Unable to build .pp file or RPM from RHEL branch or latest tag

[mlcooper]

My build server, where I'm trying to build the PP file or RPM package has these components:

[root@n7-z01-0a2a0576 yum.repos.d]# uname -r
3.10.0-514.10.2.el7.x86_64
[root@n7-z01-0a2a0576 yum.repos.d]# yum list installed|grep selinux
libselinux.x86_64               2.5-6.el7                          @os/7.0
libselinux-python.x86_64        2.5-6.el7                          @os/7.0
libselinux-utils.x86_64         2.5-6.el7                          @os/7.0
selinux-policy.noarch           3.13.1-102.el7_3.15                @base
selinux-policy-devel.noarch     3.13.1-102.el7_3.15                @base
selinux-policy-targeted.noarch  3.13.1-102.el7_3.15                @base
[root@n7-z01-0a2a0576 yum.repos.d]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)

However when I try to build the RPM from either of the RHEL branches, or master, I get a syntax error and the .bz2 file will got build. Here's an example:

[root@n7-z01-0a2a0576 container-selinux-0.1.0]# git checkout RHEL-1.12
Previous HEAD position was 8f8caa6... Bump to v2.10
Switched to branch 'RHEL-1.12'
[root@n7-z01-0a2a0576 container-selinux-0.1.0]# git pull
Already up-to-date.
[root@n7-z01-0a2a0576 container-selinux-0.1.0]# make clean
rm -f *~  *.tc *.pp *.pp.bz2
rm -rf tmp *.tar.gz
[root@n7-z01-0a2a0576 container-selinux-0.1.0]# make
make -f /usr/share/selinux/devel/Makefile container.pp
make[1]: Entering directory `/root/container-selinux-0.1.0'
container.if:548: Error: duplicate definition of docker_exec_lib(). Original definition on 71.
container.if:552: Error: duplicate definition of docker_read_share_files(). Original definition on 109.
container.if:556: Error: duplicate definition of docker_exec_share_files(). Original definition on 131.
container.if:560: Error: duplicate definition of docker_manage_lib_files(). Original definition on 149.
container.if:565: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 169.
container.if:569: Error: duplicate definition of docker_lib_filetrans(). Original definition on 205.
container.if:573: Error: duplicate definition of docker_read_pid_files(). Original definition on 223.
container.if:577: Error: duplicate definition of docker_systemctl(). Original definition on 242.
container.if:581: Error: duplicate definition of docker_use_ptys(). Original definition on 285.
container.if:585: Error: duplicate definition of docker_stream_connect(). Original definition on 336.
container.if:589: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 355.
Compiling targeted container module
/usr/bin/checkmodule:  loading policy configuration from tmp/container.tmp
container.te:270:ERROR 'syntax error' at token 'init_stop' on line 9368:
init_stop(container_runtime_t)

/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make[1]: *** [tmp/container.mod] Error 1
make[1]: Leaving directory `/root/container-selinux-0.1.0'
make: *** [container.pp] Error 2
[root@n7-z01-0a2a0576 container-selinux-0.1.0]# ll
total 88
-rw------- 1 root root  3953 Mar  6 09:13 container.fc
-rw------- 1 root root 13989 Mar  6 09:13 container.if
-rw------- 1 root root  3045 Mar  6 09:47 container-selinux.spec
-rw------- 1 root root 26679 Mar  6 09:47 container.te
-rw------- 1 root root 17987 Mar  6 05:48 LICENSE
-rw------- 1 root root   669 Mar  6 09:13 Makefile
-rw------- 1 root root    38 Mar  6 09:13 README.md
drwx------ 2 root root  4096 Mar  6 09:48 tmp
-rw------- 1 root root     5 Mar  6 09:13 VERSION

I expected the .bz2 file to get built and then I can run an rpmbuild -ba container-selinux.spec to build the RPM file.

Do you see anything I could be doing incorrect?

[mlcooper]

Also, just so I am clear, which branch/tag should I be using to build from to use on a RHEL 7.3 box running docker-engine 1.13.1?

[lsm5]

@mlcooper can you please check if your RHEL-1.12 branch is on commit 7a17443 (the latest on that branch). That builds just fine for me on RHEL 7.3.

[mlcooper]

The latest commit 7a17443 now does build on my RHEL7.3 box. I am sure I did a git pull late yesterday to ensure I had the latest on this branch, but today when I did the git pull I did receive a newer commit.

I am now checking to see if I can build an RPM and deploy it on a rhel7.3 box

[rhatdan]

Yes I fixed the issues you were seeing yesterday. Sorry about breaking your build.

[lsm5]

@mlcooper just a headsup, make sure to update the commit id in container-selinux.spec on line 8 to the latest on RHEL-1.12 before you build it. Else it will probably complain. I think I can mirror the RHEL dist-git for container-selinux on github if people feel the need.

I'm not a fan of the rpm specfile living in the upstream repo itself, but whatever makes @rhatdan happy.

[mlcooper]

@lsm5 I'm not sure I follow where to put the commit id on line 8:
https://github.com/projectatomic/container-selinux/blob/RHEL-1.12/container-selinux.spec#L8

It is a comment line at the moment.

[lsm5]

That file is way too old. Much preferable to fetch and use https://src.fedoraproject.org/cgit/rpms/container-selinux.git/tree/container-selinux.spec . Change line 9 to the latest commit id on RHEL-1.12 branch.

Then spectool -g container-selinux.spec followed by rpmbuild.

specfiles in the upstream repo often end up being stale, coz all updates usually go to the dist-git repos. Hence me not being a fan of it.

[lsm5]

That's actually fedora's specfile, but does include conditions for RHEL. If it doesn't work like expected, let me know

[mlcooper]

Thanks for the further instructions/clarification there, @lsm5

I built the rpm, and it installed successfully:

[root@n7-z01-0a2a0576 yum.repos.d]# yum list installed|grep container
container-selinux.noarch           2.10-1.el7                      @eat-rhel7

Is this the actual module it installs?

[root@n7-z01-0a2a0576 yum.repos.d]# semodule -l|grep container
container       1.0.0

[rhatdan]

@lsm5 I agree, I also think the spec file should just be an example. The real spec file should live in the rhel/fedora dist-gits.

[rhatdan]

BTW We have been asked to move this project to OCI/selinux repo. So all things SELinux for containers would be under one repo.

Go bindings and selinux policy.

[lsm5]

@mlcooper yes, that's the installed module.

@rhatdan is the spec file better under something like an example dir or similar? Just that I feel having the spec file listed the way like it is now, gives the impression that it's current, specially to new users. Or maybe just a comment in this file that it's most likely out of date and the user should proceed with caution / fetch from dist-gits.

[rhatdan]

Sure I will move it to a sample directory.

[rhatdan]

Moved it to a contrib directory in master branch.