[SOLVED] SELinux module issues, failed to resolve ast

[Jara0]

Hello,

(Hopefully this is the right section)
I have been troubleshooting some SELinux related errors for the last few days. Looking to migrate to a hardened+selinux configuration from just hardened. Currently this is all in a test VM so no risk for breakage. As I work my way through the audit errors I have been unable to load any of the custom policies iv created.

IE (initrc_t.te as an example)
[code]policy_module(initrc_t, 1.0)
gen_require(`
type initrc_t;
type etc_t;
type root_t;
type unlabeled_t;
type file_t;
type dir_t;
')

#========== initrc_t ==============
allow initrc_t etc_t:lnk_file { create unlink };
allow initrc_t root_t:dir { write remove_name add_name };
allow initrc_t root_t:file { write create unlink open };
allow initrc_t unlabeled_t:file read;[/code]

Once that is compiled "sudo make -f /usr/share/selinux/strict/include/Makefile" is creates the initrc_t.pp successfully. However when I attempt to load it ("semodule -i initrc_t.pp"), I receive

Failed to resolve typeattributeset statement at 7 of /var/lib/selinux/strict/tmp/modules/400/initrc_t/cil
Failed to resolve ast
semodule: Failed!

I read the https://wiki.gentoo.org/wiki/SELinux/FAQ#How_to_I_load_an_entire_policy_set.3F section which seemed relevant however have been unable to work around the "failed to resolve ast" error. I receive it with the 3 or 4 other policy modules iv tried creating and loading as well. Any help would be appreciated.

-Jara

[Jara0]

resolved issue myself. Needed to fix the policy. That error comes from including types that are not necessary/valid. It will still compile with them present but apparently in a way that causes issues.

In the above case it was type file_t; type dir_t;. Remove those, recompile and wala. Hope this helps someone.