2011-08-19 12:00:24

by nicky726

Subject: [refpolicy] Building refpolicy fails on Arch Linux

Hello,

I maintain SELinux packages for Arch Linux and recently I came across an error when building refpolicy:

Creating refpolicy bootloader.pp policy package
Creating refpolicy brctl.pp policy package
Creating refpolicy bugzilla.pp policy package
/usr/bin/semodule_package -o bootloader.pp -m tmp/bootloader.mod -f tmp/bootloader.mod.fc
/usr/bin/semodule_package -o brctl.pp -m tmp/brctl.mod -f tmp/brctl.mod.fc
/usr/bin/semodule_package -o bugzilla.pp -m tmp/bugzilla.mod -f tmp/bugzilla.mod.fc
Creating refpolicy canna.pp policy package
Creating refpolicy calamaris.pp policy package
Creating refpolicy ccs.pp policy package
/usr/bin/semodule_package -o calamaris.pp -m tmp/calamaris.mod -f tmp/calamaris.mod.fc
/usr/bin/semodule_package -o ccs.pp -m tmp/ccs.mod -f tmp/ccs.mod.fc
/usr/bin/semodule_package -o canna.pp -m tmp/canna.mod -f tmp/canna.mod.fc
Creating refpolicy cdrecord.pp policy package
Creating refpolicy certmaster.pp policy package
/usr/bin/semodule_package -o cdrecord.pp -m tmp/cdrecord.mod -f tmp/cdrecord.mod.fc
Creating refpolicy certmonger.pp policy package
/usr/bin/semodule_package -o certmaster.pp -m tmp/certmaster.mod -f tmp/certmaster.mod.fc
/usr/bin/semodule_package -o certmonger.pp -m tmp/certmonger.mod -f tmp/certmonger.mod.fc
Creating refpolicy base module base.conf
cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
Compiling refpolicy base module
/usr/bin/checkmodule base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
tmp/rolemap.conf":1687:ERROR 'syntax error' at token 'fs_use_trans' on line 22466:
fs_use_trans devtmpfs system_u:object_r:device_t;
genfscon securityfs / system_u:object_r:security_t
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1
==> CHYBA: Došlo k chybě v build().

This happens when building the 20110726 release, it happens also with the previous release and current git for some time, so I'd say Arch has some
"compiler" or library at too recent version or with wrong build options. Also I have to use some fairly outdated flex package to get this far in the build
process, or I get some other error message earlier in the build. Could you please help me resolve these issues, as currently SELinux is not usable on Arch.
I will provide any other information, but currently I am lost with this. I didn't find any list of build-dependencies other than checkpolicy and libsepol,
nor did looking into Fedora's src rpm do me any good.

Thanx, Nicky


2011-08-19 12:14:26

by cpebenito

Subject: [refpolicy] Building refpolicy fails on Arch Linux

On 08/19/11 08:00, Nicky726 wrote:
> Hello,
>
> I maintain SELinux packages for Arch Linux and recently I came across an error when building refpolicy:
>
> Creating refpolicy bootloader.pp policy package
> Creating refpolicy brctl.pp policy package
> Creating refpolicy bugzilla.pp policy package
> /usr/bin/semodule_package -o bootloader.pp -m tmp/bootloader.mod -f tmp/bootloader.mod.fc
> /usr/bin/semodule_package -o brctl.pp -m tmp/brctl.mod -f tmp/brctl.mod.fc
> /usr/bin/semodule_package -o bugzilla.pp -m tmp/bugzilla.mod -f tmp/bugzilla.mod.fc
> Creating refpolicy canna.pp policy package
> Creating refpolicy calamaris.pp policy package
> Creating refpolicy ccs.pp policy package
> /usr/bin/semodule_package -o calamaris.pp -m tmp/calamaris.mod -f tmp/calamaris.mod.fc
> /usr/bin/semodule_package -o ccs.pp -m tmp/ccs.mod -f tmp/ccs.mod.fc
> /usr/bin/semodule_package -o canna.pp -m tmp/canna.mod -f tmp/canna.mod.fc
> Creating refpolicy cdrecord.pp policy package
> Creating refpolicy certmaster.pp policy package
> /usr/bin/semodule_package -o cdrecord.pp -m tmp/cdrecord.mod -f tmp/cdrecord.mod.fc
> Creating refpolicy certmonger.pp policy package
> /usr/bin/semodule_package -o certmaster.pp -m tmp/certmaster.mod -f tmp/certmaster.mod.fc
> /usr/bin/semodule_package -o certmonger.pp -m tmp/certmonger.mod -f tmp/certmonger.mod.fc
> Creating refpolicy base module base.conf
> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
> Compiling refpolicy base module
> /usr/bin/checkmodule base.conf -o tmp/base.mod
> /usr/bin/checkmodule: loading policy configuration from base.conf
> tmp/rolemap.conf":1687:ERROR 'syntax error' at token 'fs_use_trans' on line 22466:
> fs_use_trans devtmpfs system_u:object_r:device_t;
> genfscon securityfs / system_u:object_r:security_t
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/base.mod] Error 1
> ==> CHYBA: Došlo k chybě v build().
>
> This happens when building the 20110726 release, it happens also with the previous release and current git for some time, so I'd say Arch has some
> "compiler" or library at too recent version or with wrong build options. Also I have to use some fairly outdated flex package to get this far in the build
> process, or I get some other error message earlier in the build. Could you please help me resolve these issues, as currently SELinux is not usable on Arch.
> I will provide any other information, but currently I am lost with this. I didn't find any list of build-dependencies other than checkpolicy and libsepol,
> nor did looking into Fedora's src rpm do me any good.

It's likely a toolchain problem. I could compile the policy with the
previous release toolchain and current release toolchain with flex
2.5.35_p10 and bison 2.5. IIRC buggy flex causes problems like this.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-08-19 13:21:43

by nicky726

Subject: [refpolicy] Building refpolicy fails on Arch Linux

On Fri 19 August 2011 08.14:26 Chris PeBenito wrote:
> It's likely a toolchain problem. I could compile the policy with the
> previous release toolchain and current release toolchain with flex
> 2.5.35_p10 and bison 2.5. IIRC buggy flex causes problems like this.

Hi, thanx. What do you mean by toolchain? The SELinux userspace? If I use Arch's flex 2.5.35-4 and bison 2.5-1 the build process ends earlier with:

m4 -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -s support/divert.m4
policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/obj_perm_sets.spt policy/support/misc_patterns.spt
policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/loadable_module.spt support/undivert.m4
tmp/generated_definitions.conf tmp/all_interfaces.conf policy/modules/services/cipe.te tmp/cipe.mod.role > tmp/cipe.tmp
/usr/bin/checkmodule -m tmp/cgroup.tmp -o tmp/cgroup.mod
/usr/bin/checkmodule: loading policy configuration from tmp/cgroup.tmp
policy/modules/services/cgroup.te":10:ERROR 'syntax error' at token ':' on line 486:
allow cgclear_t init_t:process sigchld;
#line 10
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/cgroup.mod] Error 1
make: *** Waiting for unfinished jobs....
/usr/bin/checkmodule -m tmp/cipe.tmp -o tmp/cipe.mod
/usr/bin/checkmodule: loading policy configuration from tmp/cipe.tmp
policy/modules/services/cipe.te":10:ERROR 'syntax error' at token ':' on line 486:
allow ciped_t init_t:process sigchld;
#line 10
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/cipe.mod] Error 1
/usr/bin/checkmodule -m tmp/chronyd.tmp -o tmp/chronyd.mod
/usr/bin/checkmodule: loading policy configuration from tmp/chronyd.tmp
policy/modules/services/chronyd.te":10:ERROR 'syntax error' at token ':' on line 486:
allow chronyd_t init_t:process sigchld;
#line 10
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/chronyd.mod] Error 1
==> CHYBA: Došlo k chybě v build().

This version of package flex you are referring to is Fedora's version?

Nicky

Don't it always seem to go
That you don't know what you've got
Till it's gone

(Joni Mitchell)

2011-08-19 15:07:58

by cpebenito

Subject: [refpolicy] Building refpolicy fails on Arch Linux

On 08/19/11 09:21, Nicky726 wrote:
> On Fri 19 August 2011 08.14:26 Chris PeBenito wrote:
>> It's likely a toolchain problem. I could compile the policy with the
>> previous release toolchain and current release toolchain with flex
>> 2.5.35_p10 and bison 2.5. IIRC buggy flex causes problems like this.
>
> Hi, thanx. What do you mean by toolchain? The SELinux userspace? If I use Arch's flex 2.5.35-4 and bison 2.5-1 the build process ends earlier with:

The SELinux userspace.

> m4 -D enable_ubac -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -D hide_broken_symptoms -s support/divert.m4
> policy/support/file_patterns.spt policy/support/ipc_patterns.spt policy/support/obj_perm_sets.spt policy/support/misc_patterns.spt
> policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/loadable_module.spt support/undivert.m4
> tmp/generated_definitions.conf tmp/all_interfaces.conf policy/modules/services/cipe.te tmp/cipe.mod.role > tmp/cipe.tmp
> /usr/bin/checkmodule -m tmp/cgroup.tmp -o tmp/cgroup.mod
> /usr/bin/checkmodule: loading policy configuration from tmp/cgroup.tmp
> policy/modules/services/cgroup.te":10:ERROR 'syntax error' at token ':' on line 486:
> allow cgclear_t init_t:process sigchld;
> #line 10
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/cgroup.mod] Error 1
> make: *** Waiting for unfinished jobs....
> /usr/bin/checkmodule -m tmp/cipe.tmp -o tmp/cipe.mod
> /usr/bin/checkmodule: loading policy configuration from tmp/cipe.tmp
> policy/modules/services/cipe.te":10:ERROR 'syntax error' at token ':' on line 486:
> allow ciped_t init_t:process sigchld;
> #line 10
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/cipe.mod] Error 1
> /usr/bin/checkmodule -m tmp/chronyd.tmp -o tmp/chronyd.mod
> /usr/bin/checkmodule: loading policy configuration from tmp/chronyd.tmp
> policy/modules/services/chronyd.te":10:ERROR 'syntax error' at token ':' on line 486:
> allow chronyd_t init_t:process sigchld;
> #line 10
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/chronyd.mod] Error 1
> ==> CHYBA: Došlo k chybě v build().
>
> This version of package flex you are referring to is Fedora's version?

Actually it's Gentoo's version. I haven't heard any problems from Dan
about compile errors like this in Fedora, so I'm still thinking it's your
toolchain. Did you rebuild checkpolicy after changing flex and bison?
This pops up from time to time, the last thread I can find on it is here:

http://marc.info/?l=selinux&m=126762983301065&w=2

Also cc'ing Steve Smalley in case he has any additional feedback.

Steve: maybe we should put up a page on the selinuxproject.org about
these flex issues. Maybe a summary of what we know or known bad
versions or something.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
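
Added example, not part of the thread or of refpolicy: a shell helper that groups checkmodule errors by offending token and expanded-input line, which makes visible that the three failures in the log quoted above share one cause. The function names and the "two or more source files" heuristic are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): group checkmodule errors in a build log.
# Assumed heuristic: one (token, line) pair failing across unrelated modules
# points at checkmodule and the flex/bison it was built with, not at a .te file.

# Excerpt of the log quoted above, trimmed to the lines that matter.
sample_log() {
    cat <<'EOF'
/usr/bin/checkmodule -m tmp/cgroup.tmp -o tmp/cgroup.mod
policy/modules/services/cgroup.te":10:ERROR 'syntax error' at token ':' on line 486:
make: *** [tmp/cgroup.mod] Error 1
policy/modules/services/cipe.te":10:ERROR 'syntax error' at token ':' on line 486:
make: *** [tmp/cipe.mod] Error 1
policy/modules/services/chronyd.te":10:ERROR 'syntax error' at token ':' on line 486:
make: *** [tmp/chronyd.mod] Error 1
EOF
}

# Reads a log on stdin; prints "<source files>\t<token>\t<expanded line>".
group_checkmodule_errors() {
    awk -v q="'" '
        BEGIN { FS = q }                      # split on the quotes around message and token
        /ERROR/ && NF >= 5 {
            src = $1; sub(/":.*$/, "", src)   # source file reported via #line
            ln = $5; gsub(/[^0-9]/, "", ln)   # line number in the m4-expanded input
            key = $4 "\t" ln                  # $4 is the offending token
            if (!((key, src) in seen)) { seen[key, src] = 1; count[key]++ }
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort
}

# Exit 0 when some (token, line) pair is shared by two or more source files.
looks_like_toolchain() {
    group_checkmodule_errors | awk -F '\t' '$1 >= 2 { hit = 1 } END { exit !hit }'
}

if sample_log | looks_like_toolchain; then
    echo "same token and line across modules: rebuild checkpolicy first"
    sample_log | group_checkmodule_errors
fi
```

To triage a real build, pipe the saved build output into `group_checkmodule_errors` instead of `sample_log`.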

2011-08-31 18:15:58

by nicky726

Subject: [refpolicy] Building refpolicy fails on Arch Linux

On Fri 19 August 2011 11.07:58 you wrote:
> Actually it's Gentoo's version. I haven't heard any problems from Dan
> about compile errors like this in Fedora, so I'm still thinking it's your
> toolchain. Did you rebuild checkpolicy after changing flex and bison?
> This pops up from time to time, the last thread I can find on it is here:
>
> http://marc.info/?l=selinux&m=126762983301065&w=2
>
> Also cc'ing Steve Smalley in case he has any additional feedback.
>
> Steve: maybe we should put up a page on the selinuxproject.org about
> these flex issues. Maybe a summary of what we know or known bad
> versions or something.

I tried various combinations of versions of flex, bison and selinux userspace. I didn't succeed on my SELinux netbook. I managed to build refpolicy on my
primary machine with just latest SELinux Userspace and prehistoric flex (2.5.4a-4), that is a version combination which does not build the policy on my
netbook. I don't quite get it, especially as the software configuration is quite alike.

Nicky

Don't it always seem to go
That you don't know what you've got
Till it's gone

(Joni Mitchell)

2011-09-02 14:16:33

by cpebenito

Subject: [refpolicy] Building refpolicy fails on Arch Linux

On 08/31/11 14:15, Nicky726 wrote:
> On Fri 19 August 2011 11.07:58 you wrote:
>> Actually it's Gentoo's version. I haven't heard any problems from Dan
>> about compile errors like this in Fedora, so I'm still thinking it's your
>> toolchain. Did you rebuild checkpolicy after changing flex and bison?
>> This pops up from time to time, the last thread I can find on it is here:
>>
>> http://marc.info/?l=selinux&m=126762983301065&w=2
>>
>> Also cc'ing Steve Smalley in case he has any additional feedback.
>>
>> Steve: maybe we should put up a page on the selinuxproject.org about
>> these flex issues. Maybe a summary of what we know or known bad
>> versions or something.
>
> I tried various combinations of versions of flex, bison and selinux userspace. I didn't succeed on my SELinux netbook. I managed to build refpolicy on my
> primary machine with just latest SELinux Userspace and prehistoric flex (2.5.4a-4), that is a version combination which does not build the policy on my
> netbook. I don't quite get it, especially as the software configuration is quite alike.

Unfortunately all I can suggest is to try the SELinux list for further help. They'll be better able to sort out any toolchain issues you may have.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com