@Caesurus
Last active June 30, 2025 11:54
SELinux policy Load Errors

I recently started working on a policy migration to a new system. The following errors are cryptic, and it took some digging to figure out what was going on. I saw others online had the same errors, but the general fix seemed to be "load the new policy", without really going into details of how policies are fixed.

```
Compiling targeted netmgr module
Creating targeted netmgr.pp policy package
Loading targeted modules: netmgr
Failed to resolve filecon statement at /var/lib/selinux/targeted/tmp/modules/400/netmgr/cil:50
/usr/sbin/semodule:  Failed!
make: *** [/usr/share/selinux/devel/include/Makefile:145: reload] Error 1
```

Cause: the fc file contains a context that can't be resolved. Using `system_u:object_r:netmgr_conf_t` instead of `system_u:object_r:netmgr_conf_t:s0`, or using a type that is not defined yet, as in `system_u:object_r:notdefined_yet_t:s0`, will cause this error.


```
Compiling targeted netmgr module
Creating targeted netmgr.pp policy package
Loading targeted modules: netmgr
Problems processing filecon rules
Failed post db handling
/usr/sbin/semodule:  Failed!
make: *** [/usr/share/selinux/devel/include/Makefile:145: reload] Error 1
```

Cause: the fc file contains an entry that duplicates another entry elsewhere. E.g. `/bin/myscript\.sh -- system_u:object_r:policy_script_t:s0` in this module and another entry elsewhere: `/bin/myscript\.sh -- system_u:object_r:otherpolicy_t:s0`

The `semanage fcontext` command can be useful for finding these conflicts: `semanage fcontext -l | grep /bin/myscript`
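A small linter for the two fc-file causes above (a context missing its `:s0` level or naming an undeclared type, and a path declared twice), added here as an example and not part of the original gist. It assumes literal contexts as written on this page (lines using `gen_context()` or `<<none>>` are skipped); the function names and the sample `.te`/`.fc` text are constructed.

```python
import re
from collections import defaultdict

FILE_TYPES = {"--", "-d", "-l", "-c", "-b", "-s", "-p"}

def declared_types(te_text):
    """Names from `type foo_t;` or `type foo_t, attr;` declarations in a .te file."""
    return set(re.findall(r"^\s*type\s+(\w+)\s*[,;]", te_text, re.MULTILINE))

def lint_fc(fc_sources, known_types):
    """fc_sources maps file name -> .fc text; returns [(file, line, message)]."""
    findings, seen = [], defaultdict(list)
    for name, text in fc_sources.items():
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            # Only literal-context entries; skip comments, m4, gen_context(), <<none>>.
            if not line.startswith("/") or "gen_context(" in line or "<<none>>" in line:
                continue
            fields = line.split()
            if len(fields) < 2:
                continue
            path, context = fields[0], fields[-1]
            ftype = fields[1] if len(fields) == 3 and fields[1] in FILE_TYPES else ""
            parts = context.split(":")  # user:role:type[:mls range]
            if len(parts) < 4:
                findings.append((name, lineno, f"missing MLS level in {context}"))
            if len(parts) >= 3 and parts[2] not in known_types:
                findings.append((name, lineno, f"undeclared type {parts[2]}"))
            # Same path regex and file type seen before: the duplicate-entry case.
            for other, other_line in seen[(path, ftype)]:
                findings.append((name, lineno, f"duplicates {other}:{other_line}"))
            seen[(path, ftype)].append((name, lineno))
    return findings

# Constructed sample input reusing the names from the text above.
SAMPLE_TE = "type netmgr_conf_t;\ntype policy_script_t, exec_type;\ntype otherpolicy_t;\n"
SAMPLE_FC = {
    "netmgr.fc": r"""
/etc/netmgr(/.*)?          system_u:object_r:netmgr_conf_t
/var/lib/netmgr(/.*)?      system_u:object_r:notdefined_yet_t:s0
/bin/myscript\.sh      --  system_u:object_r:policy_script_t:s0
""",
    "other.fc": r"""
/bin/myscript\.sh      --  system_u:object_r:otherpolicy_t:s0
""",
}

if __name__ == "__main__":
    for finding in lint_fc(SAMPLE_FC, declared_types(SAMPLE_TE)):
        print("%s:%d: %s" % finding)
```

Types declared by modules that are already loaded on the system have to be added to `known_types` by hand, since only the `.te` text passed in is parsed.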


```
Compiling targeted netmgr module
Creating targeted netmgr.pp policy package
Loading targeted modules: netmgr
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/netmgr/cil:14
/usr/sbin/semodule:  Failed!
make: *** [/usr/share/selinux/devel/include/Makefile:145: reload] Error 1
```

Cause: the `require { type }` block includes a type that doesn't exist or isn't loaded yet.

Hope this helps save someone else out there some time.

@centerboy88

Hi, you are the one and only who documented such stuff. I am currently also working on creating a module for wazuh-agentd and got the same error you got in your first example:

```
/usr/sbin/semodule -X 400 -i wazuh_agentd.pp
Failed to resolve filecon statement at /var/lib/selinux/targeted/tmp/modules/400/wazuh_agentd/cil:170
Failed to resolve AST
/usr/sbin/semodule: Failed!
```

You proposed to delete the MLS definition at the end of the label 's0', or did I miss something?

@Caesurus
Author

> Hi, you are the one and only who documented such stuff. I am currently also working on creating a module for wazuh-agentd and got the same error you got in your first example:
>
> ```
> /usr/sbin/semodule -X 400 -i wazuh_agentd.pp
> Failed to resolve filecon statement at /var/lib/selinux/targeted/tmp/modules/400/wazuh_agentd/cil:170
> Failed to resolve AST
> /usr/sbin/semodule: Failed!
> ```
>
> You proposed to delete the MLS definition at the end of the label 's0', or did I miss something?

Sorry, this was many years ago, so I'm not sure how relevant they still are. It looks like you have a "Fail to resolve AST", which I did not run into. I believe the first error I documented indicates that one of the rules was missing a `:s0` or referred to a type that had not been defined yet, e.g. `notdefined_yet_t`. Sorry for the late response.
