* Problem with compiling refpolicy base.pp
@ 2010-03-03 14:31 AlannY
2010-03-03 15:21 ` Stephen Smalley
2010-03-03 15:30 ` Justin P. mattock
0 siblings, 2 replies; 13+ messages in thread
From: AlannY @ 2010-03-03 14:31 UTC (permalink / raw)
To: SELinux
Hi there.
I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
tools (libselinux policycoreutils). I'm trying to:
make bare
make conf
make base.pp
My configuration:
TYPE=mcs
NAME=refpolicy
UNK_PERMS=allow
DIRECT_INITRC=n
MONOLITHIC=n
UBAC=n
MLS_CATS=1024
MCS_CATS=1024
But, the last command failed with the following error:
Creating refpolicy base module base.conf
cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
Compiling refpolicy base module
/usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
level s0:c0.c1023;
Seems to be, it's a good line (2032), but checkmodule can't eat it.
Where can be the probem?
--
)\._.,--....,'``.
/, _.. \ _\ (`._ ,.
`._.-(,_..'--(,_..'`-.;.'
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Problem with compiling refpolicy base.pp
2010-03-03 14:31 Problem with compiling refpolicy base.pp AlannY
@ 2010-03-03 15:21 ` Stephen Smalley
2010-03-03 15:28 ` Stephen Smalley
2010-03-03 16:23 ` Stephen Smalley
2010-03-03 15:30 ` Justin P. mattock
1 sibling, 2 replies; 13+ messages in thread
From: Stephen Smalley @ 2010-03-03 15:21 UTC (permalink / raw)
To: AlannY; +Cc: SELinux, Joshua Brindle, Chad Sellers
On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> Hi there.
>
> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> tools (libselinux policycoreutils). I'm trying to:
>
> make bare
> make conf
> make base.pp
>
> My configuration:
>
> TYPE=mcs
> NAME=refpolicy
> UNK_PERMS=allow
> DIRECT_INITRC=n
> MONOLITHIC=n
> UBAC=n
> MLS_CATS=1024
> MCS_CATS=1024
>
> But, the last command failed with the following error:
>
> Creating refpolicy base module base.conf
> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
> Compiling refpolicy base module
> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> /usr/bin/checkmodule: loading policy configuration from base.conf
> base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> level s0:c0.c1023;
>
> Seems to be, it's a good line (2032), but checkmodule can't eat it.
>
> Where can be the probem?
Looks like a scanner problem to me. There have been problems with some
versions of flex, e.g. see:
http://marc.info/?t=125613782400001&r=1&w=2
but no one has ever tracked it down precisely and I've never been able
to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so
that it generates debug output and then capture the stderr of running
checkpolicy on base.conf. Here I get the following output for that
line:
--accepting rule at line 55 ("
level s0:c0.c1023;")
--accepting rule at line 116 ("level")
--accepting rule at line 227 (" ")
--accepting rule at line 219 ("s0")
--accepting rule at line 235 (":")
--accepting rule at line 219 ("c0.c1023")
--accepting rule at line 236 (";")
Note that the ":" gets treated as a separate token above, as it should,
whereas your checkmodule seems to not be splitting it properly.
You can look at checkpolicy/policy_scan.l and see if anything strikes
you as problematic, but it looks sane to me. Maybe it is matching on
ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in
the pattern. Does this help?
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 48128a8..b7b8f0a 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); }
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
{digit}+|0x{hexval}+ { return(NUMBER); }
{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
-{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
+{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); }
{digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
#line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
#line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: Problem with compiling refpolicy base.pp
2010-03-03 15:21 ` Stephen Smalley
@ 2010-03-03 15:28 ` Stephen Smalley
2010-03-03 15:36 ` Justin P. mattock
2010-03-03 15:52 ` Stephen Smalley
2010-03-03 16:23 ` Stephen Smalley
1 sibling, 2 replies; 13+ messages in thread
From: Stephen Smalley @ 2010-03-03 15:28 UTC (permalink / raw)
To: AlannY; +Cc: SELinux, Joshua Brindle, Chad Sellers
On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> > Hi there.
> >
> > I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> > tools (libselinux policycoreutils). I'm trying to:
> >
> > make bare
> > make conf
> > make base.pp
> >
> > My configuration:
> >
> > TYPE=mcs
> > NAME=refpolicy
> > UNK_PERMS=allow
> > DIRECT_INITRC=n
> > MONOLITHIC=n
> > UBAC=n
> > MLS_CATS=1024
> > MCS_CATS=1024
> >
> > But, the last command failed with the following error:
> >
> > Creating refpolicy base module base.conf
> > cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> > tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
> > Compiling refpolicy base module
> > /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> > /usr/bin/checkmodule: loading policy configuration from base.conf
> > base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> > level s0:c0.c1023;
> >
> > Seems to be, it's a good line (2032), but checkmodule can't eat it.
