# fatal error during selinux hierarchy check

## tomekk

Hello, I see a lot of audit avc: denied errors in dmesg.

For example:

```
audit(1193317686.662:4): avc:  denied  { read } for  pid=5177 comm="amavisd-maia" name="shadow" dev=sda3 ino=782491 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1193317699.005:5): avc:  denied  { read write } for  pid=5515 comm="smartd" name="sda" dev=tmpfs ino=2829 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1193317699.005:6): avc:  denied  { ioctl } for  pid=5515 comm="smartd" path="/dev/sda" dev=tmpfs ino=2829 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1193317700.194:7): avc:  denied  { read } for  pid=5628 comm="miniserv.pl" name="shadow" dev=sda3 ino=782491 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1193255187.244:140): avc:  denied  { relabelfrom } for  pid=7175 comm="setfiles" name="quotaoff" dev=sda3 ino=66582 ipaddr=82.160.43.100 scontext=root:system_r:system_chkpwd_t tcontext=root:object_r:portage_tmp_t tclass=lnk_file
audit(1193255188.580:199): avc:  denied  { unlink } for  pid=7325 comm="rm" name="quota-3.14.tar.gz" dev=sda3 ino=66152 ipaddr=82.160.43.100 scontext=root:system_r:system_chkpwd_t tcontext=root:object_r:portage_tmp_t tclass=lnk_file
audit(1193315352.300:226): avc:  denied  { getattr } for  pid=6021 comm="rsync" path="/tmp/tmpe8qyKi" dev=sda3 ino=48893 ipaddr=192.168.0.231 scontext=root:sysadm_r:portage_t.fetch tcontext=root:object_r:portage_tmp_t tclass=file
audit(1193315352.356:227): avc:  denied  { read } for  pid=6022 comm="rsync" name="tmpe8qyKi" dev=sda3 ino=48893 ipaddr=192.168.0.231 scontext=root:sysadm_r:portage_t.fetch tcontext=root:object_r:portage_tmp_t tclass=file
audit(1193315352.356:228): avc:  denied  { unlink } for  pid=6022 comm="rsync" name="tmpe8qyKi" dev=sda3 ino=48893 ipaddr=192.168.0.231 scontext=root:sysadm_r:portage_t.fetch tcontext=root:object_r:portage_tmp_t tclass=file
(...)
```

When I do "audit2allow -M local" on this log:

```
checkmodule  -m -o local.mod local.te
/usr/bin/audit2allow: libsepol.check_type_hierarchy_callback: type portage_t does not exist, portage_t.fetch is an orphan
libsepol.hierarchy_check_constraints: 1 total errors found during hierarchy check
checkmodule:  loading policy configuration from local.te
```

but after dropping the lines with "portage_t", audit2allow -M local and semodule -i local.pp give:

```
libsepol.check_assertion_helper: assertion on line 0 violated by allow initrc_t fixed_disk_device_t:blk_file { write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow system_chkpwd_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertion_helper: assertion on line 0 violated by allow initrc_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sysadm_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertion_helper: assertion on line 0 violated by allow initrc_t shadow_t:file { read };
libsepol.check_assertions: 5 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!
```

What can I do now?
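One way to sort denials like these before handing them to audit2allow, as an added example that is not code from the thread or from audit2allow itself. It separates the records whose source is a hierarchical child type (the ones the hierarchy check rejects as orphans) from those whose target is covered by a neverallow assertion (the ones semodule refuses), and renders the rest as allow rules for review. The sample records are copies of the ones above with the ipaddr= field dropped, and the set of assertion-protected types is an assumption to be filled from your own base policy.

```python
import re
from collections import defaultdict
# Constructed sample: the AVC records quoted above, with the ipaddr= field omitted.
SAMPLE_AVC = """\
audit(1193317686.662:4): avc:  denied  { read } for  pid=5177 comm="amavisd-maia" name="shadow" dev=sda3 ino=782491 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1193317699.005:5): avc:  denied  { read write } for  pid=5515 comm="smartd" name="sda" dev=tmpfs ino=2829 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
audit(1193255188.580:199): avc:  denied  { unlink } for  pid=7325 comm="rm" name="quota-3.14.tar.gz" dev=sda3 ino=66152 scontext=root:system_r:system_chkpwd_t tcontext=root:object_r:portage_tmp_t tclass=lnk_file
audit(1193315352.300:226): avc:  denied  { getattr } for  pid=6021 comm="rsync" path="/tmp/tmpe8qyKi" dev=sda3 ino=48893 scontext=root:sysadm_r:portage_t.fetch tcontext=root:object_r:portage_tmp_t tclass=file
"""
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
# Assumed list of target types the base policy guards with neverallow assertions;
# an allow rule on them is what produces "assertion on line 0 violated" at semodule time.
ASSERTION_TARGETS = {"shadow_t", "fixed_disk_device_t"}

def parse_avc(text):
    """Return one dict per denial: source type, target type, object class, permissions."""
    rules = []
    for m in AVC_RE.finditer(text):
        rules.append({
            "stype": m.group("scontext").split(":")[2],   # user:role:type[:mls]
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return rules

def triage(rules):
    """Bucket denials by what audit2allow will do with them.
    hierarchy: source is a child type (parent.child); checkmodule rejects the module as an
               orphan when the parent is not in the loaded base (portage_t.fetch here).
    assertion: target is neverallow-protected; allowing it fails at semodule time and usually
               means the process runs in the wrong domain (initrc_t reading shadow_t).
    candidate: an ordinary denial that a local module may allow after review.
    """
    buckets = defaultdict(list)
    for r in rules:
        if "." in r["stype"]:
            buckets["hierarchy"].append(r)
        elif r["ttype"] in ASSERTION_TARGETS:
            buckets["assertion"].append(r)
        else:
            buckets["candidate"].append(r)
    return buckets

def allow_rule(r):
    """Render a denial as the allow rule audit2allow would emit for it."""
    return f"allow {r['stype']} {r['ttype']}:{r['tclass']} {{ {' '.join(sorted(r['perms']))} }};"
```

Feed only the candidate bucket to audit2allow; the other two buckets point at a labelling or domain problem that an allow rule cannot fix.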

----------

## xathin

I'm also getting this error, but with portage_t.sandbox and portage_t.merge. I'm using latest ~amd64 packages, all updated as of today (Feb 16, 2008).

After removing the corresponding lines with portage_t.* in them, I have no problems compiling and loading the policy. Are the portage_t types not available?

----------

## mattwood2000

Hi xathin, 

*Quote:*

> After removing the corresponding lines with portage_t.* in them, I have no problems compiling and loading the policy. Are the portage_t types not available?

Do you mean removing these lines from the policy module?  If so how is the module supposed to allow these accesses?  I get errors when I try to insert my module...even a simple one like below.  Can you clarify?

Thanks, Matt.

simple module:

```
policy_module(portage_,1.0.0)

require {
type portage_t;
type portage_tmp_t;
type portage_t.fetch;
}

#============= portage_t.fetch ==============
allow portage_t.fetch portage_tmp_t:file getattr;
allow portage_t.fetch self:netlink_route_socket create;
```

```
libsepol.check_avtab_hierarchy_callback: hierarchy violation between types portage_t.fetch and portage_t.fetch : netlink_route_socket {  create }
```

----------

## ferfong

 *mattwood2000 wrote:*   

> Hi xathin, 
> 
> Do you mean removing these lines from the policy module?  If so how is the module supposed to allow these accesses?  I get errors when I try to insert my module...even a simple one like below.  Can you clarify?
> 
> Thanks, Matt.
> ...

 

Hi mattwood, did you ever resolve this problem yourself?

I believe I caused it by accidentally installing one of my own simple modules as a base module [semodule -b instead of -i; I have no idea how I did that].

I reinstalled the selinux-base-policy as the base with semodule -b /usr/share/selinux/strict/base.pp but still there is no portage_t.  I have remerged portage as well, with selinux enabled, but still no dice...

----------

