From: Stephen Smalley <sds@tycho.nsa.gov>
To: "Justin P. mattock" <justinmattock@gmail.com>
Cc: AlannY <m@alanny.ru>,
	SELinux@tycho.nsa.gov, Joshua Brindle <method@manicmethod.com>,
	Chad Sellers <csellers@tresys.com>
Subject: Re: Problem with compiling refpolicy base.pp
Date: Wed, 03 Mar 2010 10:53:23 -0500
Message-ID: <1267631603.6048.95.camel@moss-pluto.epoch.ncsc.mil>
In-Reply-To: <4B8E820D.8030807@gmail.com>

On Wed, 2010-03-03 at 07:36 -0800, Justin P. mattock wrote:
> On 03/03/2010 07:28 AM, Stephen Smalley wrote:
> > On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
> >> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> >>> Hi there.
> >>>
> >>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> >>> tools (libselinux policycoreutils). I'm trying to:
> >>>
> >>>      make bare
> >>>      make conf
> >>>      make base.pp
> >>>
> >>> My configuration:
> >>>
> >>> TYPE=mcs
> >>> NAME=refpolicy
> >>> UNK_PERMS=allow
> >>> DIRECT_INITRC=n
> >>> MONOLITHIC=n
> >>> UBAC=n
> >>> MLS_CATS=1024
> >>> MCS_CATS=1024
> >>>
> >>> But, the last command failed with the following error:
> >>>
> >>>      Creating refpolicy base module base.conf
> >>>      cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> >>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf>  base.conf
> >>>      Compiling refpolicy base module
> >>>      /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> >>>      /usr/bin/checkmodule:  loading policy configuration from base.conf
> >>>      base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> >>>      level s0:c0.c1023;
> >>>
> >>> Seems to be, it's a good line (2032), but checkmodule can't eat it.
> >>>
> >>> Where can be the problem?
> >>
> >> Looks like a scanner problem to me.  There have been problems with some
> >> versions of flex, e.g. see:
> >> http://marc.info/?t=125613782400001&r=1&w=2
> >> but no one has ever tracked it down precisely and I've never been able
> >> to reproduce.  Modify your checkpolicy Makefile to pass -d to $(LEX) so
> >> that it generates debug output and then capture the stderr of running
> >> checkpolicy on base.conf.  Here I get the following output for that
> >> line:
> >> --accepting rule at line 55 ("
> >> level s0:c0.c1023;")
> >> --accepting rule at line 116 ("level")
> >> --accepting rule at line 227 (" ")
> >> --accepting rule at line 219 ("s0")
> >> --accepting rule at line 235 (":")
> >> --accepting rule at line 219 ("c0.c1023")
> >> --accepting rule at line 236 (";")
> >>
> >> Note that the ":" gets treated as a separate token above, as it should,
> >> whereas your checkmodule seems to not be splitting it properly.
> >>
> >> You can look at checkpolicy/policy_scan.l and see if anything strikes
> >> you as problematic, but it looks sane to me.  Maybe it is matching on
> >> ipv6_addr instead.  On second look, I'm wondering why ipv6_addr has . in
> >> the pattern.  Does this help?
> >>
> >> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> >> index 48128a8..b7b8f0a 100644
> >> --- a/checkpolicy/policy_scan.l
> >> +++ b/checkpolicy/policy_scan.l
> >> @@ -219,7 +219,7 @@ PERMISSIVE			{ return(PERMISSIVE); }
> >>   {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
> >>   {digit}+|0x{hexval}+            { return(NUMBER); }
> >>   {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
> >> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
> >> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")*  { return(IPV6_ADDR); }
> >>   {digit}+(\.({alnum}|[_.])*)?    { return(VERSION_IDENTIFIER); }
> >>   #line[ ]1[ ]\"[^\n]*\"		{ set_source_file(yytext+9); }
> >>   #line[ ]{digit}+	        { source_lineno = atoi(yytext+6)-1; }
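Review bot: On the changed IPV6_ADDR line the pattern still requires two literal ":" before the optional tail, while the token in the reported error, ':c0.c1023', contains only one, so it is worth confirming from the -d scanner trace on the failing system that this rule is the one consuming the text before treating the change as the fix. Dropping "." from the tail also means an address written with a dotted-quad suffix no longer lexes as a single IPV6_ADDR; if that form has to stay accepted, the tail needs a narrower dotted alternative rather than none. The commit message should record which input was mis-tokenized and why the "." was removed.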
> >
> > Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
> > escaped via backslash as well?
> >
> 
> 
> if the flex version from git goes all the way
> back to 2.5* I'll do a bisect on this
> but if it only goes so far, then bisection
> can be tricky.

If my patch fixes the problem, it was a bug in checkpolicy, not a bug in
flex.

-- 
Stephen Smalley
National Security Agency
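
The longest-match tokenization that the quoted -d trace reports, as an added example that is not part of the original message or of checkpolicy: a Python emulation of the five rules visible in the quoted hunk, run with the IPV6_ADDR rule before and after the change. The letter/digit/alnum/hexval definitions, the SPACE and PUNCT stand-in rules, and the second input line are assumptions, since the message does not show them.

```python
import re

# Assumed definitions: the message does not show policy_scan.l's definitions section.
DEFS = {"letter": "[A-Za-z]", "digit": "[0-9]",
        "alnum": "[A-Za-z0-9]", "hexval": "[0-9A-Fa-f]"}

def rx(pattern):
    """Expand flex-style {name} references, then compile."""
    return re.compile(re.sub(r"\{([a-z]+)\}", lambda m: DEFS[m.group(1)], pattern))

# IPV6_ADDR before and after the quoted change (flex's quoted ":" written as a bare colon).
IPV6_OLD = r"{hexval}{0,4}:{hexval}{0,4}:({hexval}|[:.])*"
IPV6_NEW = r"{hexval}{0,4}:{hexval}{0,4}:({hexval}|:)*"

def rules(ipv6):
    # Same order as in the hunk; SPACE and PUNCT are simplified, assumed stand-ins.
    return [
        ("IDENTIFIER", rx(r"{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*")),
        ("NUMBER", rx(r"{digit}+|0x{hexval}+")),
        ("IPV4_ADDR", rx(r"{digit}{1,3}(\.{digit}{1,3}){3}")),
        ("IPV6_ADDR", rx(ipv6)),
        ("VERSION_IDENTIFIER", rx(r"{digit}+(\.({alnum}|[_.])*)?")),
        ("SPACE", rx(r"[ \t\n]+")),
        ("PUNCT", rx(r"[:;]")),
    ]

def scan(text, ipv6):
    """Tokenize the way flex does: longest match wins, ties go to the earlier rule."""
    table, out, pos = rules(ipv6), [], 0
    while pos < len(text):
        best_len, best_name = 0, "UNMATCHED"
        for name, pat in table:
            # Only try ends strictly longer than the current best, longest first.
            for end in range(len(text), pos + best_len, -1):
                if pat.fullmatch(text, pos, end):
                    best_len, best_name = end - pos, name
                    break
        best_len = max(best_len, 1)  # no rule matched: consume one character
        if best_name != "SPACE":
            out.append((best_name, text[pos:pos + best_len]))
        pos += best_len
    return out

MLS_LINE = "level s0:c0.c1023;"   # line 2032 from the report
MAPPED_LINE = "::ffff:1.2.3.4;"   # constructed input with a dotted tail

if __name__ == "__main__":
    for line in (MLS_LINE, MAPPED_LINE):
        for label, ipv6 in (("old", IPV6_OLD), ("new", IPV6_NEW)):
            print(label, repr(line), scan(line, ipv6))
```

Under these assumptions both versions of the rule split the reported line into the same tokens as the trace above; only the constructed dotted-tail input lexes differently.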