> >
> > Where can be the probem?
>
> Looks like a scanner problem to me. There have been problems with some
> versions of flex, e.g. see:
> http://marc.info/?t=125613782400001&r=1&w=2
> but no one has ever tracked it down precisely and I've never been able
> to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so
> that it generates debug output and then capture the stderr of running
> checkpolicy on base.conf. Here I get the following output for that
> line:
> --accepting rule at line 55 ("
> level s0:c0.c1023;")
> --accepting rule at line 116 ("level")
> --accepting rule at line 227 (" ")
> --accepting rule at line 219 ("s0")
> --accepting rule at line 235 (":")
> --accepting rule at line 219 ("c0.c1023")
> --accepting rule at line 236 (";")
>
> Note that the ":" gets treated as a separate token above, as it should,
> whereas your checkmodule seems to not be splitting it properly.
>
> You can look at checkpolicy/policy_scan.l and see if anything strikes
> you as problematic, but it looks sane to me. Maybe it is matching on
> ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in
> the pattern. Does this help?
>
> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> index 48128a8..b7b8f0a 100644
> --- a/checkpolicy/policy_scan.l
> +++ b/checkpolicy/policy_scan.l
> @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); }
> {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
> {digit}+|0x{hexval}+ { return(NUMBER); }
> {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); }
> {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
> #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
> #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
escaped via backslash as well?
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Problem with compiling refpolicy base.pp
2010-03-03 14:31 Problem with compiling refpolicy base.pp AlannY
2010-03-03 15:21 ` Stephen Smalley
@ 2010-03-03 15:30 ` Justin P. mattock
1 sibling, 0 replies; 13+ messages in thread
From: Justin P. mattock @ 2010-03-03 15:30 UTC (permalink / raw)
To: AlannY; +Cc: SELinux
On 03/03/2010 06:31 AM, AlannY wrote:
> Hi there.
>
> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> tools (libselinux policycoreutils). I'm trying to:
>
> make bare
> make conf
> make base.pp
>
> My configuration:
>
> TYPE=mcs
> NAME=refpolicy
> UNK_PERMS=allow
> DIRECT_INITRC=n
> MONOLITHIC=n
> UBAC=n
> MLS_CATS=1024
> MCS_CATS=1024
>
> But, the last command failed with the following error:
>
> Creating refpolicy base module base.conf
> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf> base.conf
> Compiling refpolicy base module
> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> /usr/bin/checkmodule: loading policy configuration from base.conf
> base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> level s0:c0.c1023;
>
> Seems to be, it's a good line (2032), but checkmodule can't eat it.
>
> Where can be the probem?
I think this is cause by checkmodule/checkpolicy
being compiled by flex version 2.35*
(still haven't found the bug for this), for a
a workaround downgrade to flex v2.5.4a
compile checkmodule/chekpolicy, then you should
be able to compile the policy without a syntex error.
hope this helps.
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Problem with compiling refpolicy base.pp
2010-03-03 15:28 ` Stephen Smalley
@ 2010-03-03 15:36 ` Justin P. mattock
2010-03-03 15:53 ` Stephen Smalley
2010-03-03 15:52 ` Stephen Smalley
1 sibling, 1 reply; 13+ messages in thread
From: Justin P. mattock @ 2010-03-03 15:36 UTC (permalink / raw)
To: Stephen Smalley; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers
On 03/03/2010 07:28 AM, Stephen Smalley wrote:
> On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
>> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
>>> Hi there.
>>>
>>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
>>> tools (libselinux policycoreutils). I'm trying to:
>>>
>>> make bare
>>> make conf
>>> make base.pp
>>>
>>> My configuration:
>>>
>>> TYPE=mcs
>>> NAME=refpolicy
>>> UNK_PERMS=allow
>>> DIRECT_INITRC=n
>>> MONOLITHIC=n
>>> UBAC=n
>>> MLS_CATS=1024
>>> MCS_CATS=1024
>>>
>>> But, the last command failed with the following error:
>>>
>>> Creating refpolicy base module base.conf
>>> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
>>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf> base.conf
>>> Compiling refpolicy base module
>>> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
>>> /usr/bin/checkmodule: loading policy configuration from base.conf
>>> base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
>>> level s0:c0.c1023;
>>>
>>> Seems to be, it's a good line (2032), but checkmodule can't eat it.
>>>
>>> Where can be the probem?
