Dev] Bug#740562: policycoreutils: cannot disable modules defining types required only by disabled modules

Zack Weinberg zackw at panix.com
Sun Mar 2 22:07:34 UTC 2014

Source: policycoreutils
Version: 2.2.5-1
Severity: normal

I'm trying to set up SELinux on an unusually cut-down system - it only
has one network service installed, plus all the infrastructure required
for that, about 200 packages in total - and since this is the first time
I've done anything with SELinux, it seemed best to cut the overall policy
size down to the absolute minimum in order to make it easier to reason
about.  I managed to get it this far:

# semodule -l | grep -v Disabled
apache	2.7.3	
application	1.2.0	
authlogin	2.5.3	
clock	1.7.1	
consoletype	1.10.0	
getty	1.10.0	
inetd	1.13.0	
init	1.20.6	
libraries	2.10.1	
locallogin	1.12.1	
logging	1.20.4	
miscfiles	1.11.0	
modutils	1.14.1	
mount	1.16.5	
mta	2.7.3	

This is an intermediate stage, obviously more stuff will be turned back
on, but there are several things in here I still don't want, like 'apache'
(the machine is NOT a web server).  But look what happens when I try to
turn any of them off:

# semodule -d apache
libsepol.print_missing_requirements: yam's global requirements were not met: type/attribute httpd_sys_content_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

# semodule -l | grep yam
yam	1.5.0	Disabled

Since yam is not enabled, its requirements are irrelevant and should not be honored.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (501, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

More information about the SELinux-devel mailing list