commit: c9c2899e8587e666eac4c409151695c859b61cfd
Author: Rahul Sandhu <nvraxn <AT> gmail <DOT> com>
AuthorDate: Mon Dec 22 11:55:18 2025 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Dec 29 19:18:53 2025 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9c2899e
selinux-policy-2.eclass: unconditionally load all modules in the store

In selinux-policy-2_pkg_postinst(), the installation of the unconfined policy module is already gated for the strict module store. This means there is no valid situation where the unconfined module is installed into the strict module store by portage. Hence — if a full reload is attempted — don't bother trying to filter out the unconfined module in any case: it shouldn't be there at all.

Nevertheless, the existing logic to filter out the unconfined module is broken. The unconfined module is filtered for all policy types apart from the targeted store. This however is inaccurate; both the mcs and mls stores support usage of the unconfined module, and it's actually enabled by default[1]! This has exacerbated the issues of the module ordering surrounding the unconfined policy module, such that a full reload of a policy store where the unconfined module is used can reliably be expected to fail. Various mappings for USE="unconfined" for the base policy module depend on having the unconfined policy module available (such as the default login mappings[2]).

This patch may not entirely fix the issues surrounding the unconfined module loading, however. It only comes into effect if the initial policy load fails. This may be related to bug 891963?

While we're at it, also update our ewarn message — which is displayed when we fail to reload all policy modules — to both use a full path to the policy modules, such that the user is not required to cd into the policy store first, and also follow the above recommendation and not filter out the unconfined module.

[1] https://github.com/gentoo/gentoo/blob/71c44ac5699be0b924fc42cb473a2e2872d1f59c/sec-policy/selinux-base/selinux-base-2.20250618-r1.ebuild#L23
[2] https://github.com/gentoo/gentoo/blob/71c44ac5699be0b924fc42cb473a2e2872d1f59c/sec-policy/selinux-base/selinux-base-2.20250618-r1.ebuild#L102-L106

Bug: https://bugs.gentoo.org/891963
Signed-off-by: Rahul Sandhu <nvraxn <AT> gmail.com> Signed-off-by: Sam James <sam <AT> gentoo.org> eclass/selinux-policy-2.eclass | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass index 739acc695cf3..d79c97d096c4 100644 --- a/eclass/selinux-policy-2.eclass +++ b/eclass/selinux-policy-2.eclass @@ -359,11 +359,8 @@ selinux-policy-2_pkg_postinst() { if [[ $? -ne 0 ]]; then ewarn "SELinux module load failed. Trying full reload..."; - if [[ "${1}" == "targeted" ]]; then - semodule ${root_opts} -s ${1} -i *.pp - else - semodule ${root_opts} -s ${1} -i $(ls *.pp | grep -v unconfined.pp); - fi + semodule ${root_opts} -s ${1} -i *.pp + if [[ $? -ne 0 ]]; then ewarn "Failed to reload SELinux policies." ewarn "" @@ -376,11 +373,8 @@ selinux-policy-2_pkg_postinst() { ewarn "action since the new SELinux policies are not loaded until the" ewarn "command finished successfully." ewarn "" - ewarn "To reload, run the following command from within /usr/share/selinux/${1}:" - ewarn " semodule -i *.pp" - ewarn "or" - ewarn " semodule -i \$(ls *.pp | grep -v unconfined.pp)" - ewarn "depending on if you need the unconfined domain loaded as well or not." + ewarn "To reload, run the following command:" + ewarn " semodule -i /usr/share/selinux/${1}/*.pp" else einfo "SELinux modules reloaded successfully." fi
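Review bot: the replacement line `semodule ${root_opts} -s ${1} -i *.pp` in the first hunk still relies on the working directory already being the module store, which the hunk does not show; if no `.pp` file matches there, bash hands the literal string `*.pp` to semodule and the following `if [[ $? -ne 0 ]]` reports a reload failure for the wrong reason. Since the second hunk already tells the user to run `semodule -i /usr/share/selinux/${1}/*.pp`, consider passing that same absolute path here (or a single variable both sites use) so the automated reload and the advice in the warning cannot drift apart.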
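Review bot: the manual command shown in the second hunk, `semodule -i /usr/share/selinux/${1}/*.pp`, omits the `${root_opts}` that the automated reload in the first hunk passes, so on an install with a non-default root the user is told to run a command against a different policy store than the eclass just tried. Either include the root option in the message when `root_opts` is non-empty, or state in the warning that the command applies to the live root only. Minor style point in the unchanged context line above the change: "until the command finished successfully" should read "until the command has finished successfully".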