>>
>> Looks like a scanner problem to me. There have been problems with some
>> versions of flex, e.g. see:
>> http://marc.info/?t=125613782400001&r=1&w=2
>> but no one has ever tracked it down precisely and I've never been able
>> to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so
>> that it generates debug output and then capture the stderr of running
>> checkpolicy on base.conf. Here I get the following output for that
>> line:
>> --accepting rule at line 55 ("
>> level s0:c0.c1023;")
>> --accepting rule at line 116 ("level")
>> --accepting rule at line 227 (" ")
>> --accepting rule at line 219 ("s0")
>> --accepting rule at line 235 (":")
>> --accepting rule at line 219 ("c0.c1023")
>> --accepting rule at line 236 (";")
>>
>> Note that the ":" gets treated as a separate token above, as it should,
>> whereas your checkmodule seems to not be splitting it properly.
>>
>> You can look at checkpolicy/policy_scan.l and see if anything strikes
>> you as problematic, but it looks sane to me. Maybe it is matching on
>> ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in
>> the pattern. Does this help?
>>
>> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
>> index 48128a8..b7b8f0a 100644
>> --- a/checkpolicy/policy_scan.l
>> +++ b/checkpolicy/policy_scan.l
>> @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); }
>> {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
>> {digit}+|0x{hexval}+ { return(NUMBER); }
>> {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
>> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
>> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); }
>> {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
>> #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
>> #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
>
> Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
> escaped via backslash as well?
>
if the flex version from git goes all the way
back to 2.5* I'll do a bisect on this
but if it only goes so far, then bisection
can be tricky.
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Problem with compiling refpolicy base.pp
2010-03-03 15:28 ` Stephen Smalley
2010-03-03 15:36 ` Justin P. mattock
@ 2010-03-03 15:52 ` Stephen Smalley
1 sibling, 0 replies; 13+ messages in thread
From: Stephen Smalley @ 2010-03-03 15:52 UTC (permalink / raw)
To: AlannY; +Cc: SELinux, Joshua Brindle, Chad Sellers, Christopher J. PeBenito
On Wed, 2010-03-03 at 10:28 -0500, Stephen Smalley wrote:
> On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
> > On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> > > Hi there.
> > >
> > > I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> > > tools (libselinux policycoreutils). I'm trying to:
> > >
> > > make bare
> > > make conf
> > > make base.pp
> > >
> > > My configuration:
> > >
> > > TYPE=mcs
> > > NAME=refpolicy
> > > UNK_PERMS=allow
> > > DIRECT_INITRC=n
> > > MONOLITHIC=n
> > > UBAC=n
> > > MLS_CATS=1024
> > > MCS_CATS=1024
> > >
> > > But, the last command failed with the following error:
> > >
> > > Creating refpolicy base module base.conf
> > > cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> > > tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
> > > Compiling refpolicy base module
> > > /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> > > /usr/bin/checkmodule: loading policy configuration from base.conf
> > > base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> > > level s0:c0.c1023;
> > >
> > > Seems to be, it's a good line (2032), but checkmodule can't eat it.
> > >
> > > Where can be the probem?
> >
> > Looks like a scanner problem to me. There have been problems with some
> > versions of flex, e.g. see:
> > http://marc.info/?t=125613782400001&r=1&w=2
> > but no one has ever tracked it down precisely and I've never been able
> > to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so
> > that it generates debug output and then capture the stderr of running
> > checkpolicy on base.conf. Here I get the following output for that
> > line:
> > --accepting rule at line 55 ("
> > level s0:c0.c1023;")
> > --accepting rule at line 116 ("level")
> > --accepting rule at line 227 (" ")
> > --accepting rule at line 219 ("s0")
> > --accepting rule at line 235 (":")
> > --accepting rule at line 219 ("c0.c1023")
> > --accepting rule at line 236 (";")
> >
> > Note that the ":" gets treated as a separate token above, as it should,
> > whereas your checkmodule seems to not be splitting it properly.
> >
> > You can look at checkpolicy/policy_scan.l and see if anything strikes
> > you as problematic, but it looks sane to me. Maybe it is matching on
> > ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in
> > the pattern. Does this help?
> >
> > diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> > index 48128a8..b7b8f0a 100644
> > --- a/checkpolicy/policy_scan.l
> > +++ b/checkpolicy/policy_scan.l
> > @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); }
> > {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
> > {digit}+|0x{hexval}+ { return(NUMBER); }
> > {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
> > -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
> > +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); }
> > {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
> > #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
> > #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
>
> Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
> escaped via backslash as well?
According to prior discussion, it does not (different interpretation of
characters within []). Which would mean that IDENTIFIER and PATH are
wrong too. Patch below should fix all three definitions. This needs
some wider testing - I don't think we even have nodecons by default in
refpolicy anymore.
