[DSE-Dev] Bug#849552: policycoreutils: semodule aborts on corrupted installation, how can user solve this?

Russell Coker russell at coker.com.au
Wed Dec 28 14:56:16 UTC 2016 

Package: policycoreutils
Version: 2.6-2
Severity: normal

After a system crash I found my policy database corrupted, here are some
examples:

# dpkg -i selinux-policy-default_2.20161023.1-5_all.deb 
(Reading database ... 244796 files and directories currently installed.)
Preparing to unpack .../selinux-policy-default_2.20161023.1-5_all.deb ...
Unpacking selinux-policy-default (2:2.20161023.1-5) over (2:2.20161023.1-5) ...
Setting up selinux-policy-default (2:2.20161023.1-5) ...
Updating selinux default policy (this step might take a moment)...libsemanage.semanage_direct_get_module_info: Unable to read abrt module lang ext file.
semodule:  Failed on full!
libsemanage.semanage_direct_get_module_info: Unable to read abrt module lang ext file.
libsemanage.semanage_direct_get_module_info: Unable to read accountsd module lang ext file.
libsemanage.semanage_direct_get_module_info: Unable to read accountsd module lang ext file.
semodule:  Failed on /usr/share/selinux/default/abrt.pp.bz2!
 failed.
dpkg: error processing package selinux-policy-default (--install):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 selinux-policy-default
# semodule -l
libsemanage.semanage_direct_get_module_info: Unable to read abrt module lang ext file.
semodule:  Failed on list!

Here is the tail end of stracing "semodule -l":
open("/var/lib/selinux/default/active/modules/100/abrt/lang_ext", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
read(4, "", 4096)                       = 0
write(2, "libsemanage.semanage_direct_get_"..., 45libsemanage.semanage_direct_get_module_info: ) = 45
write(2, "Unable to read abrt module lang "..., 41Unable to read abrt module lang ext file.) = 41
write(2, "\n", 1
)                       = 1
close(4)                                = 0
flock(3, LOCK_UN)                       = 0
close(3)                                = 0
write(2, "semodule:  Failed on list!\n", 27semodule:  Failed on list!
) = 27
exit_group(1)

I think that in this case semodule could reasonably recover from that situation
if we ran things properly.  But even in situations that it can't reasonably
recover from it should at least give a suggestion to the user as to what
they should do.

Maybe we need a semodule-recover script or something.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages policycoreutils depends on:
ii  libaudit1      1:2.6.7-1
ii  libc6          2.24-8
ii  libselinux1    2.6-3
ii  libsemanage1   2.6-1
ii  libsepol1      2.6-2
ii  lsb-base       9.20161125
ii  selinux-utils  2.6-3

policycoreutils recommends no packages.

policycoreutils suggests no packages.

-- no debconf information

More information about the SELinux-devel mailing list