JayJay-K

Reputation: 11

How can I handle an error on installing SELinux policy

I'm trying to install an SELinux policy that I made, but I get an error like the following:

Failed to resolve filecon statement at /var/lib/selinux/targeted/tmp/modules/400/mypolicy/cil:303 semodule: Failed! install failed :

I would like to know how I can handle this error. How can I find the error location in the .te or .fc file? What does the number '303' mean? Is it a line number? But the cil file is binary. Could you please let me know a way to handle this error?

Thanks.

Upvotes: 1

Views: 1543

Answers (2)

MikeBergmann

Reputation: 419

The transformation of your .te, .if and .fc files into the actual policy is a multi-step process.

When the system builds a policy module, first, checkmodule is used to construct a .mod intermediate file. Next, semodule_package is called, transforming this intermediate file and the corresponding file-context file into a .pp file.

In your error, semodule now complains about some problem in the policy package and gives the corresponding Common Intermediate Language line number as a reference. If you want to know more about CIL, see here: https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/README.md

To get the failing line within the CIL file, locate your pp file and call the pp compiler to get the CIL code. The pp compiler is in the High-Level Language Infrastructure folder called hll (see https://github.com/SELinuxProject/selinux/wiki/High-Level-Language-Infrastructure).

/recipe-sysroot-native/usr/libexec/selinux/hll/pp ./refpolicy/mypolicy.pp > mypolicy.txt

Now you can check the given line number in the mypolicy.txt.

Upvotes: 2
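The lookup described in the answer above, as an added example that is not part of the original answer: it parses the semodule message, reads the CIL text and returns the reported line with its neighbours. It works on the plain-text output of the pp converter (mypolicy.txt) and, as an assumption, also on a bzip2-compressed cil file, which is how a stored module can look binary; the function names and the sample policy are constructed for illustration.

```python
import bz2
import re
import tempfile
from pathlib import Path

# Matches the location semodule reports, e.g. ".../mypolicy/cil:303".
ERR_RE = re.compile(r"Failed to resolve (\w+) statement at (\S+):(\d+)")

def parse_semodule_error(message):
    """Return (statement_kind, cil_path, line_number) from a semodule error."""
    m = ERR_RE.search(message)
    if m is None:
        raise ValueError("no CIL location found in message")
    return m.group(1), m.group(2), int(m.group(3))

def read_cil(path):
    """Read CIL text, decompressing first if the file is bzip2 data (assumption)."""
    raw = Path(path).read_bytes()
    if raw.startswith(b"BZh"):  # bzip2 magic bytes
        raw = bz2.decompress(raw)
    return raw.decode("utf-8", errors="replace").splitlines()

def cil_context(path, lineno, radius=1):
    """Return [(number, text, is_reported_line)] around the 1-based lineno."""
    lines = read_cil(path)
    if not 1 <= lineno <= len(lines):
        raise IndexError(f"{path} has {len(lines)} lines, no line {lineno}")
    lo, hi = max(1, lineno - radius), min(len(lines), lineno + radius)
    return [(n, lines[n - 1], n == lineno) for n in range(lo, hi + 1)]

def demo():
    # Constructed sample: the filecon names a type that is never declared.
    cil = "\n".join([
        "(type mypolicy_t)",
        '(filecon "/opt/myapp(/.*)?" any (system_u object_r mypolicy_data_t ((s0) (s0))))',
        "(allow mypolicy_t self (process (fork)))",
    ])
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "cil"
        path.write_bytes(bz2.compress(cil.encode()))
        msg = f"Failed to resolve filecon statement at {path}:2"
        kind, cil_path, lineno = parse_semodule_error(msg)
        return kind, cil_context(cil_path, lineno)

if __name__ == "__main__":
    kind, ctx = demo()
    for n, text, hit in ctx:
        print(f"{'>>' if hit else '  '} {n:4d} {text}")
```

The path and type in the reported filecon line can then be matched against the entries in the .fc file.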

JayJay-K

Reputation: 11

I found a reason. In RH8, umask is added to /etc/pam.d/postlogin. So, for SFTP, the UMASK value in /etc/login.defs is pulled and applied as the umask value for SFTP. It was 077.

Redhat link

Upvotes: 0