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 48128a8..87c7278 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -215,11 +215,11 @@ policycap |
POLICYCAP { return(POLICYCAP); }
permissive |
PERMISSIVE { return(PERMISSIVE); }
-"/"({alnum}|[_\.\-/])* { return(PATH); }
-{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
+"/"({alnum}|[_./-])* { return(PATH); }
+{letter}({alnum}|[_-])*([.]?({alnum}|[_-]))* { return(IDENTIFIER); }
{digit}+|0x{hexval}+ { return(NUMBER); }
{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
-{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
+{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); }
{digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
#line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
#line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: Problem with compiling refpolicy base.pp
2010-03-03 15:36 ` Justin P. mattock
@ 2010-03-03 15:53 ` Stephen Smalley
2010-03-03 16:24 ` Justin P. mattock
0 siblings, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2010-03-03 15:53 UTC (permalink / raw)
To: Justin P. mattock; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers
On Wed, 2010-03-03 at 07:36 -0800, Justin P. mattock wrote:
> On 03/03/2010 07:28 AM, Stephen Smalley wrote:
> > On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
> >> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> >>> Hi there.
> >>>
> >>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> >>> tools (libselinux policycoreutils). I'm trying to:
> >>>
> >>> make bare
> >>> make conf
> >>> make base.pp
> >>>
> >>> My configuration:
> >>>
> >>> TYPE=mcs
> >>> NAME=refpolicy
> >>> UNK_PERMS=allow
> >>> DIRECT_INITRC=n
> >>> MONOLITHIC=n
> >>> UBAC=n
> >>> MLS_CATS=1024
> >>> MCS_CATS=1024
> >>>
> >>> But, the last command failed with the following error:
> >>>
> >>> Creating refpolicy base module base.conf
> >>> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> >>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf> base.conf
> >>> Compiling refpolicy base module
> >>> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> >>> /usr/bin/checkmodule: loading policy configuration from base.conf
> >>> base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> >>> level s0:c0.c1023;
> >>>
> >>> Seems to be, it's a good line (2032), but checkmodule can't eat it.
> >>>
> >>> Where can be the probem?
> >>
> >> Looks like a scanner problem to me. There have been problems with some
> >> versions of flex, e.g. see:
> >> http://marc.info/?t=125613782400001&r=1&w=2
> >> but no one has ever tracked it down precisely and I've never been able
> >> to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so
> >> that it generates debug output and then capture the stderr of running
> >> checkpolicy on base.conf. Here I get the following output for that
> >> line:
> >> --accepting rule at line 55 ("
> >> level s0:c0.c1023;")
> >> --accepting rule at line 116 ("level")
> >> --accepting rule at line 227 (" ")
> >> --accepting rule at line 219 ("s0")
> >> --accepting rule at line 235 (":")
> >> --accepting rule at line 219 ("c0.c1023")
> >> --accepting rule at line 236 (";")
> >>
> >> Note that the ":" gets treated as a separate token above, as it should,
> >> whereas your checkmodule seems to not be splitting it properly.
> >>
> >> You can look at checkpolicy/policy_scan.l and see if anything strikes
> >> you as problematic, but it looks sane to me. Maybe it is matching on
> >> ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in
> >> the pattern. Does this help?
> >>
> >> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> >> index 48128a8..b7b8f0a 100644
> >> --- a/checkpolicy/policy_scan.l
> >> +++ b/checkpolicy/policy_scan.l
> >> @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); }
> >> {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
> >> {digit}+|0x{hexval}+ { return(NUMBER); }
> >> {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
> >> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
> >> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); }
> >> {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
> >> #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
> >> #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
> >
> > Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
> > escaped via backslash as well?
> >
>
>
> if the flex version from git goes all the way
> back to 2.5* I'll do a bisect on this
> but if it only goes so far, then bisection
> can be tricky.
If my patch fixes the problem, it was a bug in checkpolicy, not a bug in
flex.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Problem with compiling refpolicy base.pp
2010-03-03 15:21 ` Stephen Smalley
2010-03-03 15:28 ` Stephen Smalley
@ 2010-03-03 16:23 ` Stephen Smalley
2010-03-03 18:16 ` Justin P. mattock
` (2 more replies)
1 sibling, 3 replies; 13+ messages in thread
From: Stephen Smalley @ 2010-03-03 16:23 UTC (permalink / raw)
To: AlannY; +Cc: SELinux, Joshua Brindle, Chad Sellers
On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> > Hi there.
> >
> > I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> > tools (libselinux policycoreutils). I'm trying to:
> >
> > make bare
> > make conf
> > make base.pp
> >
> > My configuration:
> >
> > TYPE=mcs
> > NAME=refpolicy
> > UNK_PERMS=allow
> > DIRECT_INITRC=n
> > MONOLITHIC=n
> > UBAC=n
> > MLS_CATS=1024
> > MCS_CATS=1024
> >
> > But, the last command failed with the following error:
> >
> > Creating refpolicy base module base.conf
> > cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> > tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
> > Compiling refpolicy base module
> > /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> > /usr/bin/checkmodule: loading policy configuration from base.conf
> > base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> > level s0:c0.c1023;
> >
> > Seems to be, it's a good line (2032), but checkmodule can't eat it.
