Policy fails to build due to unconfined role move

[cgzones]

Commit ca3698d changed the definition of the unconfined_r role from the base module kernel to the non-base module unconfined.
While directly linking the policy via make validate works, loading such policy on an actual systems fails with the following error message:

...
Creating refpolicy base module base.conf                                                                                                                      
Compiling refpolicy base module                                                                                                                               
Creating refpolicy base module package                                                                                                                        
Installing refpolicy base.pp policy package.                                                                                                                  
Loading configured modules.                                                                                                                                   
Failed to resolve roletype statement at /var/lib/selinux/refpolicy/tmp/modules/400/unconfined/cil:5                                                           
Failed to resolve AST                                                                                                                                         
/usr/sbin/semodule:  Failed!                                                                                                                                  
make: *** [Rules.modular:59: load] Error 1

I don't think role definitions are supported in non-base modular policies (only role statements associating them to types).

[yizhao1]

I also encountered this issue.

[pebenito]

First, we need to fix the discrepancy between the two SELinux userspace behaviors. Then we can update refpolicy, if necessary.

cc @jwcart2

[jwcart2]

I am not sure what is going on here. Roles most definitely can be in modules. It looks like a problem converting the module pp file to CIL (creating a roletype rule instead of a role), but I have test policy which has roles in modules and pp converted them to CIL just fine. I will investigate.

[jwcart2]

I found the issue. It is in module_to_cil.c. It will not create user_r, staff_r, sysadm_r, system_r, or unconfined_r, so that duplicate role definitions are not created. I can remove unconfined_r from the list in module_to_cil.c, but I am worried that that would break other policies.

[pebenito]

Each project's special case behavior is co-dependent on each other, making this a difficult cycle to break. I see the options as:

1. revert the policy change, live with co-dependence until refpolicy3 stops using module to cil in favor of cascade (cc @dburgener )
2. change refpolicy to emit cil instead of modules, bypassing module_to_cil.c behavior(?)
3. ?

[jwcart2]

We already allow types and type attributes to have duplicates if the multiple_decls field is set by calling cil_set_multiple_decls(). In secilc, this happens when you use the "-m" command-line option.

I could remove unconfined_r from the list in module_to_cil.c, allow multiple roles in CIL when the multiple_decls field is set, and change libsemanage to always call cil_set_multiple_decls() before calling cil_compile(). This should prevent problems with previous policies. Allowing multiple decls should be harmless.

[jwcart2]

I sent a patch series to the SELinux list which will fix this.