2014-09-07 21:29:54

by Nicolas Iooss

Subject: [refpolicy] [PATCH] Fix minor typo in init.if

---
policy/modules/system/init.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 921796e547e3..24e62e9c8f03 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -814,7 +814,7 @@ interface(`init_rw_initctl',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
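Review bot: the hunk header places this change after interface(`init_rw_initctl', but the interface whose "domain" parameter is being re-documented is neither visible in the hunk nor named in the commit message, which is empty below the subject. Name that interface in the commit message body so the wording can be checked from the patch alone: "Domain to not audit." is only right for a dontaudit interface, and "Domain allowed access." for one that grants access.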
--
2.1.0


2014-09-08 18:27:42

by Dac Override

Subject: [refpolicy] [PATCH] Fix minor typo in init.if

On Sun, Sep 07, 2014 at 11:29:54PM +0200, Nicolas Iooss wrote:
> ---
> policy/modules/system/init.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 921796e547e3..24e62e9c8f03 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -814,7 +814,7 @@ interface(`init_rw_initctl',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain allowed access.
> +## Domain to not audit.
> ## </summary>
> ## </param>
> #
> --
> 2.1.0
>

It seems that we have one or more commits that break reference policy since the last release.

I am trying to track down the culprits; it started after last release but before or during June 25th.

It is going to take time to track this down because build-testing reference policy is so slow.

Looking forward to the day we have fully moved to cil/secilc.

2014-09-08 22:46:53

by Nicolas Iooss

Subject: [refpolicy] [PATCH] Fix minor typo in init.if

2014-09-08 20:27 GMT+02:00 Dominick Grift:
> It seems that we have one or more commits that break reference policy since the last release
>
> I am trying to track down the culprits, it started after last release but before or during June 25th
>
> It is going to take time to track this down because build-testing reference policy is so slow.
>
> Looking forward to the day we fully moved to cil/secilc
>

Tonight I had the idea of using travis-ci.org to automate some kind of
testing. This free service can basically watch public GitHub
repositories and run tests after every commit. I ran tests in some
configurations [1] and every test case failed.

The monolithic build fails with [2]:

/usr/bin/checkpolicy -U deny policy.conf -o policy.26
/usr/bin/checkpolicy: loading policy configuration from policy.conf
checkpolicy: expand.c:721: role_fix_callback: Assertion `regular_role
!= ((void *)0) && regular_role->flavor == 0' failed.
make: *** [policy.26] Aborted

The modular build verification ("make validate") fails with [3]:

/usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
semodule_expand: expand.c:721: role_fix_callback: Assertion
`regular_role != ((void *)0) && regular_role->flavor == 0' failed.
make: *** [validate] Aborted

Is this assertion failure known? I did not take time to investigate
further but travis-ci may run an old version of the build toolchain (on
Ubuntu) which breaks the latest refpolicy.

Wkr,

Nicolas


[1] https://travis-ci.org/fishilico/selinux-refpolicy-patched/builds/34760305
[2] https://travis-ci.org/fishilico/selinux-refpolicy-patched/jobs/34760306#L202
[3] https://travis-ci.org/fishilico/selinux-refpolicy-patched/jobs/34760307#L4227

2014-09-09 12:45:53

by cpebenito

Subject: [refpolicy] [PATCH] Fix minor typo in init.if

On 9/8/2014 6:46 PM, Nicolas Iooss wrote:
> 2014-09-08 20:27 GMT+02:00 Dominick Grift:
>> It seems that we have one or more commits that break reference policy since the last release
>>
>> I am trying to track down the culprits, it started after last release but before or during June 25th
>>
>> It is going to take time to track this down because build-testing reference policy is so slow.
>>
>> Looking forward to the day we fully moved to cil/secilc
>>
>
> Tonight I had the idea of using travis-ci.org to automate some kind of
> testing. This free service can basically watch public Github
> repositories and run tests after every commit. I ran tests in some
> configurations [1] and every test case failed.
>
> The monolithic build fails with [2]:
>
> /usr/bin/checkpolicy -U deny policy.conf -o policy.26
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> checkpolicy: expand.c:721: role_fix_callback: Assertion `regular_role
> != ((void *)0) && regular_role->flavor == 0' failed.
> make: *** [policy.26] Aborted
>
> The modular build verification ("make validate") fails with [3]:
>
> /usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
> semodule_expand: expand.c:721: role_fix_callback: Assertion
> `regular_role != ((void *)0) && regular_role->flavor == 0' failed.
> make: *** [validate] Aborted
>
> Is this assertion failure known? I did not take time to investigate
> further but travis-ci may run an old version of the build toolchain (on
> Ubuntu) which breaks the latest refpolicy.

I'd have to look at the code to better understand what the assertion means.

Are you using HEAD version of refpolicy and HEAD refpolicy-contrib? I'm
not able to reproduce any build errors.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-09-09 13:28:17

by Dac Override

Subject: [refpolicy] [PATCH] Fix minor typo in init.if

On Tue, Sep 09, 2014 at 08:45:53AM -0400, Christopher J. PeBenito wrote:
> On 9/8/2014 6:46 PM, Nicolas Iooss wrote:
> > 2014-09-08 20:27 GMT+02:00 Dominick Grift:
> >> It seems that we have one or more commits that break reference policy since the last release
> >>
> >> I am trying to track down the culprits, it started after last release but before or during June 25th
> >>
> >> It is going to take time to track this down because build-testing reference policy is so slow.
> >>
> >> Looking forward to the day we fully moved to cil/secilc
> >>
> >
> > Tonight I had the idea of using travis-ci.org to automate some kind of
> > testing. This free service can basically watch public Github
> > repositories and run tests after every commit. I ran tests in some
> > configurations [1] and every test case failed.
> >
> > The monolithic build fails with [2]:
> >
> > /usr/bin/checkpolicy -U deny policy.conf -o policy.26
> > /usr/bin/checkpolicy: loading policy configuration from policy.conf
> > checkpolicy: expand.c:721: role_fix_callback: Assertion `regular_role
> > != ((void *)0) && regular_role->flavor == 0' failed.
> > make: *** [policy.26] Aborted
> >
> > The modular build verification ("make validate") fails with [3]:
> >
> > /usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
> > semodule_expand: expand.c:721: role_fix_callback: Assertion
> > `regular_role != ((void *)0) && regular_role->flavor == 0' failed.
> > make: *** [validate] Aborted
> >
> > Is this assertion failure known? I did not take time to investigate
> > further but travis-ci may run an old version of the build toolchain (on
> > Ubuntu) which breaks the latest refpolicy.
>
> I'd have to look at the code to better understand what the assertion means.
>
> Are you using HEAD version of refpolicy and HEAD refpolicy-contrib? I'm
> not able to reproduce any build errors.
>

You aren't? Did you run your "super-quicktest" script on the HEADS?

I am closing in on a commit that breaks the build (super-quicktest fails here using both heads).

2014-09-09 18:40:34

by cpebenito

Subject: [refpolicy] [PATCH] Fix minor typo in init.if

On 9/9/2014 9:28 AM, Dominick Grift wrote:
> On Tue, Sep 09, 2014 at 08:45:53AM -0400, Christopher J. PeBenito wrote:
>> On 9/8/2014 6:46 PM, Nicolas Iooss wrote:
>>> 2014-09-08 20:27 GMT+02:00 Dominick Grift:
>>>> It seems that we have one or more commits that break reference policy since the last release
>>>>
>>>> I am trying to track down the culprits, it started after last release but before or during June 25th
>>>>
>>>> It is going to take time to track this down because build-testing reference policy is so slow.
>>>>
>>>> Looking forward to the day we fully moved to cil/secilc
>>>>
>>>
>>> Tonight I had the idea of using travis-ci.org to automate some kind of
>>> testing. This free service can basically watch public Github
>>> repositories and run tests after every commit. I ran tests in some
>>> configurations [1] and every test case failed.
>>>
>>> The monolithic build fails with [2]:
>>>
>>> /usr/bin/checkpolicy -U deny policy.conf -o policy.26
>>> /usr/bin/checkpolicy: loading policy configuration from policy.conf
>>> checkpolicy: expand.c:721: role_fix_callback: Assertion `regular_role
>>> != ((void *)0) && regular_role->flavor == 0' failed.
>>> make: *** [policy.26] Aborted
>>>
>>> The modular build verification ("make validate") fails with [3]:
>>>
>>> /usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
>>> semodule_expand: expand.c:721: role_fix_callback: Assertion
>>> `regular_role != ((void *)0) && regular_role->flavor == 0' failed.
>>> make: *** [validate] Aborted
>>>
>>> Is this assertion failure known? I did not take time to investigate
>>> further but travis-ci may run an old version of the build toolchain (on
>>> Ubuntu) which breaks the latest refpolicy.
>>
>> I'd have to look at the code to better understand what the assertion means.
>>
>> Are you using HEAD version of refpolicy and HEAD refpolicy-contrib? I'm
>> not able to reproduce any build errors.
>>
>
> You aren't? did you run your "super-quicktest" script on the HEADS?

I ran my buildtest script. Are you using the RC toolchain or last release?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-09-09 18:51:28

by Dac Override

Subject: [refpolicy] [PATCH] Fix minor typo in init.if

On Tue, Sep 09, 2014 at 02:40:34PM -0400, Christopher J. PeBenito wrote:
> On 9/9/2014 9:28 AM, Dominick Grift wrote:
> > On Tue, Sep 09, 2014 at 08:45:53AM -0400, Christopher J. PeBenito wrote:
> >> On 9/8/2014 6:46 PM, Nicolas Iooss wrote:
> >>> 2014-09-08 20:27 GMT+02:00 Dominick Grift:
> >>>> It seems that we have one or more commits that break reference policy since the last release
> >>>>
> >>>> I am trying to track down the culprits, it started after last release but before or during June 25th
> >>>>
> >>>> It is going to take time to track this down because build-testing reference policy is so slow.
> >>>>
> >>>> Looking forward to the day we fully moved to cil/secilc
> >>>>
> >>>
> >>> Tonight I had the idea of using travis-ci.org to automate some kind of
> >>> testing. This free service can basically watch public Github
> >>> repositories and run tests after every commit. I ran tests in some
> >>> configurations [1] and every test case failed.
> >>>
> >>> The monolithic build fails with [2]:
> >>>
> >>> /usr/bin/checkpolicy -U deny policy.conf -o policy.26
> >>> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> >>> checkpolicy: expand.c:721: role_fix_callback: Assertion `regular_role
> >>> != ((void *)0) && regular_role->flavor == 0' failed.
> >>> make: *** [policy.26] Aborted
> >>>
> >>> The modular build verification ("make validate") fails with [3]:
> >>>
> >>> /usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
> >>> semodule_expand: expand.c:721: role_fix_callback: Assertion
> >>> `regular_role != ((void *)0) && regular_role->flavor == 0' failed.
> >>> make: *** [validate] Aborted
> >>>
> >>> Is this assertion failure known? I did not take time to investigate
> >>> further but travis-ci may run an old version of the build toolchain (on
> >>> Ubuntu) which breaks the latest refpolicy.
> >>
> >> I'd have to look at the code to better understand what the assertion means.
> >>
> >> Are you using HEAD version of refpolicy and HEAD refpolicy-contrib? I'm
> >> not able to reproduce any build errors.
> >>
> >
> > You aren't? did you run your "super-quicktest" script on the HEADS?
>
> I ran my buildtest script. Are you using the RC toolchain or last release?
>

I found the bug that broke the build. It was the presence of a non-existent boolean identifier.

However, this only breaks monolithic; modular just ignores it since it was called only once, and in an optional policy block.

Thus if you do not test monolithic then you will not notice the bug.

Anyhow, it is fixed and I pushed the fix to refpolicy-contrib.

2014-09-10 19:53:45

by Nicolas Iooss

Subject: [refpolicy] Some already-fixed bugs (was: Re: [PATCH] Fix minor typo in init.if)

2014-09-09 14:45 GMT+02:00 Christopher J. PeBenito:
> On 9/8/2014 6:46 PM, Nicolas Iooss wrote:
>> Tonight I had the idea of using travis-ci.org to automate some kind of
>> testing. This free service can basically watch public Github
>> repositories and run tests after every commit. I ran tests in some
>> configurations [1] and every test case failed.
>>
>> The monolithic build fails with [2]:
>>
>> /usr/bin/checkpolicy -U deny policy.conf -o policy.26
>> /usr/bin/checkpolicy: loading policy configuration from policy.conf
>> checkpolicy: expand.c:721: role_fix_callback: Assertion `regular_role
>> != ((void *)0) && regular_role->flavor == 0' failed.
>> make: *** [policy.26] Aborted
>>
>> [SNIP]
>
> I'd have to look at the code to better understand what the assertion means.
>
> Are you using HEAD version of refpolicy and HEAD refpolicy-contrib? I'm
> not able to reproduce any build errors.
>

I am not able to reproduce this assertion failure on a Debian Jessie
system using the 2.3 toolchain. travis-ci.org uses Ubuntu 12.04 LTS
Server Edition [1] and therefore the 2.1 toolchain [2][3]. As far as I
understand, this means that the "assertion failure bug" has already been
fixed. I was using HEAD version of both refpolicy and refpolicy-contrib
when the bug happened.


While speaking about a bug which has already been fixed, this command
fails with the 2.3 toolchain on Debian Jessie when building the
reference policy from HEAD (without the Debian patches):

$ semodule_link -o tmp/test.lnk base.pp storage.pp sysadm.pp \
application.pp authlogin.pp init.pp libraries.pp locallogin.pp \
logging.pp lvm.pp miscfiles.pp modutils.pp mount.pp selinuxutil.pp \
sysnetwork.pp userdomain.pp && semodule_expand tmp/test.lnk \
tmp/policy.bin

semodule_link: loading package from file base.pp
semodule_link: loading package from file storage.pp
semodule_link: loading package from file sysadm.pp
semodule_link: loading package from file application.pp
semodule_link: loading package from file authlogin.pp
semodule_link: loading package from file init.pp
semodule_link: loading package from file libraries.pp
semodule_link: loading package from file locallogin.pp
semodule_link: loading package from file logging.pp
semodule_link: loading package from file lvm.pp
semodule_link: loading package from file miscfiles.pp
semodule_link: loading package from file modutils.pp
semodule_link: loading package from file mount.pp
semodule_link: loading package from file selinuxutil.pp
semodule_link: loading package from file sysnetwork.pp
semodule_link: loading package from file userdomain.pp
libsepol.sepol_module_package_read: invalid module in module package
(at section 0)
semodule_expand: Error in reading package from tmp/test.lnk

The error message is quite tricky to understand...

What's interesting is that the command succeeds when:

* removing lvm.pp from the list,
* removing "virt_manage_images(lvm_t)" from system/lvm.te [4],
* adding virt.pp and its required dependencies (mta.pp qemu.pp clock.pp),
* removing the two tunable_policy blocks from virt_manage_images
interface [5].

In short it seems an impossible-to-understand error message happens to
be printed when linking a policy module which defines an optional_policy
block that requires a tunable which is not defined (or defined in a
not-included module).

This is an already-fixed bug as using programs from SELinux Userspace
Release 2014-08-26-rc2 (with policycoreutils 2.4-rc2) works fine here.

Cheers,

Nicolas


[1] http://docs.travis-ci.com/user/ci-environment/
[2] http://packages.ubuntu.com/en/precise/checkpolicy
[3] http://packages.ubuntu.com/en/precise/libsepol1
[4] https://github.com/TresysTechnology/refpolicy/blob/1743984bafd19d093d29923ce7717a15f2b2a965/policy/modules/system/lvm.te#L350
[5] https://github.com/TresysTechnology/refpolicy-contrib/blob/21f961a147a9a08583825bdbe7cce43cf8fdc43d/virt.if#L1107
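
Added example (not part of the thread and not refpolicy code): a pre-build check for the two failures discussed above, the non-existent boolean identifier that only the monolithic build rejected and the optional_policy block that requires an undefined tunable. It assumes booleans are declared with gen_tunable or gen_bool and tested with tunable_policy; the function name and the sample sources are constructed for illustration, and booleans tested in raw `if` statements are not covered.

```python
import re

# Assumed refpolicy source conventions: booleans are declared with
# gen_tunable(name, default) or gen_bool(name, default) and tested with
# tunable_policy(`expr', ...), where expr joins names with !, && and ||.
DECL_RE = re.compile(r"\bgen_(?:tunable|bool)\(\s*`?(\w+)'?\s*,")
COND_RE = re.compile(r"\btunable_policy\(\s*`([^']*)'")
NAME_RE = re.compile(r"[A-Za-z_]\w*")


def undeclared_booleans(sources):
    """Return sorted (file, line, name) for booleans tested but never declared.

    sources maps a file name to its text. Declarations are pooled over all
    files, matching a build in which every listed module is included.
    """
    declared, uses = set(), []
    for fname, text in sources.items():
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0]  # ignore commented-out macros
            declared.update(DECL_RE.findall(line))
            for expr in COND_RE.findall(line):
                uses.extend((fname, lineno, n) for n in NAME_RE.findall(expr))
    return sorted(u for u in uses if u[2] not in declared)


# Constructed sample sources (not taken from refpolicy).
SAMPLE = {
    "demo.te": """\
gen_tunable(demo_use_nfs, false)
optional_policy(`
    tunable_policy(`demo_use_nfs && !demo_use_samba',`
        # hypothetical rules
    ')
')
""",
    "other.te": """\
# tunable_policy(`commented_out',` ... ')
tunable_policy(`demo_use_nfs',`
')
""",
}

if __name__ == "__main__":
    for fname, lineno, name in undeclared_booleans(SAMPLE):
        print(f"{fname}:{lineno}: boolean '{name}' is tested but never declared")
```

Passing only the modules that a given build includes reproduces the "defined in a not-included module" case, because declarations from excluded files are then absent from the pool.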