> >
> > Where can be the probem?
>
> Looks like a scanner problem to me. There have been problems with some
> versions of flex, e.g. see:
> http://marc.info/?t=125613782400001&r=1&w=2
> but no one has ever tracked it down precisely and I've never been able
> to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so
> that it generates debug output and then capture the stderr of running
> checkpolicy on base.conf. Here I get the following output for that
> line:
> --accepting rule at line 55 ("
> level s0:c0.c1023;")
> --accepting rule at line 116 ("level")
> --accepting rule at line 227 (" ")
> --accepting rule at line 219 ("s0")
> --accepting rule at line 235 (":")
> --accepting rule at line 219 ("c0.c1023")
> --accepting rule at line 236 (";")
>
> Note that the ":" gets treated as a separate token above, as it should,
> whereas your checkmodule seems to not be splitting it properly.
>
> You can look at checkpolicy/policy_scan.l and see if anything strikes
> you as problematic, but it looks sane to me. Maybe it is matching on
> ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in
> the pattern. Does this help?
>
> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> index 48128a8..b7b8f0a 100644
> --- a/checkpolicy/policy_scan.l
> +++ b/checkpolicy/policy_scan.l
> @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); }
> {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
> {digit}+|0x{hexval}+ { return(NUMBER); }
> {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); }
> {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
> #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
> #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
It turns out there was a reason why we originally allowed "." in the
ipv6_addr pattern - for embedded ipv4 addresses,
http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm
Re-considering this, I don't see why we'd match on ipv6_addr anyway
(":c0.c1023" doesn't match the pattern as it lacks two colons), so
perhaps this is still a bug in flex.
It did first seem to manifest after the ipv6_addr pattern was added
though, so I think that the ipv6_addr pattern is the trigger for the
bug.
http://marc.info/?t=109338686200002&r=1&w=2
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Problem with compiling refpolicy base.pp
2010-03-03 15:53 ` Stephen Smalley
@ 2010-03-03 16:24 ` Justin P. mattock
2010-03-03 16:27 ` Stephen Smalley
0 siblings, 1 reply; 13+ messages in thread
From: Justin P. mattock @ 2010-03-03 16:24 UTC (permalink / raw)
To: Stephen Smalley; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers
On 03/03/2010 07:53 AM, Stephen Smalley wrote:
> On Wed, 2010-03-03 at 07:36 -0800, Justin P. mattock wrote:
>> On 03/03/2010 07:28 AM, Stephen Smalley wrote:
>>> On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
>>>> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
>>>>> Hi there.
>>>>>
>>>>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
>>>>> tools (libselinux policycoreutils). I'm trying to:
>>>>>
>>>>> make bare
>>>>> make conf
>>>>> make base.pp
>>>>>
>>>>> My configuration:
>>>>>
>>>>> TYPE=mcs
>>>>> NAME=refpolicy
>>>>> UNK_PERMS=allow
>>>>> DIRECT_INITRC=n
>>>>> MONOLITHIC=n
>>>>> UBAC=n
>>>>> MLS_CATS=1024
>>>>> MCS_CATS=1024
>>>>>
>>>>> But, the last command failed with the following error:
>>>>>
>>>>> Creating refpolicy base module base.conf
>>>>> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
>>>>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf> base.conf
>>>>> Compiling refpolicy base module
>>>>> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
>>>>> /usr/bin/checkmodule: loading policy configuration from base.conf
>>>>> base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
>>>>> level s0:c0.c1023;
>>>>>
>>>>> Seems to be, it's a good line (2032), but checkmodule can't eat it.
>>>>>
>>>>> Where can be the probem?
>>>>
>>>> Looks like a scanner problem to me. There have been problems with some
>>>> versions of flex, e.g. see:
>>>> http://marc.info/?t=125613782400001&r=1&w=2
>>>> but no one has ever tracked it down precisely and I've never been able
>>>> to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so
>>>> that it generates debug output and then capture the stderr of running
>>>> checkpolicy on base.conf. Here I get the following output for that
>>>> line:
>>>> --accepting rule at line 55 ("
>>>> level s0:c0.c1023;")
>>>> --accepting rule at line 116 ("level")
>>>> --accepting rule at line 227 (" ")
>>>> --accepting rule at line 219 ("s0")
>>>> --accepting rule at line 235 (":")
>>>> --accepting rule at line 219 ("c0.c1023")
>>>> --accepting rule at line 236 (";")
>>>>
>>>> Note that the ":" gets treated as a separate token above, as it should,
>>>> whereas your checkmodule seems to not be splitting it properly.
