* Problem with compiling refpolicy base.pp
@ 2010-03-03 14:31 AlannY
  2010-03-03 15:21 ` Stephen Smalley
  2010-03-03 15:30 ` Justin P. mattock
  0 siblings, 2 replies; 13+ messages in thread
From: AlannY @ 2010-03-03 14:31 UTC (permalink / raw)
  To: SELinux

Hi there.

I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
tools (libselinux policycoreutils). I'm trying to:

    make bare
    make conf
    make base.pp

My configuration:

TYPE=mcs
NAME=refpolicy
UNK_PERMS=allow
DIRECT_INITRC=n
MONOLITHIC=n
UBAC=n
MLS_CATS=1024
MCS_CATS=1024

But, the last command failed with the following error:

    Creating refpolicy base module base.conf
    cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
    Compiling refpolicy base module
    /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
    /usr/bin/checkmodule:  loading policy configuration from base.conf
    base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
    level s0:c0.c1023;

Seems to be, it's a good line (2032), but checkmodule can't eat it.

Where can the problem be?
-- 
   )\._.,--....,'``.
  /,   _.. \   _\  (`._ ,.
 `._.-(,_..'--(,_..'`-.;.'

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Problem with compiling refpolicy base.pp
  2010-03-03 14:31 Problem with compiling refpolicy base.pp AlannY
@ 2010-03-03 15:21 ` Stephen Smalley
  2010-03-03 15:28   ` Stephen Smalley
  2010-03-03 16:23   ` Stephen Smalley
  2010-03-03 15:30 ` Justin P. mattock
  1 sibling, 2 replies; 13+ messages in thread
From: Stephen Smalley @ 2010-03-03 15:21 UTC (permalink / raw)
  To: AlannY; +Cc: SELinux, Joshua Brindle, Chad Sellers

On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> Hi there.
> 
> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> tools (libselinux policycoreutils). I'm trying to:
> 
>     make bare
>     make conf
>     make base.pp
> 
> My configuration:
> 
> TYPE=mcs
> NAME=refpolicy
> UNK_PERMS=allow
> DIRECT_INITRC=n
> MONOLITHIC=n
> UBAC=n
> MLS_CATS=1024
> MCS_CATS=1024
> 
> But, the last command failed with the following error:
> 
>     Creating refpolicy base module base.conf
>     cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
>     Compiling refpolicy base module
>     /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
>     /usr/bin/checkmodule:  loading policy configuration from base.conf
>     base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
>     level s0:c0.c1023;
> 
> Seems to be, it's a good line (2032), but checkmodule can't eat it.
> 
> Where can the problem be?

Looks like a scanner problem to me.  There have been problems with some
versions of flex, e.g. see:
http://marc.info/?t=125613782400001&r=1&w=2
but no one has ever tracked it down precisely and I've never been able
to reproduce.  Modify your checkpolicy Makefile to pass -d to $(LEX) so
that it generates debug output and then capture the stderr of running
checkpolicy on base.conf.  Here I get the following output for that
line:
--accepting rule at line 55 ("
level s0:c0.c1023;")
--accepting rule at line 116 ("level")
--accepting rule at line 227 (" ")
--accepting rule at line 219 ("s0")
--accepting rule at line 235 (":")
--accepting rule at line 219 ("c0.c1023")
--accepting rule at line 236 (";")

Note that the ":" gets treated as a separate token above, as it should,
whereas your checkmodule seems to not be splitting it properly.

You can look at checkpolicy/policy_scan.l and see if anything strikes
you as problematic, but it looks sane to me.  Maybe it is matching on
ipv6_addr instead.  On second look, I'm wondering why ipv6_addr has . in
the pattern.  Does this help?

diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 48128a8..b7b8f0a 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -219,7 +219,7 @@ PERMISSIVE			{ return(PERMISSIVE); }
 {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
 {digit}+|0x{hexval}+            { return(NUMBER); }
 {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
-{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
+{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")*  { return(IPV6_ADDR); }
 {digit}+(\.({alnum}|[_.])*)?    { return(VERSION_IDENTIFIER); }
 #line[ ]1[ ]\"[^\n]*\"		{ set_source_file(yytext+9); }
 #line[ ]{digit}+	        { source_lineno = atoi(yytext+6)-1; }
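
Review bot: On the IPV6_ADDR line, narrowing the tail from ({hexval}|[:.])* to ({hexval}|":")* drops "." from the rule, so an address written with a dotted-quad suffix would stop at the first "." instead of being returned as one IPV6_ADDR token. Both the old and the new pattern still require two ":" before the tail, which ":c0.c1023" does not contain, so please confirm with the -d trace from the failing build that this rule is the one being accepted before changing it. If "." has to stay for addresses, consider allowing it only in a trailing (\.{digit}{1,3}){3} group, as the IPV4_ADDR rule above does, rather than anywhere in the tail.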


-- 
Stephen Smalley
National Security Agency



* Re: Problem with compiling refpolicy base.pp
  2010-03-03 15:21 ` Stephen Smalley
@ 2010-03-03 15:28   ` Stephen Smalley
  2010-03-03 15:36     ` Justin P. mattock
  2010-03-03 15:52     ` Stephen Smalley
  2010-03-03 16:23   ` Stephen Smalley
  1 sibling, 2 replies; 13+ messages in thread
From: Stephen Smalley @ 2010-03-03 15:28 UTC (permalink / raw)
  To: AlannY; +Cc: SELinux, Joshua Brindle, Chad Sellers

On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> > Hi there.
> > 
> > I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> > tools (libselinux policycoreutils). I'm trying to:
> > 
> >     make bare
> >     make conf
> >     make base.pp
> > 
> > My configuration:
> > 
> > TYPE=mcs
> > NAME=refpolicy
> > UNK_PERMS=allow
> > DIRECT_INITRC=n
> > MONOLITHIC=n
> > UBAC=n
> > MLS_CATS=1024
> > MCS_CATS=1024
> > 
> > But, the last command failed with the following error:
> > 
> >     Creating refpolicy base module base.conf
> >     cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> > tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
> >     Compiling refpolicy base module
> >     /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> >     /usr/bin/checkmodule:  loading policy configuration from base.conf
> >     base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> >     level s0:c0.c1023;
> > 
> > Seems to be, it's a good line (2032), but checkmodule can't eat it.
> > 
> > Where can the problem be?
> 
> Looks like a scanner problem to me.  There have been problems with some
> versions of flex, e.g. see:
> http://marc.info/?t=125613782400001&r=1&w=2
> but no one has ever tracked it down precisely and I've never been able
> to reproduce.  Modify your checkpolicy Makefile to pass -d to $(LEX) so
> that it generates debug output and then capture the stderr of running
> checkpolicy on base.conf.  Here I get the following output for that
> line:
> --accepting rule at line 55 ("
> level s0:c0.c1023;")
> --accepting rule at line 116 ("level")
> --accepting rule at line 227 (" ")
> --accepting rule at line 219 ("s0")
> --accepting rule at line 235 (":")
> --accepting rule at line 219 ("c0.c1023")
> --accepting rule at line 236 (";")
> 
> Note that the ":" gets treated as a separate token above, as it should,
> whereas your checkmodule seems to not be splitting it properly.
> 
> You can look at checkpolicy/policy_scan.l and see if anything strikes
> you as problematic, but it looks sane to me.  Maybe it is matching on
> ipv6_addr instead.  On second look, I'm wondering why ipv6_addr has . in
> the pattern.  Does this help?
> 
> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> index 48128a8..b7b8f0a 100644
> --- a/checkpolicy/policy_scan.l
> +++ b/checkpolicy/policy_scan.l
> @@ -219,7 +219,7 @@ PERMISSIVE			{ return(PERMISSIVE); }
>  {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
>  {digit}+|0x{hexval}+            { return(NUMBER); }
>  {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")*  { return(IPV6_ADDR); }
>  {digit}+(\.({alnum}|[_.])*)?    { return(VERSION_IDENTIFIER); }
>  #line[ ]1[ ]\"[^\n]*\"		{ set_source_file(yytext+9); }
>  #line[ ]{digit}+	        { source_lineno = atoi(yytext+6)-1; }

Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
escaped via backslash as well?

-- 
Stephen Smalley
National Security Agency



* Re: Problem with compiling refpolicy base.pp
  2010-03-03 14:31 Problem with compiling refpolicy base.pp AlannY
  2010-03-03 15:21 ` Stephen Smalley
@ 2010-03-03 15:30 ` Justin P. mattock
  1 sibling, 0 replies; 13+ messages in thread
From: Justin P. mattock @ 2010-03-03 15:30 UTC (permalink / raw)
  To: AlannY; +Cc: SELinux

On 03/03/2010 06:31 AM, AlannY wrote:
> Hi there.
>
> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> tools (libselinux policycoreutils). I'm trying to:
>
>      make bare
>      make conf
>      make base.pp
>
> My configuration:
>
> TYPE=mcs
> NAME=refpolicy
> UNK_PERMS=allow
> DIRECT_INITRC=n
> MONOLITHIC=n
> UBAC=n
> MLS_CATS=1024
> MCS_CATS=1024
>
> But, the last command failed with the following error:
>
>      Creating refpolicy base module base.conf
>      cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf>  base.conf
>      Compiling refpolicy base module
>      /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
>      /usr/bin/checkmodule:  loading policy configuration from base.conf
>      base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
>      level s0:c0.c1023;
>
> Seems to be, it's a good line (2032), but checkmodule can't eat it.
>
> Where can the problem be?


I think this is caused by checkmodule/checkpolicy
being compiled by flex version 2.35*
(still haven't found the bug for this). For
a workaround, downgrade to flex v2.5.4a and
compile checkmodule/checkpolicy; then you should
be able to compile the policy without a syntax error.

hope this helps.

Justin P. Mattock


* Re: Problem with compiling refpolicy base.pp
  2010-03-03 15:28   ` Stephen Smalley
@ 2010-03-03 15:36     ` Justin P. mattock
  2010-03-03 15:53       ` Stephen Smalley
  2010-03-03 15:52     ` Stephen Smalley
  1 sibling, 1 reply; 13+ messages in thread
From: Justin P. mattock @ 2010-03-03 15:36 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers

On 03/03/2010 07:28 AM, Stephen Smalley wrote:
> On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
>> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
>>> Hi there.
>>>
>>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
>>> tools (libselinux policycoreutils). I'm trying to:
>>>
>>>      make bare
>>>      make conf
>>>      make base.pp
>>>
>>> My configuration:
>>>
>>> TYPE=mcs
>>> NAME=refpolicy
>>> UNK_PERMS=allow
>>> DIRECT_INITRC=n
>>> MONOLITHIC=n
>>> UBAC=n
>>> MLS_CATS=1024
>>> MCS_CATS=1024
>>>
>>> But, the last command failed with the following error:
>>>
>>>      Creating refpolicy base module base.conf
>>>      cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
>>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf>  base.conf
>>>      Compiling refpolicy base module
>>>      /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
>>>      /usr/bin/checkmodule:  loading policy configuration from base.conf
>>>      base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
>>>      level s0:c0.c1023;
>>>
>>> Seems to be, it's a good line (2032), but checkmodule can't eat it.
>>>
>>> Where can the problem be?
>>
>> Looks like a scanner problem to me.  There have been problems with some
>> versions of flex, e.g. see:
>> http://marc.info/?t=125613782400001&r=1&w=2
>> but no one has ever tracked it down precisely and I've never been able
>> to reproduce.  Modify your checkpolicy Makefile to pass -d to $(LEX) so
>> that it generates debug output and then capture the stderr of running
>> checkpolicy on base.conf.  Here I get the following output for that
>> line:
>> --accepting rule at line 55 ("
>> level s0:c0.c1023;")
>> --accepting rule at line 116 ("level")
>> --accepting rule at line 227 (" ")
>> --accepting rule at line 219 ("s0")
>> --accepting rule at line 235 (":")
>> --accepting rule at line 219 ("c0.c1023")
>> --accepting rule at line 236 (";")
>>
>> Note that the ":" gets treated as a separate token above, as it should,
>> whereas your checkmodule seems to not be splitting it properly.
>>
>> You can look at checkpolicy/policy_scan.l and see if anything strikes
>> you as problematic, but it looks sane to me.  Maybe it is matching on
>> ipv6_addr instead.  On second look, I'm wondering why ipv6_addr has . in
>> the pattern.  Does this help?
>>
>> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
>> index 48128a8..b7b8f0a 100644
>> --- a/checkpolicy/policy_scan.l
>> +++ b/checkpolicy/policy_scan.l
>> @@ -219,7 +219,7 @@ PERMISSIVE			{ return(PERMISSIVE); }
>>   {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
>>   {digit}+|0x{hexval}+            { return(NUMBER); }
>>   {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
>> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
>> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")*  { return(IPV6_ADDR); }
>>   {digit}+(\.({alnum}|[_.])*)?    { return(VERSION_IDENTIFIER); }
>>   #line[ ]1[ ]\"[^\n]*\"		{ set_source_file(yytext+9); }
>>   #line[ ]{digit}+	        { source_lineno = atoi(yytext+6)-1; }
>
> Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
> escaped via backslash as well?
>


if the flex version from git goes all the way
back to 2.5* I'll do a bisect on this
but if it only goes so far, then bisection
can be tricky.

Justin P. Mattock


* Re: Problem with compiling refpolicy base.pp
  2010-03-03 15:28   ` Stephen Smalley
  2010-03-03 15:36     ` Justin P. mattock
@ 2010-03-03 15:52     ` Stephen Smalley
  1 sibling, 0 replies; 13+ messages in thread
From: Stephen Smalley @ 2010-03-03 15:52 UTC (permalink / raw)
  To: AlannY; +Cc: SELinux, Joshua Brindle, Chad Sellers, Christopher J. PeBenito

On Wed, 2010-03-03 at 10:28 -0500, Stephen Smalley wrote:
> On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
> > On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> > > Hi there.
> > > 
> > > I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> > > tools (libselinux policycoreutils). I'm trying to:
> > > 
> > >     make bare
> > >     make conf
> > >     make base.pp
> > > 
> > > My configuration:
> > > 
> > > TYPE=mcs
> > > NAME=refpolicy
> > > UNK_PERMS=allow
> > > DIRECT_INITRC=n
> > > MONOLITHIC=n
> > > UBAC=n
> > > MLS_CATS=1024
> > > MCS_CATS=1024
> > > 
> > > But, the last command failed with the following error:
> > > 
> > >     Creating refpolicy base module base.conf
> > >     cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> > > tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
> > >     Compiling refpolicy base module
> > >     /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> > >     /usr/bin/checkmodule:  loading policy configuration from base.conf
> > >     base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> > >     level s0:c0.c1023;
> > > 
> > > Seems to be, it's a good line (2032), but checkmodule can't eat it.
> > > 
> > > Where can the problem be?
> > 
> > Looks like a scanner problem to me.  There have been problems with some
> > versions of flex, e.g. see:
> > http://marc.info/?t=125613782400001&r=1&w=2
> > but no one has ever tracked it down precisely and I've never been able
> > to reproduce.  Modify your checkpolicy Makefile to pass -d to $(LEX) so
> > that it generates debug output and then capture the stderr of running
> > checkpolicy on base.conf.  Here I get the following output for that
> > line:
> > --accepting rule at line 55 ("
> > level s0:c0.c1023;")
> > --accepting rule at line 116 ("level")
> > --accepting rule at line 227 (" ")
> > --accepting rule at line 219 ("s0")
> > --accepting rule at line 235 (":")
> > --accepting rule at line 219 ("c0.c1023")
> > --accepting rule at line 236 (";")
> > 
> > Note that the ":" gets treated as a separate token above, as it should,
> > whereas your checkmodule seems to not be splitting it properly.
> > 
> > You can look at checkpolicy/policy_scan.l and see if anything strikes
> > you as problematic, but it looks sane to me.  Maybe it is matching on
> > ipv6_addr instead.  On second look, I'm wondering why ipv6_addr has . in
> > the pattern.  Does this help?
> > 
> > diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> > index 48128a8..b7b8f0a 100644
> > --- a/checkpolicy/policy_scan.l
> > +++ b/checkpolicy/policy_scan.l
> > @@ -219,7 +219,7 @@ PERMISSIVE			{ return(PERMISSIVE); }
> >  {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
> >  {digit}+|0x{hexval}+            { return(NUMBER); }
> >  {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
> > -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
> > +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")*  { return(IPV6_ADDR); }
> >  {digit}+(\.({alnum}|[_.])*)?    { return(VERSION_IDENTIFIER); }
> >  #line[ ]1[ ]\"[^\n]*\"		{ set_source_file(yytext+9); }
> >  #line[ ]{digit}+	        { source_lineno = atoi(yytext+6)-1; }
> 
> Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
> escaped via backslash as well?

According to prior discussion, it does not (different interpretation of
characters within []).  Which would mean that IDENTIFIER and PATH are
wrong too.  Patch below should fix all three definitions.  This needs
some wider testing - I don't think we even have nodecons by default in
refpolicy anymore.

diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 48128a8..87c7278 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -215,11 +215,11 @@ policycap |
 POLICYCAP			{ return(POLICYCAP); }
 permissive |
 PERMISSIVE			{ return(PERMISSIVE); }
-"/"({alnum}|[_\.\-/])*	        { return(PATH); }
-{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
+"/"({alnum}|[_./-])*	        { return(PATH); }
+{letter}({alnum}|[_-])*([.]?({alnum}|[_-]))*	{ return(IDENTIFIER); }
 {digit}+|0x{hexval}+            { return(NUMBER); }
 {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
-{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
+{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")*  { return(IPV6_ADDR); }
 {digit}+(\.({alnum}|[_.])*)?    { return(VERSION_IDENTIFIER); }
 #line[ ]1[ ]\"[^\n]*\"		{ set_source_file(yytext+9); }
 #line[ ]{digit}+	        { source_lineno = atoi(yytext+6)-1; }
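
Review bot: Split the IPV6_ADDR change from the PATH and IDENTIFIER changes: the PATH and IDENTIFIER lines only drop backslashes inside bracket expressions, while the IPV6_ADDR line removes "." from what the rule accepts, and the two should be testable and revertable independently. In [_./-] and [_-] the "-" sits last in the class, which is what keeps it literal once the backslash is gone; a short comment saying so would stop a later edit from reordering it into a range. Since the message notes that refpolicy may no longer carry nodecons by default, the IPV6_ADDR change needs a small test policy with nodecon entries before it is merged.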

-- 
Stephen Smalley
National Security Agency



* Re: Problem with compiling refpolicy base.pp
  2010-03-03 15:36     ` Justin P. mattock
@ 2010-03-03 15:53       ` Stephen Smalley
  2010-03-03 16:24         ` Justin P. mattock
  0 siblings, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2010-03-03 15:53 UTC (permalink / raw)
  To: Justin P. mattock; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers

On Wed, 2010-03-03 at 07:36 -0800, Justin P. mattock wrote:
> On 03/03/2010 07:28 AM, Stephen Smalley wrote:
> > On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
> >> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> >>> Hi there.
> >>>
> >>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> >>> tools (libselinux policycoreutils). I'm trying to:
> >>>
> >>>      make bare
> >>>      make conf
> >>>      make base.pp
> >>>
> >>> My configuration:
> >>>
> >>> TYPE=mcs
> >>> NAME=refpolicy
> >>> UNK_PERMS=allow
> >>> DIRECT_INITRC=n
> >>> MONOLITHIC=n
> >>> UBAC=n
> >>> MLS_CATS=1024
> >>> MCS_CATS=1024
> >>>
> >>> But, the last command failed with the following error:
> >>>
> >>>      Creating refpolicy base module base.conf
> >>>      cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> >>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf>  base.conf
> >>>      Compiling refpolicy base module
> >>>      /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> >>>      /usr/bin/checkmodule:  loading policy configuration from base.conf
> >>>      base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> >>>      level s0:c0.c1023;
> >>>
> >>> Seems to be, it's a good line (2032), but checkmodule can't eat it.
> >>>
> >>> Where can the problem be?
> >>
> >> Looks like a scanner problem to me.  There have been problems with some
> >> versions of flex, e.g. see:
> >> http://marc.info/?t=125613782400001&r=1&w=2
> >> but no one has ever tracked it down precisely and I've never been able
> >> to reproduce.  Modify your checkpolicy Makefile to pass -d to $(LEX) so
> >> that it generates debug output and then capture the stderr of running
> >> checkpolicy on base.conf.  Here I get the following output for that
> >> line:
> >> --accepting rule at line 55 ("
> >> level s0:c0.c1023;")
> >> --accepting rule at line 116 ("level")
> >> --accepting rule at line 227 (" ")
> >> --accepting rule at line 219 ("s0")
> >> --accepting rule at line 235 (":")
> >> --accepting rule at line 219 ("c0.c1023")
> >> --accepting rule at line 236 (";")
> >>
> >> Note that the ":" gets treated as a separate token above, as it should,
> >> whereas your checkmodule seems to not be splitting it properly.
> >>
> >> You can look at checkpolicy/policy_scan.l and see if anything strikes
> >> you as problematic, but it looks sane to me.  Maybe it is matching on
> >> ipv6_addr instead.  On second look, I'm wondering why ipv6_addr has . in
> >> the pattern.  Does this help?
> >>
> >> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> >> index 48128a8..b7b8f0a 100644
> >> --- a/checkpolicy/policy_scan.l
> >> +++ b/checkpolicy/policy_scan.l
> >> @@ -219,7 +219,7 @@ PERMISSIVE			{ return(PERMISSIVE); }
> >>   {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
> >>   {digit}+|0x{hexval}+            { return(NUMBER); }
> >>   {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
> >> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
> >> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")*  { return(IPV6_ADDR); }
> >>   {digit}+(\.({alnum}|[_.])*)?    { return(VERSION_IDENTIFIER); }
> >>   #line[ ]1[ ]\"[^\n]*\"		{ set_source_file(yytext+9); }
> >>   #line[ ]{digit}+	        { source_lineno = atoi(yytext+6)-1; }
> >
> > Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
> > escaped via backslash as well?
> >
> 
> 
> if the flex version from git goes all the way
> back to 2.5* I'll do a bisect on this
> but if it only goes so far, then bisection
> can be tricky.

If my patch fixes the problem, it was a bug in checkpolicy, not a bug in
flex.

-- 
Stephen Smalley
National Security Agency



* Re: Problem with compiling refpolicy base.pp
  2010-03-03 15:21 ` Stephen Smalley
  2010-03-03 15:28   ` Stephen Smalley
@ 2010-03-03 16:23   ` Stephen Smalley
  2010-03-03 18:16     ` Justin P. mattock
                       ` (2 more replies)
  1 sibling, 3 replies; 13+ messages in thread
From: Stephen Smalley @ 2010-03-03 16:23 UTC (permalink / raw)
  To: AlannY; +Cc: SELinux, Joshua Brindle, Chad Sellers

On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> > Hi there.
> > 
> > I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> > tools (libselinux policycoreutils). I'm trying to:
> > 
> >     make bare
> >     make conf
> >     make base.pp
> > 
> > My configuration:
> > 
> > TYPE=mcs
> > NAME=refpolicy
> > UNK_PERMS=allow
> > DIRECT_INITRC=n
> > MONOLITHIC=n
> > UBAC=n
> > MLS_CATS=1024
> > MCS_CATS=1024
> > 
> > But, the last command failed with the following error:
> > 
> >     Creating refpolicy base module base.conf
> >     cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> > tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
> >     Compiling refpolicy base module
> >     /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> >     /usr/bin/checkmodule:  loading policy configuration from base.conf
> >     base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> >     level s0:c0.c1023;
> > 
> > Seems to be, it's a good line (2032), but checkmodule can't eat it.
> > 
> > Where can the problem be?
> 
> Looks like a scanner problem to me.  There have been problems with some
> versions of flex, e.g. see:
> http://marc.info/?t=125613782400001&r=1&w=2
> but no one has ever tracked it down precisely and I've never been able
> to reproduce.  Modify your checkpolicy Makefile to pass -d to $(LEX) so
> that it generates debug output and then capture the stderr of running
> checkpolicy on base.conf.  Here I get the following output for that
> line:
> --accepting rule at line 55 ("
> level s0:c0.c1023;")
> --accepting rule at line 116 ("level")
> --accepting rule at line 227 (" ")
> --accepting rule at line 219 ("s0")
> --accepting rule at line 235 (":")
> --accepting rule at line 219 ("c0.c1023")
> --accepting rule at line 236 (";")
> 
> Note that the ":" gets treated as a separate token above, as it should,
> whereas your checkmodule seems to not be splitting it properly.
> 
> You can look at checkpolicy/policy_scan.l and see if anything strikes
> you as problematic, but it looks sane to me.  Maybe it is matching on
> ipv6_addr instead.  On second look, I'm wondering why ipv6_addr has . in
> the pattern.  Does this help?
> 
> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> index 48128a8..b7b8f0a 100644
> --- a/checkpolicy/policy_scan.l
> +++ b/checkpolicy/policy_scan.l
> @@ -219,7 +219,7 @@ PERMISSIVE			{ return(PERMISSIVE); }
>  {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
>  {digit}+|0x{hexval}+            { return(NUMBER); }
>  {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")*  { return(IPV6_ADDR); }
>  {digit}+(\.({alnum}|[_.])*)?    { return(VERSION_IDENTIFIER); }
>  #line[ ]1[ ]\"[^\n]*\"		{ set_source_file(yytext+9); }
>  #line[ ]{digit}+	        { source_lineno = atoi(yytext+6)-1; }

It turns out there was a reason why we originally allowed "." in the
ipv6_addr pattern - for embedded ipv4 addresses,
http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm

Re-considering this, I don't see why we'd match on ipv6_addr anyway
(":c0.c1023" doesn't match the pattern as it lacks two colons), so
perhaps this is still a bug in flex.

It did first seem to manifest after the ipv6_addr pattern was added
though, so I think that the ipv6_addr pattern is the trigger for the
bug.
http://marc.info/?t=109338686200002&r=1&w=2


-- 
Stephen Smalley
National Security Agency
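
The tokenization reasoned about in the message above can be checked offline. This is an added example, not code from checkpolicy or from anyone in the thread: it emulates flex's longest-match, first-rule-wins selection with Python's re module on the rules quoted in the patch, and it shows the expected behaviour rather than reproducing the reported failure. The character-class definitions, the LEVEL, WS, PUNCT and UNKNOWN rules, and the sample address are assumptions constructed for illustration.

```python
import re

# Assumed definitions: the thread quotes the rules but not the {letter},
# {digit}, {alnum} and {hexval} macros, so conventional classes are used.
LETTER, DIGIT = r"[A-Za-z]", r"[0-9]"
ALNUM, HEXVAL = r"[A-Za-z0-9]", r"[0-9A-Fa-f]"

# IPV6_ADDR before and after the proposed patch.
IPV6_WITH_DOT = rf"{HEXVAL}{{0,4}}:{HEXVAL}{{0,4}}:(?:{HEXVAL}|[:.])*"
IPV6_NO_DOT = rf"{HEXVAL}{{0,4}}:{HEXVAL}{{0,4}}:(?:{HEXVAL}|:)*"


def build_rules(ipv6_pattern):
    """Return (token, regex) pairs in scanner order; earlier rules win ties."""
    return [
        # Hypothetical keyword rule standing in for the scanner's "level" rule.
        ("LEVEL", re.compile(r"level")),
        ("IDENTIFIER", re.compile(
            rf"{LETTER}(?:{ALNUM}|[_\-])*(?:[\.]?(?:{ALNUM}|[_\-]))*")),
        # Alternatives swapped relative to the .l file: Python takes the first
        # alternative that matches, flex takes the longest.
        ("NUMBER", re.compile(rf"0x{HEXVAL}+|{DIGIT}+")),
        ("IPV4_ADDR", re.compile(rf"{DIGIT}{{1,3}}(?:\.{DIGIT}{{1,3}}){{3}}")),
        ("IPV6_ADDR", re.compile(ipv6_pattern)),
        ("VERSION_IDENTIFIER", re.compile(
            rf"{DIGIT}+(?:\.(?:{ALNUM}|[_.])*)?")),
        # Hypothetical helper rules so a whole line can be scanned.
        ("WS", re.compile(r"[ \t\f\n]+")),
        ("PUNCT", re.compile(r"[:;]")),
        ("UNKNOWN", re.compile(r"(?s).")),
    ]


def tokenize(text, rules):
    """Scan text the way flex selects rules: longest match, first rule on a tie."""
    pos, tokens = 0, []
    while pos < len(text):
        best_name, best_end = None, pos
        for name, rx in rules:
            m = rx.match(text, pos)
            # Strictly longer only, so the earliest rule keeps a tie.
            if m and m.end() > best_end:
                best_name, best_end = name, m.end()
        if best_name != "WS":
            tokens.append((best_name, text[pos:best_end]))
        pos = best_end
    return tokens


def ipv6_rule_consumes(text, pattern):
    """Return the prefix of text the IPV6_ADDR rule would accept, or None."""
    m = re.match(pattern, text)
    return m.group(0) if m else None


# Constructed inputs: the failing policy line and an IPv4-embedded address
# taken from the documentation range.
POLICY_LINE = "level s0:c0.c1023;"
EMBEDDED_V4 = "::ffff:192.0.2.1"

if __name__ == "__main__":
    for label, pat in (("with '.'", IPV6_WITH_DOT), ("without '.'", IPV6_NO_DOT)):
        rules = build_rules(pat)
        print(label, tokenize(POLICY_LINE, rules))
        print(label, tokenize(EMBEDDED_V4, rules))
```

Under either pattern the policy line splits into the same tokens as the -d trace quoted earlier in the thread, while the embedded-IPv4 address is only kept whole when "." stays in the tail.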



* Re: Problem with compiling refpolicy base.pp
  2010-03-03 15:53       ` Stephen Smalley
@ 2010-03-03 16:24         ` Justin P. mattock
  2010-03-03 16:27           ` Stephen Smalley
  0 siblings, 1 reply; 13+ messages in thread
From: Justin P. mattock @ 2010-03-03 16:24 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers

On 03/03/2010 07:53 AM, Stephen Smalley wrote:
> On Wed, 2010-03-03 at 07:36 -0800, Justin P. mattock wrote:
>> On 03/03/2010 07:28 AM, Stephen Smalley wrote:
>>> On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
>>>> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
>>>>> Hi there.
>>>>>
>>>>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
>>>>> tools (libselinux policycoreutils). I'm trying to:
>>>>>
>>>>>       make bare
>>>>>       make conf
>>>>>       make base.pp
>>>>>
>>>>> My configuration:
>>>>>
>>>>> TYPE=mcs
>>>>> NAME=refpolicy
>>>>> UNK_PERMS=allow
>>>>> DIRECT_INITRC=n
>>>>> MONOLITHIC=n
>>>>> UBAC=n
>>>>> MLS_CATS=1024
>>>>> MCS_CATS=1024
>>>>>
>>>>> But, the last command failed with the following error:
>>>>>
>>>>>       Creating refpolicy base module base.conf
>>>>>       cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
>>>>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf>   base.conf
>>>>>       Compiling refpolicy base module
>>>>>       /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
>>>>>       /usr/bin/checkmodule:  loading policy configuration from base.conf
>>>>>       base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
>>>>>       level s0:c0.c1023;
>>>>>
>>>>> Seems to be, it's a good line (2032), but checkmodule can't eat it.
>>>>>
>>>>> Where can the problem be?
>>>>
>>>> Looks like a scanner problem to me.  There have been problems with some
>>>> versions of flex, e.g. see:
>>>> http://marc.info/?t=125613782400001&r=1&w=2
>>>> but no one has ever tracked it down precisely and I've never been able
>>>> to reproduce.  Modify your checkpolicy Makefile to pass -d to $(LEX) so
>>>> that it generates debug output and then capture the stderr of running
>>>> checkpolicy on base.conf.  Here I get the following output for that
>>>> line:
>>>> --accepting rule at line 55 ("
>>>> level s0:c0.c1023;")
>>>> --accepting rule at line 116 ("level")
>>>> --accepting rule at line 227 (" ")
>>>> --accepting rule at line 219 ("s0")
>>>> --accepting rule at line 235 (":")
>>>> --accepting rule at line 219 ("c0.c1023")
>>>> --accepting rule at line 236 (";")
>>>>
>>>> Note that the ":" gets treated as a separate token above, as it should,
>>>> whereas your checkmodule seems to not be splitting it properly.
>>>>
>>>> You can look at checkpolicy/policy_scan.l and see if anything strikes
>>>> you as problematic, but it looks sane to me.  Maybe it is matching on
>>>> ipv6_addr instead.  On second look, I'm wondering why ipv6_addr has . in
>>>> the pattern.  Does this help?
>>>>
>>>> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
>>>> index 48128a8..b7b8f0a 100644
>>>> --- a/checkpolicy/policy_scan.l
>>>> +++ b/checkpolicy/policy_scan.l
>>>> @@ -219,7 +219,7 @@ PERMISSIVE			{ return(PERMISSIVE); }
>>>>    {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
>>>>    {digit}+|0x{hexval}+            { return(NUMBER); }
>>>>    {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
>>>> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
>>>> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")*  { return(IPV6_ADDR); }
>>>>    {digit}+(\.({alnum}|[_.])*)?    { return(VERSION_IDENTIFIER); }
>>>>    #line[ ]1[ ]\"[^\n]*\"		{ set_source_file(yytext+9); }
>>>>    #line[ ]{digit}+	        { source_lineno = atoi(yytext+6)-1; }
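Review bot: the '+' line narrows only the tail class of the IPV6_ADDR rule; the prefix {hexval}{0,4}":"{hexval}{0,4}":" still demands two literal colons, so the failing text ':c0.c1023' (one colon) is outside this rule both before and after the change. A correct scanner would tokenize 'level s0:c0.c1023;' the same way with or without this hunk, so treat it as a diagnostic rather than a fix, and capture the -d trace for that line in both builds to see which rule is actually accepting the token.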
>>>
>>> Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
>>> escaped via backslash as well?
>>>
>>
>>
>> if the flex version from git goes all the way
>> back to 2.5* I'll do a bisect on this
>> but if it only goes so far, then bisection
>> can be tricky.
>
> If my patch fixes the problem, it was a bug in checkpolicy, not a bug in
> flex.
>


here's what I get:


  flex --version
flex 2.5.35

(without the patch applied).

Compiling mcs  base module
/usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod
/usr/bin/checkmodule:  loading policy configuration from base.conf
base.conf:1265:ERROR 'syntax error' at token ':c0.c255' on line 1265:

level s0:c0.c255;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1


(after applying patch):

Compiling mcs  base module
/usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod
/usr/bin/checkmodule:  loading policy configuration from base.conf
base.conf:1265:ERROR 'syntax error' at token ':c0' on line 1265:

level s0:c0.c255;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1


as soon as I compile checkpolicy/checkmodule with the older version of
flex the policy will compile without the syntax error.

but if this is a userspace (SELinux) issue, I can try a bisect with
checkpolicy/checkmodule.


Justin P. Mattock





* Re: Problem with compiling refpolicy base.pp
  2010-03-03 16:24         ` Justin P. mattock
@ 2010-03-03 16:27           ` Stephen Smalley
  0 siblings, 0 replies; 13+ messages in thread
From: Stephen Smalley @ 2010-03-03 16:27 UTC (permalink / raw)
  To: Justin P. mattock; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers

On Wed, 2010-03-03 at 08:24 -0800, Justin P. mattock wrote:
> On 03/03/2010 07:53 AM, Stephen Smalley wrote:
> > On Wed, 2010-03-03 at 07:36 -0800, Justin P. mattock wrote:
> >> On 03/03/2010 07:28 AM, Stephen Smalley wrote:
> >>> On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
> >>>> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> >>>>> Hi there.
> >>>>>
> >>>>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> >>>>> tools (libselinux policycoreutils). I'm trying to:
> >>>>>
> >>>>>       make bare
> >>>>>       make conf
> >>>>>       make base.pp
> >>>>>
> >>>>> My configuration:
> >>>>>
> >>>>> TYPE=mcs
> >>>>> NAME=refpolicy
> >>>>> UNK_PERMS=allow
> >>>>> DIRECT_INITRC=n
> >>>>> MONOLITHIC=n
> >>>>> UBAC=n
> >>>>> MLS_CATS=1024
> >>>>> MCS_CATS=1024
> >>>>>
> >>>>> But, the last command failed with the following error:
> >>>>>
> >>>>>       Creating refpolicy base module base.conf
> >>>>>       cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> >>>>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
> >>>>>       Compiling refpolicy base module
> >>>>>       /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> >>>>>       /usr/bin/checkmodule:  loading policy configuration from base.conf
> >>>>>       base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> >>>>>       level s0:c0.c1023;
> >>>>>
> >>>>> Seems to be, it's a good line (2032), but checkmodule can't eat it.
> >>>>>
> >>>>> Where can be the problem?
> >>>>
> >>>> Looks like a scanner problem to me.  There have been problems with some
> >>>> versions of flex, e.g. see:
> >>>> http://marc.info/?t=125613782400001&r=1&w=2
> >>>> but no one has ever tracked it down precisely and I've never been able
> >>>> to reproduce.  Modify your checkpolicy Makefile to pass -d to $(LEX) so
> >>>> that it generates debug output and then capture the stderr of running
> >>>> checkpolicy on base.conf.  Here I get the following output for that
> >>>> line:
> >>>> --accepting rule at line 55 ("
> >>>> level s0:c0.c1023;")
> >>>> --accepting rule at line 116 ("level")
> >>>> --accepting rule at line 227 (" ")
> >>>> --accepting rule at line 219 ("s0")
> >>>> --accepting rule at line 235 (":")
> >>>> --accepting rule at line 219 ("c0.c1023")
> >>>> --accepting rule at line 236 (";")
> >>>>
> >>>> Note that the ":" gets treated as a separate token above, as it should,
> >>>> whereas your checkmodule seems to not be splitting it properly.
> >>>>
> >>>> You can look at checkpolicy/policy_scan.l and see if anything strikes
> >>>> you as problematic, but it looks sane to me.  Maybe it is matching on
> >>>> ipv6_addr instead.  On second look, I'm wondering why ipv6_addr has . in
> >>>> the pattern.  Does this help?
> >>>>
> >>>> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> >>>> index 48128a8..b7b8f0a 100644
> >>>> --- a/checkpolicy/policy_scan.l
> >>>> +++ b/checkpolicy/policy_scan.l
> >>>> @@ -219,7 +219,7 @@ PERMISSIVE			{ return(PERMISSIVE); }
> >>>>    {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
> >>>>    {digit}+|0x{hexval}+            { return(NUMBER); }
> >>>>    {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
> >>>> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
> >>>> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")*  { return(IPV6_ADDR); }
> >>>>    {digit}+(\.({alnum}|[_.])*)?    { return(VERSION_IDENTIFIER); }
> >>>>    #line[ ]1[ ]\"[^\n]*\"		{ set_source_file(yytext+9); }
> >>>>    #line[ ]{digit}+	        { source_lineno = atoi(yytext+6)-1; }
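Review bot: on the '+' line the tail ({hexval}|":")* is unbounded and both {hexval}{0,4} groups may be empty, so '::' followed by any run of hex digits and colons is returned as IPV6_ADDR. If the rule is meant only as a coarse filter, add a comment above it saying where the address is actually validated, so the permissive pattern is not mistaken for the check itself.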
> >>>
> >>> Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
> >>> escaped via backslash as well?
> >>>
> >>
> >>
> >> if the flex version from git goes all the way
> >> back to 2.5* I'll do a bisect on this
> >> but if it only goes so far, then bisection
> >> can be tricky.
> >
> > If my patch fixes the problem, it was a bug in checkpolicy, not a bug in
> > flex.
> >
> 
> 
> here's what I get:
> 
> 
>   flex --version
> flex 2.5.35
> 
> (without the patch applied).
> 
> Compiling mcs  base module
> /usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod
> /usr/bin/checkmodule:  loading policy configuration from base.conf
> base.conf:1265:ERROR 'syntax error' at token ':c0.c255' on line 1265:
> 
> level s0:c0.c255;
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> make: *** [tmp/base.mod] Error 1
> 
> 
> (after applying patch):
> 
> Compiling mcs  base module
> /usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod
> /usr/bin/checkmodule:  loading policy configuration from base.conf
> base.conf:1265:ERROR 'syntax error' at token ':c0' on line 1265:
> 
> level s0:c0.c255;
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> make: *** [tmp/base.mod] Error 1
> 
> 
> as soon as I compile checkpolicy/checkmodule with the older version of
> flex the policy will compile without the syntax error.
>
> but if this is a userspace (SELinux) issue, I can try a bisect with
> checkpolicy/checkmodule.

No, your test result confirms that the bug lies in flex.  The ipv6_addr
pattern is just the trigger.  It should not match (requires at least two
colons), but appears to be doing so.  See my other email.

-- 
Stephen Smalley
National Security Agency
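
Added example (not code from this thread or from checkpolicy): a Python model of the rules visible in the quoted hunk, scanned with flex's longest-match, earliest-rule-wins semantics, showing what a correct scanner produces for 'level s0:c0.c1023;' and that a single-colon token cannot reach the ipv6_addr rule. The letter/digit/alnum/hexval definitions, the keyword, whitespace, punctuation and catch-all rules, and the '::ffff:192.0.2.1' input are assumptions.

```python
import re

# Assumed flex definitions; the page shows the rules but not these.
DEFS = {"letter": "[A-Za-z]", "digit": "[0-9]",
        "alnum": "[A-Za-z0-9]", "hexval": "[0-9A-Fa-f]"}

IPV6_OLD = r'{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*'  # "-" line
IPV6_NEW = r'{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")*'   # "+" line

def rx(spec):
    """Turn a flex pattern into a Python regex: "lit" -> lit, {name} -> class."""
    spec = re.sub(r'"([^"]*)"', lambda m: re.escape(m.group(1)), spec)
    return re.compile(re.sub(r"\{([a-z]+)\}", lambda m: DEFS[m.group(1)], spec))

def rules(ipv6):
    # Order matters: flex breaks equal-length ties in favour of the earlier rule.
    return [(name, rx(pat)) for name, pat in [
        ("LEVEL", r"level|LEVEL"),                       # keyword (assumed form)
        ("IDENTIFIER", r"{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*"),
        ("NUMBER", r"{digit}+|0x{hexval}+"),
        ("IPV4_ADDR", r"{digit}{1,3}(\.{digit}{1,3}){3}"),
        ("IPV6_ADDR", ipv6),
        ("VERSION_IDENTIFIER", r"{digit}+(\.({alnum}|[_.])*)?"),
        ("WS", r"[ \t\n]+"),                             # assumed
        ("COLON", '":"'), ("SEMI", '";"'),               # assumed names
        ("OTHER", r"."),                                 # assumed catch-all
    ]]

def scan(text, ipv6=IPV6_OLD):
    """Maximal-munch scan: longest match wins, ties go to the earliest rule."""
    table, pos, out = rules(ipv6), 0, []
    while pos < len(text):
        best_name, best_end = None, pos
        for name, pat in table:
            # Test every prefix, longest first, so alternations give the true
            # longest match (Python's re alone is leftmost-first, not longest).
            for end in range(len(text), best_end, -1):
                if pat.fullmatch(text, pos, end):
                    best_name, best_end = name, end
                    break
        if best_name != "WS":
            out.append((best_name, text[pos:best_end]))
        pos = best_end  # the catch-all guarantees progress
    return out

if __name__ == "__main__":
    # First input is the failing line from the thread; second is constructed.
    for line in ("level s0:c0.c1023;", "::ffff:192.0.2.1"):
        for pat in (IPV6_OLD, IPV6_NEW):
            print(line, "->", scan(line, pat))
```

Comparing this reference tokenization with the -d trace of a freshly built checkmodule separates a grammar problem from a scanner-generator problem.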



* Re: Problem with compiling refpolicy base.pp
  2010-03-03 16:23   ` Stephen Smalley
@ 2010-03-03 18:16     ` Justin P. mattock
  2010-03-03 20:52     ` Justin P. mattock
  2010-03-03 21:14     ` Justin P. mattock
  2 siblings, 0 replies; 13+ messages in thread
From: Justin P. mattock @ 2010-03-03 18:16 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers

On 03/03/2010 08:23 AM, Stephen Smalley wrote:
> On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
>> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
>>> Hi there.
>>>
>>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
>>> tools (libselinux policycoreutils). I'm trying to:
>>>
>>>      make bare
>>>      make conf
>>>      make base.pp
>>>
>>> My configuration:
>>>
>>> TYPE=mcs
>>> NAME=refpolicy
>>> UNK_PERMS=allow
>>> DIRECT_INITRC=n
>>> MONOLITHIC=n
>>> UBAC=n
>>> MLS_CATS=1024
>>> MCS_CATS=1024
>>>
>>> But, the last command failed with the following error:
>>>
>>>      Creating refpolicy base module base.conf
>>>      cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
>>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
>>>      Compiling refpolicy base module
>>>      /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
>>>      /usr/bin/checkmodule:  loading policy configuration from base.conf
>>>      base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
>>>      level s0:c0.c1023;
>>>
>>> Seems to be, it's a good line (2032), but checkmodule can't eat it.
>>>
>>> Where can be the problem?
>>
>> Looks like a scanner problem to me.  There have been problems with some
>> versions of flex, e.g. see:
>> http://marc.info/?t=125613782400001&r=1&w=2
>> but no one has ever tracked it down precisely and I've never been able
>> to reproduce.  Modify your checkpolicy Makefile to pass -d to $(LEX) so
>> that it generates debug output and then capture the stderr of running
>> checkpolicy on base.conf.  Here I get the following output for that
>> line:
>> --accepting rule at line 55 ("
>> level s0:c0.c1023;")
>> --accepting rule at line 116 ("level")
>> --accepting rule at line 227 (" ")
>> --accepting rule at line 219 ("s0")
>> --accepting rule at line 235 (":")
>> --accepting rule at line 219 ("c0.c1023")
>> --accepting rule at line 236 (";")
>>
>> Note that the ":" gets treated as a separate token above, as it should,
>> whereas your checkmodule seems to not be splitting it properly.
>>
>> You can look at checkpolicy/policy_scan.l and see if anything strikes
>> you as problematic, but it looks sane to me.  Maybe it is matching on
>> ipv6_addr instead.  On second look, I'm wondering why ipv6_addr has . in
>> the pattern.  Does this help?
>>
>> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
>> index 48128a8..b7b8f0a 100644
>> --- a/checkpolicy/policy_scan.l
>> +++ b/checkpolicy/policy_scan.l
>> @@ -219,7 +219,7 @@ PERMISSIVE			{ return(PERMISSIVE); }
>>   {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
>>   {digit}+|0x{hexval}+            { return(NUMBER); }
>>   {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
>> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
>> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")*  { return(IPV6_ADDR); }
>>   {digit}+(\.({alnum}|[_.])*)?    { return(VERSION_IDENTIFIER); }
>>   #line[ ]1[ ]\"[^\n]*\"		{ set_source_file(yytext+9); }
>>   #line[ ]{digit}+	        { source_lineno = atoi(yytext+6)-1; }
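Review bot: removing '.' from the tail class on the '+' line means an IPv6 literal written with a dotted-quad suffix is no longer returned as one IPV6_ADDR; the match stops at the first '.' and the remainder is scanned by other rules. If mixed notation has to stay accepted, keep [:.] (the '.' is already literal inside the brackets) and look for the cause of the ':c0.c1023' token elsewhere.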
>
> It turns out there was a reason why we originally allowed "." in the
> ipv6_addr pattern - for embedded ipv4 addresses,
> http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm
>
> Re-considering this, I don't see why we'd match on ipv6_addr anyway
> (":c0.c1023" doesn't match the pattern as it lacks two colons), so
> perhaps this is still a bug in flex.
>
> It did first seem to manifest after the ipv6_addr pattern was added
> though, so I think that the ipv6_addr pattern is the trigger for the
> bug.
> http://marc.info/?t=109338686200002&r=1&w=2
>
>


man!! seeing all of the bickering towards the end
really looks bad.

Anyways I made a wrapper with the -l option and tried other options
as well, and still am able to reproduce this syntax error.

FWIW here's the -v option while building checkmodule/checkpolicy with
new/older versions of flex:

  scanner options: -lvI8 -Cem
   1677/2000 NFA states
   944/1000 DFA states (8671 words)
   188 rules
   Compressed tables always back-up
   1/40 start conditions
   494 epsilon states, 252 double epsilon states
   28/100 character classes needed 458/500 words of storage, 0 reused
   50312 state/nextstate pairs created
   3621/46691 unique/duplicate transitions
   988/1000 base-def entries created
   2182/4000 (peak 5221) nxt-chk entries created
   396/5000 (peak 3520) template nxt-chk entries created
   0 empty table entries
   49 protos created
   44 templates created, 98 uses
   80/256 equivalence classes created
   9/256 meta-equivalence classes created
   0 (17 saved) hash collisions, 2680 DFAs equal
   3 sets of reallocations needed
   6676 total table entries needed


and the -v option with the older version of flex that
works:

/flex version 2.5.4 usage statistics:
   scanner options: -lvI8 -Cem
   1621/2000 NFA states
   891/1000 DFA states (8396 words)
   188 rules
   Compressed tables always back-up
   1/40 start conditions
   465 epsilon states, 236 double epsilon states
   13/100 character classes needed 161/500 words of storage, 14 reused
   48957 state/nextstate pairs created
   3506/45451 unique/duplicate transitions
   907/1000 base-def entries created
   2038/4000 (peak 2927) nxt-chk entries created
   144/2500 (peak 1280) template nxt-chk entries created
   0 empty table entries
   21 protos created
   16 templates created, 48 uses
   80/256 equivalence classes created
   9/256 meta-equivalence classes created
   1 (15 saved) hash collisions, 2618 DFAs equal
   2 sets of reallocations needed
   6226 total table entries needed



I'm thinking I'll try a go at bisecting flex (if possible), and see,
but it might take some time.

Justin P. Mattock


* Re: Problem with compiling refpolicy base.pp
  2010-03-03 16:23   ` Stephen Smalley
  2010-03-03 18:16     ` Justin P. mattock
@ 2010-03-03 20:52     ` Justin P. mattock
  2010-03-03 21:14     ` Justin P. mattock
  2 siblings, 0 replies; 13+ messages in thread
From: Justin P. mattock @ 2010-03-03 20:52 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers

ahh.. with the git interface for flex
I reset to the last commit, which makes
checkmodule/checkpolicy work. I'll have a go
at the bisect and see if I come up
with anything of use.

Justin P. Mattock


* Re: Problem with compiling refpolicy base.pp
  2010-03-03 16:23   ` Stephen Smalley
  2010-03-03 18:16     ` Justin P. mattock
  2010-03-03 20:52     ` Justin P. mattock
@ 2010-03-03 21:14     ` Justin P. mattock
  2 siblings, 0 replies; 13+ messages in thread
From: Justin P. mattock @ 2010-03-03 21:14 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers

ouch.. now I see the dilemma with a bisect
this might take some time..

Justin P. Mattock
