# [SOLVED] SELinux module issues, failed to resolve ast

## Jara0

Hello,

(Hopefully this is the right section)

I have been troubleshooting some SELinux-related errors for the last few days. Looking to migrate to a hardened+selinux configuration from just hardened. Currently this is all in a test VM so no risk for breakage. As I work my way through the audit errors I have been unable to load any of the custom policies I've created.

IE (initrc_t.te as an example)

[code]
policy_module(initrc_t, 1.0)

gen_require(`
        type initrc_t;
        type etc_t;
        type root_t;
        type unlabeled_t;
        type file_t;
        type dir_t;
')

#========== initrc_t ==============
allow initrc_t etc_t:lnk_file { create unlink };
allow initrc_t root_t:dir { write remove_name add_name };
allow initrc_t root_t:file { write create unlink open };
allow initrc_t unlabeled_t:file read;
[/code]

Once that is compiled ("sudo make -f /usr/share/selinux/strict/include/Makefile"), it creates the initrc_t.pp successfully. However, when I attempt to load it ("semodule -i initrc_t.pp"), I receive:

[code]
Failed to resolve typeattributeset statement at 7 of /var/lib/selinux/strict/tmp/modules/400/initrc_t/cil
Failed to resolve ast
semodule:  Failed!
[/code]

I read the https://wiki.gentoo.org/wiki/SELinux/FAQ#How_to_I_load_an_entire_policy_set.3F section, which seemed relevant; however, I have been unable to work around the "failed to resolve ast" error. I receive it with the 3 or 4 other policy modules I've tried creating and loading as well. Any help would be appreciated.

-Jara

----------

## Jara0

Resolved the issue myself. Needed to fix the policy. That error comes from including types that are not necessary/valid. It will still compile with them present, but apparently in a way that causes issues.

In the above case it was type file_t; type dir_t;. Remove those, recompile and voilà. Hope this helps someone.

----------
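The check implied by the fix above, as an added example that is not part of the original posts: it lists the types named in a module's gen_require block and prints those absent from a list of types in the loaded policy, so the mismatch shows up before `semodule -i` does. The function names and the known-types file are assumptions, and the type list used in `demo` is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: compare the types a .te file requires
# against a list of types present in the loaded policy.

# Print every type named on "type X;" lines inside gen_require(` ... ').
required_types() {
    awk -v endtok="')" '
        /gen_require\(/ { in_req = 1 }
        in_req && /^[ \t]*type[ \t]/ {
            sub(/^[ \t]*type[ \t]+/, ""); sub(/;.*$/, "")
            n = split($0, names, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (names[i] != "") print names[i]
        }
        in_req && index($0, endtok) { in_req = 0 }
    ' "$1"
}

# Print required types missing from the known-types file (one name per line).
missing_types() {
    required_types "$1" | sort -u | awk -v known="$2" '
        BEGIN { while ((getline line < known) > 0) {
                    gsub(/^[ \t]+|[ \t]+$/, "", line); have[line] = 1
                }
        }
        !($0 in have)
    '
}

# Constructed demo: the require block from the first post plus a sample type list.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/initrc_t.te" <<'EOF'
policy_module(initrc_t, 1.0)
gen_require(`
        type initrc_t;
        type etc_t;
        type root_t;
        type unlabeled_t;
        type file_t;
        type dir_t;
')
allow initrc_t unlabeled_t:file read;
EOF
    # Constructed list; on a real system take the names from the loaded policy.
    printf '%s\n' initrc_t etc_t root_t unlabeled_t > "$dir/known_types"
    missing_types "$dir/initrc_t.te" "$dir/known_types"
    rm -rf "$dir"
}

demo
```

On a real system the known-types file can be filled from `seinfo -t` (setools); leading indentation is stripped and the count header it prints matches no type name.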