>>>>
>>>> You can look at checkpolicy/policy_scan.l and see if anything strikes
>>>> you as problematic, but it looks sane to me. Maybe it is matching on
>>>> ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in
>>>> the pattern. Does this help?
>>>>
>>>> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
>>>> index 48128a8..b7b8f0a 100644
>>>> --- a/checkpolicy/policy_scan.l
>>>> +++ b/checkpolicy/policy_scan.l
>>>> @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); }
>>>> {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
>>>> {digit}+|0x{hexval}+ { return(NUMBER); }
>>>> {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
>>>> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
>>>> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); }
>>>> {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
>>>> #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
>>>> #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
>>>
>>> Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
>>> escaped via backslash as well?
>>>
>>
>>
>> if the flex version from git goes all the way
>> back to 2.5* I'll do a bisect on this
>> but if it only goes so far, then bisection
>> can be tricky.
>
> If my patch fixes the problem, it was a bug in checkpolicy, not a bug in
> flex.
>
heres what I get:
flex --version
flex 2.5.35
(without the patch applied).
Compiling mcs base module
/usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
base.conf:1265:ERROR 'syntax error' at token ':c0.c255' on line 1265:
level s0:c0.c255;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1
(after applying patch):
Compiling mcs base module
/usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
base.conf:1265:ERROR 'syntax error' at token ':c0' on line 1265:
level s0:c0.c255;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1
as soon as I compile checkpolicy/checkmodule with the older version of
flex the policy will compile without the syntax error.
but if this is userspace(SELinux) issue, I can try a bisect with
checkpolicy/checkmodule.
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Problem with compiling refpolicy base.pp
2010-03-03 16:24 ` Justin P. mattock
@ 2010-03-03 16:27 ` Stephen Smalley
0 siblings, 0 replies; 13+ messages in thread
From: Stephen Smalley @ 2010-03-03 16:27 UTC (permalink / raw)
To: Justin P. mattock; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers
On Wed, 2010-03-03 at 08:24 -0800, Justin P. mattock wrote:
> On 03/03/2010 07:53 AM, Stephen Smalley wrote:
> > On Wed, 2010-03-03 at 07:36 -0800, Justin P. mattock wrote:
> >> On 03/03/2010 07:28 AM, Stephen Smalley wrote:
> >>> On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
> >>>> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> >>>>> Hi there.
> >>>>>
> >>>>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> >>>>> tools (libselinux policycoreutils). I'm trying to:
> >>>>>
> >>>>> make bare
> >>>>> make conf
> >>>>> make base.pp
> >>>>>
> >>>>> My configuration:
> >>>>>
> >>>>> TYPE=mcs
> >>>>> NAME=refpolicy
> >>>>> UNK_PERMS=allow
> >>>>> DIRECT_INITRC=n
> >>>>> MONOLITHIC=n
> >>>>> UBAC=n
> >>>>> MLS_CATS=1024
> >>>>> MCS_CATS=1024
> >>>>>
> >>>>> But, the last command failed with the following error:
> >>>>>
> >>>>> Creating refpolicy base module base.conf
> >>>>> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> >>>>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf> base.conf
> >>>>> Compiling refpolicy base module
> >>>>> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> >>>>> /usr/bin/checkmodule: loading policy configuration from base.conf
> >>>>> base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> >>>>> level s0:c0.c1023;
> >>>>>
> >>>>> Seems to be, it's a good line (2032), but checkmodule can't eat it.
> >>>>>
> >>>>> Where can be the probem?
> >>>>
> >>>> Looks like a scanner problem to me. There have been problems with some
> >>>> versions of flex, e.g. see:
> >>>> http://marc.info/?t=125613782400001&r=1&w=2
> >>>> but no one has ever tracked it down precisely and I've never been able
> >>>> to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so
> >>>> that it generates debug output and then capture the stderr of running
> >>>> checkpolicy on base.conf. Here I get the following output for that
> >>>> line:
> >>>> --accepting rule at line 55 ("
> >>>> level s0:c0.c1023;")
> >>>> --accepting rule at line 116 ("level")
> >>>> --accepting rule at line 227 (" ")
> >>>> --accepting rule at line 219 ("s0")
> >>>> --accepting rule at line 235 (":")
> >>>> --accepting rule at line 219 ("c0.c1023")
> >>>> --accepting rule at line 236 (";")
> >>>>
> >>>> Note that the ":" gets treated as a separate token above, as it should,
> >>>> whereas your checkmodule seems to not be splitting it properly.
