I tried to run the regression test for sepgsql on F28 (so I could
fix the now-obsolete expected-file therein). It fails at this
preparatory step:
$ sudo semodule -u sepgsql-regtest.pp
The --upgrade option is deprecated. Use --install instead.
neverallow check failed at
/var/lib/selinux/targeted/tmp/modules/100/base/cil:4703
(neverallow base_typeattr_6 base_typeattr_7 (process (fork transition sigchld
sigkill sigstop signull signal ptrace getsched setsched getsession getpgid
setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh
setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap
setkeycreate setsockcreate getrlimit)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/100/postgresql/cil:769
(allow sepgsql_client_type sepgsql_ranged_proc_t (process (transition)))
<root>
... lots more ...
optional at
/var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1617
optional at
/var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1676
allow at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1679
(allow sepgsql_regtest_superuser_t sepgsql_client_type (process
(dyntransition)))
Failed to generate binary
semodule: Failed!
For the moment I'll try an older Fedora release, but it seems
we have some work to do here.
regards, tom lane
