* Problem with compiling refpolicy base.pp
From: AlannY @ 2010-03-03 14:31 UTC
To: SELinux

Hi there.

I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
tools (libselinux policycoreutils). I'm trying to:

make bare
make conf
make base.pp

My configuration:

TYPE=mcs
NAME=refpolicy
UNK_PERMS=allow
DIRECT_INITRC=n
MONOLITHIC=n
UBAC=n
MLS_CATS=1024
MCS_CATS=1024

But, the last command failed with the following error:

Creating refpolicy base module base.conf
cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
Compiling refpolicy base module
/usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
level s0:c0.c1023;

Seems to be, it's a good line (2032), but checkmodule can't eat it.

Where can be the problem?

--
)\._.,--....,'``.
/, _.. \ _\ (`._ ,.
`._.-(,_..'--(,_..'`-.;.'

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: Problem with compiling refpolicy base.pp
From: Stephen Smalley @ 2010-03-03 15:21 UTC
To: AlannY; +Cc: SELinux, Joshua Brindle, Chad Sellers

On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> Hi there.
>
> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> tools (libselinux policycoreutils). I'm trying to:
>
> make bare
> make conf
> make base.pp
>
> My configuration:
>
> TYPE=mcs
> NAME=refpolicy
> UNK_PERMS=allow
> DIRECT_INITRC=n
> MONOLITHIC=n
> UBAC=n
> MLS_CATS=1024
> MCS_CATS=1024
>
> But, the last command failed with the following error:
>
> Creating refpolicy base module base.conf
> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
> Compiling refpolicy base module
> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> /usr/bin/checkmodule: loading policy configuration from base.conf
> base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> level s0:c0.c1023;
>
> Seems to be, it's a good line (2032), but checkmodule can't eat it.
>
> Where can be the problem?

Looks like a scanner problem to me. There have been problems with some
versions of flex, e.g. see:
http://marc.info/?t=125613782400001&r=1&w=2
but no one has ever tracked it down precisely and I've never been able
to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so
that it generates debug output and then capture the stderr of running
checkpolicy on base.conf. Here I get the following output for that
line:
--accepting rule at line 55 ("
level s0:c0.c1023;")
--accepting rule at line 116 ("level")
--accepting rule at line 227 (" ")
--accepting rule at line 219 ("s0")
--accepting rule at line 235 (":")
--accepting rule at line 219 ("c0.c1023")
--accepting rule at line 236 (";")

Note that the ":" gets treated as a separate token above, as it should,
whereas your checkmodule seems to not be splitting it properly.

You can look at checkpolicy/policy_scan.l and see if anything strikes
you as problematic, but it looks sane to me. Maybe it is matching on
ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in
the pattern. Does this help?

diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l index 48128a8..b7b8f0a 100644 --- a/checkpolicy/policy_scan.l +++ b/checkpolicy/policy_scan.l @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); } {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } {digit}+|0x{hexval}+ { return(NUMBER); } {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); } {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }

--
Stephen Smalley
National Security Agency

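Review bot: Removing "." from the trailing group of the IPV6_ADDR rule, ({hexval}|[:.])* to ({hexval}|":")*, narrows what the rule accepts: an address written with a dotted-quad tail would now end at the first "." and the rest would be scanned as separate tokens. Both versions of the rule still begin with {hexval}{0,4}":"{hexval}{0,4}":", so each needs two colons before the changed part is reached, and the edit by itself does not account for a match on ':c0.c1023'. If the "." is there for dotted-quad tails, keep it as an explicit alternative such as ({hexval}|":"|".")*, and add a short comment on the rule saying which address forms it is meant to cover.
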
* Re: Problem with compiling refpolicy base.pp
From: Stephen Smalley @ 2010-03-03 15:28 UTC (permalink / raw) To: AlannY; +Cc: SELinux, Joshua Brindle, Chad Sellers On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote: > On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote: > > Hi there. > > > > I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc > > tools (libselinux policycoreutils). I'm trying to: > > > > make bare > > make conf > > make base.pp > > > > My configuration: > > > > TYPE=mcs > > NAME=refpolicy > > UNK_PERMS=allow > > DIRECT_INITRC=n > > MONOLITHIC=n > > UBAC=n > > MLS_CATS=1024 > > MCS_CATS=1024 > > > > But, the last command failed with the following error: > > > > Creating refpolicy base module base.conf > > cat tmp/pre_te_files.conf tmp/all_attrs_types.conf > > tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf > > Compiling refpolicy base module > > /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod > > /usr/bin/checkmodule: loading policy configuration from base.conf > > base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032: > > level s0:c0.c1023; > > > > Seems to be, it's a good line (2032), but checkmodule can't eat it. > > > > Where can be the probem? > > Looks like a scanner problem to me. There have been problems with some > versions of flex, e.g. see: > http://marc.info/?t=125613782400001&r=1&w=2 > but no one has ever tracked it down precisely and I've never been able > to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so > that it generates debug output and then capture the stderr of running > checkpolicy on base.conf. 
Here I get the following output for that
> line:
> --accepting rule at line 55 ("
> level s0:c0.c1023;")
> --accepting rule at line 116 ("level")
> --accepting rule at line 227 (" ")
> --accepting rule at line 219 ("s0")
> --accepting rule at line 235 (":")
> --accepting rule at line 219 ("c0.c1023")
> --accepting rule at line 236 (";")
>
> Note that the ":" gets treated as a separate token above, as it should,
> whereas your checkmodule seems to not be splitting it properly.
>
> You can look at checkpolicy/policy_scan.l and see if anything strikes
> you as problematic, but it looks sane to me. Maybe it is matching on
> ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in
> the pattern. Does this help?
>
> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l > index 48128a8..b7b8f0a 100644 > --- a/checkpolicy/policy_scan.l > +++ b/checkpolicy/policy_scan.l > @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); } > {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } > {digit}+|0x{hexval}+ { return(NUMBER); } > {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } > -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } > +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); } > {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } > #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } > #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }

Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
escaped via backslash as well?

--
Stephen Smalley
National Security Agency

* Re: Problem with compiling refpolicy base.pp
From: Justin P. mattock @ 2010-03-03 15:36 UTC (permalink / raw) To: Stephen Smalley; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers On 03/03/2010 07:28 AM, Stephen Smalley wrote: > On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote: >> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote: >>> Hi there. >>> >>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc >>> tools (libselinux policycoreutils). I'm trying to: >>> >>> make bare >>> make conf >>> make base.pp >>> >>> My configuration: >>> >>> TYPE=mcs >>> NAME=refpolicy >>> UNK_PERMS=allow >>> DIRECT_INITRC=n >>> MONOLITHIC=n >>> UBAC=n >>> MLS_CATS=1024 >>> MCS_CATS=1024 >>> >>> But, the last command failed with the following error: >>> >>> Creating refpolicy base module base.conf >>> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf >>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf> base.conf >>> Compiling refpolicy base module >>> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod >>> /usr/bin/checkmodule: loading policy configuration from base.conf >>> base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032: >>> level s0:c0.c1023; >>> >>> Seems to be, it's a good line (2032), but checkmodule can't eat it. >>> >>> Where can be the probem? >> >> Looks like a scanner problem to me. There have been problems with some >> versions of flex, e.g. see: >> http://marc.info/?t=125613782400001&r=1&w=2 >> but no one has ever tracked it down precisely and I've never been able >> to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so >> that it generates debug output and then capture the stderr of running >> checkpolicy on base.conf. 
Here I get the following output for that >> line: >> --accepting rule at line 55 (" >> level s0:c0.c1023;") >> --accepting rule at line 116 ("level") >> --accepting rule at line 227 (" ") >> --accepting rule at line 219 ("s0") >> --accepting rule at line 235 (":") >> --accepting rule at line 219 ("c0.c1023") >> --accepting rule at line 236 (";") >> >> Note that the ":" gets treated as a separate token above, as it should, >> whereas your checkmodule seems to not be splitting it properly. >> >> You can look at checkpolicy/policy_scan.l and see if anything strikes >> you as problematic, but it looks sane to me. Maybe it is matching on >> ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in >> the pattern. Does this help? >> >> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l >> index 48128a8..b7b8f0a 100644 >> --- a/checkpolicy/policy_scan.l >> +++ b/checkpolicy/policy_scan.l 
>> @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); } >> {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } >> {digit}+|0x{hexval}+ { return(NUMBER); } >> {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } >> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } >> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); } >> {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } >> #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } >> #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
>
> Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
> escaped via backslash as well?
>

if the flex version from git goes all the way
back to 2.5* I'll do a bisect on this
but if it only goes so far, then bisection
can be tricky.

Justin P. Mattock

* Re: Problem with compiling refpolicy base.pp
From: Stephen Smalley @ 2010-03-03 15:53 UTC (permalink / raw) To: Justin P. mattock; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers On Wed, 2010-03-03 at 07:36 -0800, Justin P. mattock wrote: > On 03/03/2010 07:28 AM, Stephen Smalley wrote: > > On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote: > >> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote: > >>> Hi there. > >>> > >>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc > >>> tools (libselinux policycoreutils). I'm trying to: > >>> > >>> make bare > >>> make conf > >>> make base.pp > >>> > >>> My configuration: > >>> > >>> TYPE=mcs > >>> NAME=refpolicy > >>> UNK_PERMS=allow > >>> DIRECT_INITRC=n > >>> MONOLITHIC=n > >>> UBAC=n > >>> MLS_CATS=1024 > >>> MCS_CATS=1024 > >>> > >>> But, the last command failed with the following error: > >>> > >>> Creating refpolicy base module base.conf > >>> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf > >>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf> base.conf > >>> Compiling refpolicy base module > >>> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod > >>> /usr/bin/checkmodule: loading policy configuration from base.conf > >>> base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032: > >>> level s0:c0.c1023; > >>> > >>> Seems to be, it's a good line (2032), but checkmodule can't eat it. > >>> > >>> Where can be the probem? > >> > >> Looks like a scanner problem to me. There have been problems with some > >> versions of flex, e.g. see: > >> http://marc.info/?t=125613782400001&r=1&w=2 > >> but no one has ever tracked it down precisely and I've never been able > >> to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so > >> that it generates debug output and then capture the stderr of running > >> checkpolicy on base.conf. 
Here I get the following output for that > >> line: > >> --accepting rule at line 55 (" > >> level s0:c0.c1023;") > >> --accepting rule at line 116 ("level") > >> --accepting rule at line 227 (" ") > >> --accepting rule at line 219 ("s0") > >> --accepting rule at line 235 (":") > >> --accepting rule at line 219 ("c0.c1023") > >> --accepting rule at line 236 (";") > >> > >> Note that the ":" gets treated as a separate token above, as it should, > >> whereas your checkmodule seems to not be splitting it properly. > >> > >> You can look at checkpolicy/policy_scan.l and see if anything strikes > >> you as problematic, but it looks sane to me. Maybe it is matching on > >> ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in > >> the pattern. Does this help? > >> > >> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l > >> index 48128a8..b7b8f0a 100644 > >> --- a/checkpolicy/policy_scan.l > >> +++ b/checkpolicy/policy_scan.l 
> >> @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); } > >> {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } > >> {digit}+|0x{hexval}+ { return(NUMBER); } > >> {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } > >> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } > >> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); } > >> {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } > >> #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } > >> #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
> >
> > Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
> > escaped via backslash as well?
> >
>
>
> if the flex version from git goes all the way
> back to 2.5* I'll do a bisect on this
> but if it only goes so far, then bisection
> can be tricky.

If my patch fixes the problem, it was a bug in checkpolicy, not a bug in
flex.

--
Stephen Smalley
National Security Agency

* Re: Problem with compiling refpolicy base.pp
From: Justin P. mattock @ 2010-03-03 16:24 UTC (permalink / raw) To: Stephen Smalley; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers On 03/03/2010 07:53 AM, Stephen Smalley wrote: > On Wed, 2010-03-03 at 07:36 -0800, Justin P. mattock wrote: >> On 03/03/2010 07:28 AM, Stephen Smalley wrote: >>> On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote: >>>> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote: >>>>> Hi there. >>>>> >>>>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc >>>>> tools (libselinux policycoreutils). I'm trying to: >>>>> >>>>> make bare >>>>> make conf >>>>> make base.pp >>>>> >>>>> My configuration: >>>>> >>>>> TYPE=mcs >>>>> NAME=refpolicy >>>>> UNK_PERMS=allow >>>>> DIRECT_INITRC=n >>>>> MONOLITHIC=n >>>>> UBAC=n >>>>> MLS_CATS=1024 >>>>> MCS_CATS=1024 >>>>> >>>>> But, the last command failed with the following error: >>>>> >>>>> Creating refpolicy base module base.conf >>>>> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf >>>>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf> base.conf >>>>> Compiling refpolicy base module >>>>> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod >>>>> /usr/bin/checkmodule: loading policy configuration from base.conf >>>>> base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032: >>>>> level s0:c0.c1023; >>>>> >>>>> Seems to be, it's a good line (2032), but checkmodule can't eat it. >>>>> >>>>> Where can be the probem? >>>> >>>> Looks like a scanner problem to me. There have been problems with some >>>> versions of flex, e.g. see: >>>> http://marc.info/?t=125613782400001&r=1&w=2 >>>> but no one has ever tracked it down precisely and I've never been able >>>> to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so >>>> that it generates debug output and then capture the stderr of running >>>> checkpolicy on base.conf. 
Here I get the following output for that >>>> line: >>>> --accepting rule at line 55 (" >>>> level s0:c0.c1023;") >>>> --accepting rule at line 116 ("level") >>>> --accepting rule at line 227 (" ") >>>> --accepting rule at line 219 ("s0") >>>> --accepting rule at line 235 (":") >>>> --accepting rule at line 219 ("c0.c1023") >>>> --accepting rule at line 236 (";") >>>> >>>> Note that the ":" gets treated as a separate token above, as it should, >>>> whereas your checkmodule seems to not be splitting it properly. >>>> >>>> You can look at checkpolicy/policy_scan.l and see if anything strikes >>>> you as problematic, but it looks sane to me. Maybe it is matching on >>>> ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in >>>> the pattern. Does this help? >>>> >>>> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l >>>> index 48128a8..b7b8f0a 100644 >>>> --- a/checkpolicy/policy_scan.l >>>> +++ b/checkpolicy/policy_scan.l 
>>>> @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); } >>>> {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } >>>> {digit}+|0x{hexval}+ { return(NUMBER); } >>>> {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } >>>> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } >>>> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); } >>>> {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } >>>> #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } >>>> #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
>>>
>>> Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
>>> escaped via backslash as well?
>>>
>>
>>
>> if the flex version from git goes all the way
>> back to 2.5* I'll do a bisect on this
>> but if it only goes so far, then bisection
>> can be tricky.
>
> If my patch fixes the problem, it was a bug in checkpolicy, not a bug in
> flex.
>

here's what I get:

flex --version
flex 2.5.35

(without the patch applied).

Compiling mcs base module
/usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
base.conf:1265:ERROR 'syntax error' at token ':c0.c255' on line 1265:

level s0:c0.c255;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1

(after applying patch):

Compiling mcs base module
/usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
base.conf:1265:ERROR 'syntax error' at token ':c0' on line 1265:

level s0:c0.c255;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1

as soon as I compile checkpolicy/checkmodule with the older version of
flex the policy will compile without the syntax error.

but if this is userspace(SELinux) issue, I can try a bisect with
checkpolicy/checkmodule.

Justin P. Mattock

* Re: Problem with compiling refpolicy base.pp
From: Stephen Smalley @ 2010-03-03 16:27 UTC (permalink / raw) To: Justin P. mattock; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers On Wed, 2010-03-03 at 08:24 -0800, Justin P. mattock wrote: > On 03/03/2010 07:53 AM, Stephen Smalley wrote: > > On Wed, 2010-03-03 at 07:36 -0800, Justin P. mattock wrote: > >> On 03/03/2010 07:28 AM, Stephen Smalley wrote: > >>> On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote: > >>>> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote: > >>>>> Hi there. > >>>>> > >>>>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc > >>>>> tools (libselinux policycoreutils). I'm trying to: > >>>>> > >>>>> make bare > >>>>> make conf > >>>>> make base.pp > >>>>> > >>>>> My configuration: > >>>>> > >>>>> TYPE=mcs > >>>>> NAME=refpolicy > >>>>> UNK_PERMS=allow > >>>>> DIRECT_INITRC=n > >>>>> MONOLITHIC=n > >>>>> UBAC=n > >>>>> MLS_CATS=1024 > >>>>> MCS_CATS=1024 > >>>>> > >>>>> But, the last command failed with the following error: > >>>>> > >>>>> Creating refpolicy base module base.conf > >>>>> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf > >>>>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf> base.conf > >>>>> Compiling refpolicy base module > >>>>> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod > >>>>> /usr/bin/checkmodule: loading policy configuration from base.conf > >>>>> base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032: > >>>>> level s0:c0.c1023; > >>>>> > >>>>> Seems to be, it's a good line (2032), but checkmodule can't eat it. > >>>>> > >>>>> Where can be the probem? > >>>> > >>>> Looks like a scanner problem to me. There have been problems with some > >>>> versions of flex, e.g. see: > >>>> http://marc.info/?t=125613782400001&r=1&w=2 > >>>> but no one has ever tracked it down precisely and I've never been able > >>>> to reproduce. 
Modify your checkpolicy Makefile to pass -d to $(LEX) so > >>>> that it generates debug output and then capture the stderr of running > >>>> checkpolicy on base.conf. Here I get the following output for that > >>>> line: > >>>> --accepting rule at line 55 (" > >>>> level s0:c0.c1023;") > >>>> --accepting rule at line 116 ("level") > >>>> --accepting rule at line 227 (" ") > >>>> --accepting rule at line 219 ("s0") > >>>> --accepting rule at line 235 (":") > >>>> --accepting rule at line 219 ("c0.c1023") > >>>> --accepting rule at line 236 (";") > >>>> > >>>> Note that the ":" gets treated as a separate token above, as it should, > >>>> whereas your checkmodule seems to not be splitting it properly. > >>>> > >>>> You can look at checkpolicy/policy_scan.l and see if anything strikes > >>>> you as problematic, but it looks sane to me. Maybe it is matching on > >>>> ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in > >>>> the pattern. Does this help? > >>>> > >>>> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l > >>>> index 48128a8..b7b8f0a 100644 > >>>> --- a/checkpolicy/policy_scan.l > >>>> +++ b/checkpolicy/policy_scan.l 
> >>>> @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); } > >>>> {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } > >>>> {digit}+|0x{hexval}+ { return(NUMBER); } > >>>> {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } > >>>> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } > >>>> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); } > >>>> {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } > >>>> #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } > >>>> #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; } > >>> > >>> Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or > >>> escaped via backslash as well? > >>> > >> > >> > >> if the flex version from git goes all the way > >> back to 2.5* I'll do a bisect on this > >> but if it only goes so far, then bisection > >> can be tricky. > > > > If my patch fixes the problem, it was a bug in checkpolicy, not a bug in > > flex. > > > > > heres what I get: > > > flex --version > flex 2.5.35 > > (without the patch applied). > > Compiling mcs base module > /usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod > /usr/bin/checkmodule: loading policy configuration from base.conf > base.conf:1265:ERROR 'syntax error' at token ':c0.c255' on line 1265: > > level s0:c0.c255; > /usr/bin/checkmodule: error(s) encountered while parsing configuration > make: *** [tmp/base.mod] Error 1 > > > (after applying patch): > > Compiling mcs base module > /usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod > /usr/bin/checkmodule: loading policy configuration from base.conf > base.conf:1265:ERROR 'syntax error' at token ':c0' on line 1265: > > level s0:c0.c255; > /usr/bin/checkmodule: error(s) encountered while parsing configuration > make: *** [tmp/base.mod] Error 1 > > > as soon as I compile checkpolicy/checkmodule with the older version of > flex the policy will compile without the syntax error. 
>
> but if this is userspace(SELinux) issue, I can try a bisect with
> checkpolicy/checkmodule.

No, your test result confirms that the bug lies in flex. The ipv6_addr
pattern is just the trigger. It should not match (requires at least two
colons), but appears to be doing so. See my other email.

--
Stephen Smalley
National Security Agency

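Added example, not part of the thread and not checkpolicy code: a longest-match emulation in Python of the rules quoted in the hunks, to check the statement above that the ipv6_addr rule needs two colons and so should not match ':c0.c1023', and to show what the one-character change to that rule does alter. The named definitions (letter, digit, alnum, hexval), the "level" keyword, whitespace and single-character rules, the two ONE_COLON variants and the sample address with a dotted-quad tail are assumptions constructed for this example.

```python
import re

# Named definitions assumed to match the top of policy_scan.l; the thread
# does not show them.
DEFS = {"letter": "[A-Za-z]", "digit": "[0-9]",
        "alnum": "[A-Za-z0-9]", "hexval": "[0-9A-Fa-f]"}

# Rules as quoted in the thread's hunks (pre-patch spellings).
PATH = r'"/"({alnum}|[_\.\-/])*'
IDENTIFIER = r'{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*'
NUMBER = r'{digit}+|0x{hexval}+'
IPV4_ADDR = r'{digit}{1,3}(\.{digit}{1,3}){3}'
VERSION_IDENTIFIER = r'{digit}+(\.({alnum}|[_.])*)?'
IPV6_OLD = r'{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*'
IPV6_NEW = r'{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")*'

# Constructed models of the symptom only: the same two rules with one
# {hexval}{0,4}":" group dropped, i.e. a scanner acting as if a single colon
# were enough. Not a claim about what flex generated internally.
ONE_COLON_OLD = r'{hexval}{0,4}":"({hexval}|[:.])*'
ONE_COLON_NEW = r'{hexval}{0,4}":"({hexval}|":")*'


def lex_to_re(pattern):
    """Translate the small subset of lex syntax used above to a Python regex."""
    expanded = re.sub(r"\{([a-z]+)\}", lambda m: DEFS[m.group(1)], pattern)
    return re.compile(
        re.sub(r'"([^"]*)"', lambda m: re.escape(m.group(1)), expanded))


def longest(rx, text, pos):
    """Length of the longest prefix of text[pos:] the rule matches in full."""
    for end in range(len(text), pos, -1):
        if rx.fullmatch(text, pos, end):
            return end - pos
    return 0


def scan(text, ipv6_rule):
    """Tokenize with lex semantics: longest match wins, earlier rule on a tie."""
    rules = [("LEVEL", '"level"'), ("PATH", PATH), ("IDENTIFIER", IDENTIFIER),
             ("NUMBER", NUMBER), ("IPV4_ADDR", IPV4_ADDR),
             ("IPV6_ADDR", ipv6_rule),
             ("VERSION_IDENTIFIER", VERSION_IDENTIFIER),
             ("WS", r"[ \t\f\n]+"),      # assumed whitespace rule
             ("CHAR", r"[:;.\-]")]       # assumed single-character rule
    compiled = [(name, lex_to_re(p)) for name, p in rules]
    tokens, pos = [], 0
    while pos < len(text):
        best_name, best_len = None, 0
        for name, rx in compiled:
            n = longest(rx, text, pos)
            if n > best_len:             # strict '>' keeps the earlier rule
                best_name, best_len = name, n
        if best_name is None:
            raise ValueError("no rule matches at offset %d" % pos)
        lexeme = text[pos:pos + best_len]
        if best_name != "WS":
            tokens.append((lexeme if best_name == "CHAR" else best_name, lexeme))
        pos += best_len
    return tokens


def ipv6_lexemes(text, ipv6_rule):
    """Lexemes the scanner returned as IPV6_ADDR for this input."""
    return [lx for tok, lx in scan(text, ipv6_rule) if tok == "IPV6_ADDR"]


if __name__ == "__main__":
    # Lines taken from the two error reports in the thread.
    for label, rule in [("rule as written, before patch", IPV6_OLD),
                        ("rule as written, after patch", IPV6_NEW)]:
        print(label, scan("level s0:c0.c1023;", rule))
    for label, rule in [("one-colon model, before patch", ONE_COLON_OLD),
                        ("one-colon model, after patch", ONE_COLON_NEW)]:
        print(label, ipv6_lexemes("level s0:c0.c255;", rule))
    # Constructed address with a dotted-quad tail.
    for label, rule in [("before patch", IPV6_OLD), ("after patch", IPV6_NEW)]:
        print(label, scan("::ffff:1.2.3.4", rule))
```

With the rules as written, both versions give the token sequence shown in the debug output earlier in the thread; the one-colon models give ':c0.c255' and ':c0', the two tokens named in the error reports.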
* Re: Problem with compiling refpolicy base.pp
From: Stephen Smalley @ 2010-03-03 15:52 UTC (permalink / raw) To: AlannY; +Cc: SELinux, Joshua Brindle, Chad Sellers, Christopher J. PeBenito On Wed, 2010-03-03 at 10:28 -0500, Stephen Smalley wrote: > On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote: > > On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote: > > > Hi there. > > > > > > I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc > > > tools (libselinux policycoreutils). I'm trying to: > > > > > > make bare > > > make conf > > > make base.pp > > > > > > My configuration: > > > > > > TYPE=mcs > > > NAME=refpolicy > > > UNK_PERMS=allow > > > DIRECT_INITRC=n > > > MONOLITHIC=n > > > UBAC=n > > > MLS_CATS=1024 > > > MCS_CATS=1024 > > > > > > But, the last command failed with the following error: > > > > > > Creating refpolicy base module base.conf > > > cat tmp/pre_te_files.conf tmp/all_attrs_types.conf > > > tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf > > > Compiling refpolicy base module > > > /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod > > > /usr/bin/checkmodule: loading policy configuration from base.conf > > > base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032: > > > level s0:c0.c1023; > > > > > > Seems to be, it's a good line (2032), but checkmodule can't eat it. > > > > > > Where can be the probem? > > > > Looks like a scanner problem to me. There have been problems with some > > versions of flex, e.g. see: > > http://marc.info/?t=125613782400001&r=1&w=2 > > but no one has ever tracked it down precisely and I've never been able > > to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so > > that it generates debug output and then capture the stderr of running > > checkpolicy on base.conf. 
Here I get the following output for that
> > line:
> > --accepting rule at line 55 ("
> > level s0:c0.c1023;")
> > --accepting rule at line 116 ("level")
> > --accepting rule at line 227 (" ")
> > --accepting rule at line 219 ("s0")
> > --accepting rule at line 235 (":")
> > --accepting rule at line 219 ("c0.c1023")
> > --accepting rule at line 236 (";")
> >
> > Note that the ":" gets treated as a separate token above, as it should,
> > whereas your checkmodule seems to not be splitting it properly.
> >
> > You can look at checkpolicy/policy_scan.l and see if anything strikes
> > you as problematic, but it looks sane to me. Maybe it is matching on
> > ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in
> > the pattern. Does this help?
> >
> > diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l > > index 48128a8..b7b8f0a 100644 > > --- a/checkpolicy/policy_scan.l > > +++ b/checkpolicy/policy_scan.l > > @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); } > > {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } > > {digit}+|0x{hexval}+ { return(NUMBER); } > > {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } > > -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } > > +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); } > > {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } > > #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } > > #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
>
> Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
> escaped via backslash as well?

According to prior discussion, it does not (different interpretation of
characters within []). Which would mean that IDENTIFIER and PATH are
wrong too. Patch below should fix all three definitions. This needs
some wider testing - I don't think we even have nodecons by default in
refpolicy anymore.

diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l index 48128a8..87c7278 100644 --- a/checkpolicy/policy_scan.l +++ b/checkpolicy/policy_scan.l @@ -215,11 +215,11 @@ policycap | POLICYCAP { return(POLICYCAP); } permissive | PERMISSIVE { return(PERMISSIVE); } -"/"({alnum}|[_\.\-/])* { return(PATH); } -{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } +"/"({alnum}|[_./-])* { return(PATH); } +{letter}({alnum}|[_-])*([.]?({alnum}|[_-]))* { return(IDENTIFIER); } {digit}+|0x{hexval}+ { return(NUMBER); } {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); } {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }

--
Stephen Smalley
National Security Agency

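Review bot: In the PATH and IDENTIFIER rules the rewritten classes [_./-] and [_-] keep "-" literal only because it is the last character inside the brackets; a one-line comment above these rules would stop a later edit from appending a character after the "-" and turning it into a range. The IPV6_ADDR line is a different kind of change from the other two, since it drops "." from what the rule accepts instead of only respelling a class, so it would be better as its own patch with a nodecon test case, given that the message says the change needs wider testing.
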
* Re: Problem with compiling refpolicy base.pp
From: Stephen Smalley @ 2010-03-03 16:23 UTC
To: AlannY; +Cc: SELinux, Joshua Brindle, Chad Sellers

On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> > Hi there.
> >
> > I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> > tools (libselinux policycoreutils). I'm trying to:
> >
> > make bare
> > make conf
> > make base.pp
> >
> > My configuration:
> >
> > TYPE=mcs
> > NAME=refpolicy
> > UNK_PERMS=allow
> > DIRECT_INITRC=n
> > MONOLITHIC=n
> > UBAC=n
> > MLS_CATS=1024
> > MCS_CATS=1024
> >
> > But, the last command failed with the following error:
> >
> > Creating refpolicy base module base.conf
> > cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> > tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
> > Compiling refpolicy base module
> > /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> > /usr/bin/checkmodule: loading policy configuration from base.conf
> > base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> > level s0:c0.c1023;
> >
> > Seems to be, it's a good line (2032), but checkmodule can't eat it.
> >
> > Where can be the problem?
>
> Looks like a scanner problem to me. There have been problems with some
> versions of flex, e.g. see:
> http://marc.info/?t=125613782400001&r=1&w=2
> but no one has ever tracked it down precisely and I've never been able
> to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so
> that it generates debug output and then capture the stderr of running
> checkpolicy on base.conf.
Here I get the following output for that > line: > --accepting rule at line 55 (" > level s0:c0.c1023;") > --accepting rule at line 116 ("level") > --accepting rule at line 227 (" ") > --accepting rule at line 219 ("s0") > --accepting rule at line 235 (":") > --accepting rule at line 219 ("c0.c1023") > --accepting rule at line 236 (";") > > Note that the ":" gets treated as a separate token above, as it should, > whereas your checkmodule seems to not be splitting it properly. > > You can look at checkpolicy/policy_scan.l and see if anything strikes > you as problematic, but it looks sane to me. Maybe it is matching on > ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in > the pattern. Does this help? > > diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l > index 48128a8..b7b8f0a 100644 > --- a/checkpolicy/policy_scan.l > +++ b/checkpolicy/policy_scan.l 
> @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); } > {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } > {digit}+|0x{hexval}+ { return(NUMBER); } > {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } > -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } > +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); } > {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } > #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } > #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; } It turns out there was a reason why we originally allowed "." in the ipv6_addr pattern - for embedded ipv4 addresses, http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm Re-considering this, I don't see why we'd match on ipv6_addr anyway (":c0.c1023" doesn't match the pattern as it lacks two colons), so perhaps this is still a bug in flex. It did first seem to manifest after the ipv6_addr pattern was added though, so I think that the ipv6_addr pattern is the trigger for the bug. http://marc.info/?t=109338686200002&r=1&w=2 -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 13+ messages in thread
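The two statements in the message above (that ":c0.c1023" cannot match the ipv6_addr pattern, and that "." was allowed there for embedded IPv4 addresses) can be checked by replaying the quoted rules with flex's longest-match semantics. This is an added example, not code from checkpolicy or from the thread; the character-class definitions, the level, whitespace and punctuation rules, the UNRECOGNIZED fallback and the sample address are assumptions made for the illustration.

```python
import re

# Assumed definitions: the thread never shows {letter}, {digit}, {alnum}, {hexval}.
DEFS = {"letter": "[A-Za-z]", "digit": "[0-9]",
        "alnum": "[A-Za-z0-9]", "hexval": "[0-9A-Fa-f]"}

def build_rules(ipv6_tail):
    """Rules in the order of the quoted hunk; flex's ":" is written as : here."""
    table = [
        ("LEVEL", r"level"),                       # assumed keyword rule
        ("PATH", r"/({alnum}|[_./-])*"),
        ("IDENTIFIER", r"{letter}({alnum}|[_-])*([.]?({alnum}|[_-]))*"),
        ("NUMBER", r"{digit}+|0x{hexval}+"),
        ("IPV4_ADDR", r"{digit}{1,3}(\.{digit}{1,3}){3}"),
        ("IPV6_ADDR", r"{hexval}{0,4}:{hexval}{0,4}:(" + ipv6_tail + r")*"),
        ("VERSION_IDENTIFIER", r"{digit}+(\.({alnum}|[_.])*)?"),
        ("WS", r"[ \t\n]+"),                       # assumed whitespace rule
        ("PUNCT", r"[:;]"),                        # stands in for the ":" and ";" rules
    ]
    rules = []
    for name, pattern in table:
        for key, cls in DEFS.items():
            pattern = pattern.replace("{" + key + "}", cls)
        rules.append((name, re.compile(pattern)))
    return rules

ORIGINAL = build_rules(r"{hexval}|[:.]")   # trailing group before the patch
PATCHED = build_rules(r"{hexval}|:")       # trailing group after the patch

def tokenize(text, rules):
    """Longest match wins; on a tie the earlier rule wins, as in flex."""
    pos, tokens = 0, []
    while pos < len(text):
        best_name, best_end = None, pos
        for name, rx in rules:
            # Only ends beyond the current best are tried, longest first,
            # so a later rule must be strictly longer to take over.
            for end in range(len(text), best_end, -1):
                if rx.fullmatch(text, pos, end):
                    best_name, best_end = name, end
                    break
        if best_name is None:                      # no rule matched this character
            best_name, best_end = "UNRECOGNIZED", pos + 1
        if best_name != "WS":
            tokens.append((best_name, text[pos:best_end]))
        pos = best_end
    return tokens

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("patched", PATCHED)):
        print(label, tokenize("level s0:c0.c1023;", rules))
        print(label, tokenize("::ffff:192.0.2.1", rules))  # constructed address
```
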
* Re: Problem with compiling refpolicy base.pp
From: Justin P. mattock @ 2010-03-03 18:16 UTC
To: Stephen Smalley; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers

On 03/03/2010 08:23 AM, Stephen Smalley wrote:
> On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
>> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
>>> Hi there.
>>>
>>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
>>> tools (libselinux policycoreutils). I'm trying to:
>>>
>>> make bare
>>> make conf
>>> make base.pp
>>>
>>> My configuration:
>>>
>>> TYPE=mcs
>>> NAME=refpolicy
>>> UNK_PERMS=allow
>>> DIRECT_INITRC=n
>>> MONOLITHIC=n
>>> UBAC=n
>>> MLS_CATS=1024
>>> MCS_CATS=1024
>>>
>>> But, the last command failed with the following error:
>>>
>>> Creating refpolicy base module base.conf
>>> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
>>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf> base.conf
>>> Compiling refpolicy base module
>>> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
>>> /usr/bin/checkmodule: loading policy configuration from base.conf
>>> base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
>>> level s0:c0.c1023;
>>>
>>> Seems to be, it's a good line (2032), but checkmodule can't eat it.
>>>
>>> Where can be the problem?
>>
>> Looks like a scanner problem to me. There have been problems with some
>> versions of flex, e.g. see:
>> http://marc.info/?t=125613782400001&r=1&w=2
>> but no one has ever tracked it down precisely and I've never been able
>> to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so
>> that it generates debug output and then capture the stderr of running
>> checkpolicy on base.conf.
Here I get the following output for that >> line: >> --accepting rule at line 55 (" >> level s0:c0.c1023;") >> --accepting rule at line 116 ("level") >> --accepting rule at line 227 (" ") >> --accepting rule at line 219 ("s0") >> --accepting rule at line 235 (":") >> --accepting rule at line 219 ("c0.c1023") >> --accepting rule at line 236 (";") >> >> Note that the ":" gets treated as a separate token above, as it should, >> whereas your checkmodule seems to not be splitting it properly. >> >> You can look at checkpolicy/policy_scan.l and see if anything strikes >> you as problematic, but it looks sane to me. Maybe it is matching on >> ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in >> the pattern. Does this help? >> >> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l >> index 48128a8..b7b8f0a 100644 >> --- a/checkpolicy/policy_scan.l >> +++ b/checkpolicy/policy_scan.l 
>> @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); } >> {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } >> {digit}+|0x{hexval}+ { return(NUMBER); } >> {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } >> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } >> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); } >> {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } >> #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } >> #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; } > > It turns out there was a reason why we originally allowed "." in the > ipv6_addr pattern - for embedded ipv4 addresses, > http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm > > Re-considering this, I don't see why we'd match on ipv6_addr anyway > (":c0.c1023" doesn't match the pattern as it lacks two colons), so > perhaps this is still a bug in flex. > > It did first seem to manifest after the ipv6_addr pattern was added > though, so I think that the ipv6_addr pattern is the trigger for the > bug. > http://marc.info/?t=109338686200002&r=1&w=2 > > man!! seeing all of the bickering towards the end really looks bad. Anyways I made a wrapper with the -l option and tried other options as well, and still am able to reproduce this syntax error. 
FWIW here's the -v option while building checkmodule/checkpolicy with new/older versions of flex:

scanner options: -lvI8 -Cem
1677/2000 NFA states
944/1000 DFA states (8671 words)
188 rules
Compressed tables always back-up
1/40 start conditions
494 epsilon states, 252 double epsilon states
28/100 character classes needed 458/500 words of storage, 0 reused
50312 state/nextstate pairs created
3621/46691 unique/duplicate transitions
988/1000 base-def entries created
2182/4000 (peak 5221) nxt-chk entries created
396/5000 (peak 3520) template nxt-chk entries created
0 empty table entries
49 protos created
44 templates created, 98 uses
80/256 equivalence classes created
9/256 meta-equivalence classes created
0 (17 saved) hash collisions, 2680 DFAs equal
3 sets of reallocations needed
6676 total table entries needed

and the -v option with the older version of flex that works:

/flex version 2.5.4 usage statistics:
scanner options: -lvI8 -Cem
1621/2000 NFA states
891/1000 DFA states (8396 words)
188 rules
Compressed tables always back-up
1/40 start conditions
465 epsilon states, 236 double epsilon states
13/100 character classes needed 161/500 words of storage, 14 reused
48957 state/nextstate pairs created
3506/45451 unique/duplicate transitions
907/1000 base-def entries created
2038/4000 (peak 2927) nxt-chk entries created
144/2500 (peak 1280) template nxt-chk entries created
0 empty table entries
21 protos created
16 templates created, 48 uses
80/256 equivalence classes created
9/256 meta-equivalence classes created
1 (15 saved) hash collisions, 2618 DFAs equal
2 sets of reallocations needed
6226 total table entries needed

I'm thinking I'll try a go at bisecting flex (if possible), and see, but it might take some time.

Justin P. Mattock
* Re: Problem with compiling refpolicy base.pp
From: Justin P. mattock @ 2010-03-03 20:52 UTC
To: Stephen Smalley; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers

ahh.. with the git interface for flex I reset to the last commit, which makes checkmodule/checkpolicy work. I'll have a go at the bisect and see if I come up with anything of use.

Justin P. Mattock
* Re: Problem with compiling refpolicy base.pp
From: Justin P. mattock @ 2010-03-03 21:14 UTC
To: Stephen Smalley; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers

ouch.. now I see the dilemma with a bisect, this might take some time..

Justin P. Mattock
* Re: Problem with compiling refpolicy base.pp
From: Justin P. mattock @ 2010-03-03 15:30 UTC
To: AlannY; +Cc: SELinux

On 03/03/2010 06:31 AM, AlannY wrote:
> Hi there.
>
> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> tools (libselinux policycoreutils). I'm trying to:
>
> make bare
> make conf
> make base.pp
>
> My configuration:
>
> TYPE=mcs
> NAME=refpolicy
> UNK_PERMS=allow
> DIRECT_INITRC=n
> MONOLITHIC=n
> UBAC=n
> MLS_CATS=1024
> MCS_CATS=1024
>
> But, the last command failed with the following error:
>
> Creating refpolicy base module base.conf
> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf> base.conf
> Compiling refpolicy base module
> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> /usr/bin/checkmodule: loading policy configuration from base.conf
> base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> level s0:c0.c1023;
>
> Seems to be, it's a good line (2032), but checkmodule can't eat it.
>
> Where can be the problem?

I think this is caused by checkmodule/checkpolicy being compiled by flex version 2.35* (still haven't found the bug for this). For a workaround, downgrade to flex v2.5.4a and compile checkmodule/checkpolicy, then you should be able to compile the policy without a syntax error.

Hope this helps.

Justin P. Mattock