From: qingtao.cao@windriver.com (Harry Ciao)
Date: Wed, 29 Feb 2012 16:12:01 +0800
Subject: [refpolicy] Build of 20120215 fails with unknown role system_r
In-Reply-To: <20120225100547.GA28560@siphos.be>
References: <20120225100547.GA28560@siphos.be>
Message-ID: <4F4DDDD1.7040506@windriver.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Sven,

On 02/25/2012 06:05 PM, Sven Vermeulen wrote:
> While trying to build the 20120215 reference policy, I hit the following
> problem while running "make base":
>
> Compiling strict base module
> /usr/bin/checkmodule:  loading policy configuration from base.conf
> policy/modules/admin/bootloader.te":9:ERROR 'unknown role system_r' at token
> ';' on line 40265:
> # this line was moved by the build process: attribute_role bootloader_roles;
> roleattribute system_r bootloader_roles;
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> make: *** [tmp/base.mod] Error 1

This problem could be reproduced simply by adding the bootloader module 
into base.pp.

The root cause is that the policy_module() used to require system_r will 
be expanded as EMPTY if the module is built into base.pp (with 
"self_contained_policy" flag set), rendering modules(such as 
bootloader.te) that are copied earlier than kernel.te into base.conf 
found system_r not ever defined or required when referencing it in their 
unconditional block.

The solution is to bump role declarations in the unconditional block of 
base.pp to the top of base.conf, as what has been done for attribute, 
type, alias or boolean declarations. The patch just got posted to the 
mailing list.

Last, it's worthwhile to mention that the bootloader module could be 
properly built as a standalone module without such error, owing to the 
fact that policy_module() could require system_r properly.

Thanks,
Harry



> All utilities have been updated with the latest userspace release. Is the
> system role defined somewhere that I forgot to include in my modules.conf? I
> have the following modules marked for base:
>
> application authlogin bootloader clock consoletype corecommands corenetwork
> cron devices dmesg domain files filesystem fstools getty hostname hotplug
> init iptables kernel libraries locallogin logging lvm miscfiles mcs mls
> modutils mount mta netutils nscd portage raid rsync selinux selinuxutil ssh
> staff storage su sysadm sysnetwork terminal ubac udev userdomain usermanage
> unprivuser
>
> Wkr,
> 	Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>