Bugzilla – Bug 1216452
selinux-policy: non-determinism in index.html
Last modified: 2023-11-20 08:41:05 UTC
While working on reproducible builds for openSUSE, I found that our selinux-policy package varied in /usr/share/selinux/devel/html/index.html even when keeping the environment very similar. This is probably generated during build by
    cd ~/rpmbuild/BUILD/selinux-policy* && python3 -E support/sedoctool.py -d doc/html -T doc/templates -x doc/policy.xml
but that call itself seems to be deterministic, so maybe there are other inputs that vary during a build.
index.html has order issues. These can occur when a hash map with a random hash-seed is used to produce the output. If that is the issue, the fix would be to sort the entries during output.
thanks, will take a look next week
Created attachment 870378 [details] diff from build-compare
Hmm okay, I found the issue, it is caused by:
> 418: %{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
(Test with:
> /usr/bin/sepolicy manpage -a -p foo -w -r /home/abuild/rpmbuild/BUILDROOT/selinux-policy-*/
)
The issue is caused here: https://github.com/SELinuxProject/selinux/blob/main/python/sepolicy/sepolicy/manpage.py#L159
> alphabet_manpages[i] = temp
should be
> alphabet_manpages[i] = sorted(temp)
sepolicy is packaged in policycoreutils, not selinux-policy. I will try to bring this upstream and prepare a fix for our packages later this week.
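The ordering problem discussed above, as an added example that is not part of the original comment or of the sepolicy code. It assumes the man page names reach the grouping step in hash-dependent order (modelled here with a set); the names are constructed samples, and `render` and `distinct_outputs` are hypothetical helpers. Each child interpreter runs with a different PYTHONHASHSEED, the way independent builds get different random seeds.

```python
import os
import subprocess
import sys

# Child program: groups names by first letter, as an index page generator would.
# The names are constructed for this example.
CHILD = r'''
import sys
names = {"httpd_selinux", "haproxy_selinux", "hddtemp_selinux", "hostname_selinux",
         "hwclock_selinux", "hypervkvp_selinux", "hsqldb_selinux", "hald_selinux",
         "sshd_selinux", "samba_selinux", "squid_selinux", "sssd_selinux"}
groups = {}
for name in names:               # set iteration order depends on str hashes
    groups.setdefault(name[0], []).append(name)
if sys.argv[1] == "sorted":      # the fix quoted above: sorted(temp)
    groups = {k: sorted(v) for k, v in groups.items()}
print("\n".join(",".join(groups[k]) for k in sorted(groups)))
'''


def render(seed, mode):
    """Run the child under a fixed hash seed and return the index it prints."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    proc = subprocess.run([sys.executable, "-c", CHILD, mode], env=env,
                          capture_output=True, text=True, check=True)
    return proc.stdout


def distinct_outputs(mode, seeds=range(1, 9)):
    """Collect the different outputs seen across simulated builds."""
    return {render(seed, mode) for seed in seeds}


if __name__ == "__main__":
    print("unsorted variants:", len(distinct_outputs("unsorted")))
    print("sorted variants:  ", len(distinct_outputs("sorted")))
```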
- Fix is now in factory: https://build.opensuse.org/request/show/1120220
- Patch for upstream was sent to list and got acked.
- ALP is still in review, but I think it should be okay
Closing
fix is upstream: https://github.com/SELinuxProject/selinux/commit/84e0884260c550ef840de6d09573444d93fb209a