> >>>>
> >>>> You can look at checkpolicy/policy_scan.l and see if anything strikes
> >>>> you as problematic, but it looks sane to me. Maybe it is matching on
> >>>> ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in
> >>>> the pattern. Does this help?
> >>>>
> >>>> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> >>>> index 48128a8..b7b8f0a 100644
> >>>> --- a/checkpolicy/policy_scan.l
> >>>> +++ b/checkpolicy/policy_scan.l
> >>>> @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); }
> >>>> {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
> >>>> {digit}+|0x{hexval}+ { return(NUMBER); }
> >>>> {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
> >>>> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
> >>>> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); }
> >>>> {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
> >>>> #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
> >>>> #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
> >>>
> >>> Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
> >>> escaped via backslash as well?
> >>>
> >>
> >>
> >> if the flex version from git goes all the way
> >> back to 2.5* I'll do a bisect on this
> >> but if it only goes so far, then bisection
> >> can be tricky.
> >
> > If my patch fixes the problem, it was a bug in checkpolicy, not a bug in
> > flex.
> >
>
>
> heres what I get:
>
>
> flex --version
> flex 2.5.35
>
> (without the patch applied).
>
> Compiling mcs base module
> /usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod
> /usr/bin/checkmodule: loading policy configuration from base.conf
> base.conf:1265:ERROR 'syntax error' at token ':c0.c255' on line 1265:
>
> level s0:c0.c255;
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/base.mod] Error 1
>
>
> (after applying patch):
>
> Compiling mcs base module
> /usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod
> /usr/bin/checkmodule: loading policy configuration from base.conf
> base.conf:1265:ERROR 'syntax error' at token ':c0' on line 1265:
>
> level s0:c0.c255;
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/base.mod] Error 1
>
>
> as soon as I compile checkpolicy/checkmodule with the older version of
> flex the policy will compile without the syntax error.
>
> but if this is userspace(SELinux) issue, I can try a bisect with
> checkpolicy/checkmodule.
No, your test result confirms that the bug lies in flex. The ipv6_addr
pattern is just the trigger. It should not match (requires at least two
colons), but appears to be doing so. See my other email.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Problem with compiling refpolicy base.pp
2010-03-03 16:23 ` Stephen Smalley
@ 2010-03-03 18:16 ` Justin P. mattock
2010-03-03 20:52 ` Justin P. mattock
2010-03-03 21:14 ` Justin P. mattock
2 siblings, 0 replies; 13+ messages in thread
From: Justin P. mattock @ 2010-03-03 18:16 UTC (permalink / raw)
To: Stephen Smalley; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers
On 03/03/2010 08:23 AM, Stephen Smalley wrote:
> On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
>> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
>>> Hi there.
>>>
>>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
>>> tools (libselinux policycoreutils). I'm trying to:
>>>
>>> make bare
>>> make conf
>>> make base.pp
>>>
>>> My configuration:
>>>
>>> TYPE=mcs
>>> NAME=refpolicy
>>> UNK_PERMS=allow
>>> DIRECT_INITRC=n
>>> MONOLITHIC=n
>>> UBAC=n
>>> MLS_CATS=1024
>>> MCS_CATS=1024
>>>
>>> But, the last command failed with the following error:
>>>
>>> Creating refpolicy base module base.conf
>>> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
>>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf> base.conf
>>> Compiling refpolicy base module
>>> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
>>> /usr/bin/checkmodule: loading policy configuration from base.conf
>>> base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
>>> level s0:c0.c1023;
>>>
>>> Seems to be, it's a good line (2032), but checkmodule can't eat it.
>>>
>>> Where can be the probem?
>>
>> Looks like a scanner problem to me. There have been problems with some
>> versions of flex, e.g. see:
>> http://marc.info/?t=125613782400001&r=1&w=2
>> but no one has ever tracked it down precisely and I've never been able
>> to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so
>> that it generates debug output and then capture the stderr of running
>> checkpolicy on base.conf. Here I get the following output for that
>> line:
>> --accepting rule at line 55 ("
>> level s0:c0.c1023;")
>> --accepting rule at line 116 ("level")
>> --accepting rule at line 227 (" ")
>> --accepting rule at line 219 ("s0")
>> --accepting rule at line 235 (":")
>> --accepting rule at line 219 ("c0.c1023")
>> --accepting rule at line 236 (";")
>>
>> Note that the ":" gets treated as a separate token above, as it should,
>> whereas your checkmodule seems to not be splitting it properly.
>>
>> You can look at checkpolicy/policy_scan.l and see if anything strikes
>> you as problematic, but it looks sane to me. Maybe it is matching on
>> ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in
>> the pattern. Does this help?
>>
>> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
>> index 48128a8..b7b8f0a 100644
>> --- a/checkpolicy/policy_scan.l
>> +++ b/checkpolicy/policy_scan.l
>> @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); }
>> {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
>> {digit}+|0x{hexval}+ { return(NUMBER); }
>> {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
>> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
>> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); }
>> {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
>> #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
>> #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
>
> It turns out there was a reason why we originally allowed "." in the
> ipv6_addr pattern - for embedded ipv4 addresses,
> http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm
>
> Re-considering this, I don't see why we'd match on ipv6_addr anyway
> (":c0.c1023" doesn't match the pattern as it lacks two colons), so
> perhaps this is still a bug in flex.
>
> It did first seem to manifest after the ipv6_addr pattern was added
> though, so I think that the ipv6_addr pattern is the trigger for the
> bug.
> http://marc.info/?t=109338686200002&r=1&w=2
>
>
man!! seeing all of the bickering towards the end
really looks bad.
Anyways I made a wrapper with the -l option and tried other options
as well, and still am able to reproduce this syntax error.
FWIW here's the -v option while building checkmodule/checkpolicy with
new/older
versions of flex:
scanner options: -lvI8 -Cem
1677/2000 NFA states
944/1000 DFA states (8671 words)
188 rules
Compressed tables always back-up
1/40 start conditions
494 epsilon states, 252 double epsilon states
28/100 character classes needed 458/500 words of storage, 0 reused
50312 state/nextstate pairs created
3621/46691 unique/duplicate transitions
988/1000 base-def entries created
2182/4000 (peak 5221) nxt-chk entries created
396/5000 (peak 3520) template nxt-chk entries created
0 empty table entries
49 protos created
44 templates created, 98 uses
80/256 equivalence classes created
9/256 meta-equivalence classes created
0 (17 saved) hash collisions, 2680 DFAs equal
3 sets of reallocations needed
6676 total table entries needed
and the -v option with the older version of flex that
works:
/flex version 2.5.4 usage statistics:
scanner options: -lvI8 -Cem
1621/2000 NFA states
891/1000 DFA states (8396 words)
188 rules
Compressed tables always back-up
1/40 start conditions
465 epsilon states, 236 double epsilon states
13/100 character classes needed 161/500 words of storage, 14 reused
48957 state/nextstate pairs created
3506/45451 unique/duplicate transitions
907/1000 base-def entries created
2038/4000 (peak 2927) nxt-chk entries created
144/2500 (peak 1280) template nxt-chk entries created
0 empty table entries
21 protos created
16 templates created, 48 uses
80/256 equivalence classes created
9/256 meta-equivalence classes created
1 (15 saved) hash collisions, 2618 DFAs equal
2 sets of reallocations needed
6226 total table entries needed
I thinking I'll try a go at bisecting flex(if possible),and see,
but might take some time.
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Problem with compiling refpolicy base.pp
2010-03-03 16:23 ` Stephen Smalley
2010-03-03 18:16 ` Justin P. mattock
@ 2010-03-03 20:52 ` Justin P. mattock
2010-03-03 21:14 ` Justin P. mattock
2 siblings, 0 replies; 13+ messages in thread
From: Justin P. mattock @ 2010-03-03 20:52 UTC (permalink / raw)
To: Stephen Smalley; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers
ahh.. with the git interface for flex
I reset to the last commit, which makes
checkmodule/checkpolicy work. I'll have a go
at the bisect and see if I comeup
with anything of use.
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Problem with compiling refpolicy base.pp
2010-03-03 16:23 ` Stephen Smalley
2010-03-03 18:16 ` Justin P. mattock
2010-03-03 20:52 ` Justin P. mattock
@ 2010-03-03 21:14 ` Justin P. mattock
2 siblings, 0 replies; 13+ messages in thread
From: Justin P. mattock @ 2010-03-03 21:14 UTC (permalink / raw)
To: Stephen Smalley; +Cc: AlannY, SELinux, Joshua Brindle, Chad Sellers
ouch.. now I see the dilema with a bisect
this might take some time..
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2010-03-03 21:14 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-03-03 14:31 Problem with compiling refpolicy base.pp AlannY
2010-03-03 15:21 ` Stephen Smalley
2010-03-03 15:28 ` Stephen Smalley
2010-03-03 15:36 ` Justin P. mattock
2010-03-03 15:53 ` Stephen Smalley
2010-03-03 16:24 ` Justin P. mattock
2010-03-03 16:27 ` Stephen Smalley
2010-03-03 15:52 ` Stephen Smalley
2010-03-03 16:23 ` Stephen Smalley
2010-03-03 18:16 ` Justin P. mattock
2010-03-03 20:52 ` Justin P. mattock
2010-03-03 21:14 ` Justin P. mattock
2010-03-03 15:30 ` Justin P. mattock
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.