From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Wed, 10 Sep 2014 21:53:45 +0200
Subject: [refpolicy] Some already-fixed bugs (was: Re: [PATCH] Fix minor typo in init.if)
In-Reply-To: <540EF681.208@tresys.com>
References: <1410125394-26905-1-git-send-email-nicolas.iooss@m4x.org> <20140908182740.GA24131@x220.network2> <540E31DD.5070506@m4x.org> <540EF681.208@tresys.com>
Message-ID: <5410AC49.8010102@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

2014-09-09 14:45 GMT+02:00 Christopher J. PeBenito:
> On 9/8/2014 6:46 PM, Nicolas Iooss wrote:
>> Tonight I had the idea of using travis-ci.org to automate some kind of
>> testing. This free service can basically watch public Github
>> repositories and run tests after every commit. I ran tests in some
>> configurations [1] and every test case failed.
>>
>> The monolithic build fails with [2]:
>>
>> /usr/bin/checkpolicy -U deny policy.conf -o policy.26
>> /usr/bin/checkpolicy: loading policy configuration from policy.conf
>> checkpolicy: expand.c:721: role_fix_callback: Assertion `regular_role
>> != ((void *)0) && regular_role->flavor == 0' failed.
>> make: *** [policy.26] Aborted
>>
>> [SNIP]
>
> I'd have to look at the code to better understand what the assertion means.
>
> Are you using HEAD version of refpolicy and HEAD refpolicy-contrib? I'm
> not able to reproduce any build errors.
>

I am not able to reproduce this assertion failure on a Debian Jessie system using the 2.3 toolchain. travis-ci.org uses Ubuntu 12.04 LTS Server Edition [1] and therefore the 2.1 toolchain [2][3]. As far as I understand, this means that the "assertion failure bug" has already been fixed. I was using HEAD version of both refpolicy and refpolicy-contrib when the bug happened.

While speaking about a bug which has already been fixed, this command fails with the 2.3 toolchain on Debian Jessie when building the reference policy from HEAD (without the Debian patches):

$ semodule_link -o tmp/test.lnk base.pp storage.pp sysadm.pp \
    application.pp authlogin.pp init.pp libraries.pp locallogin.pp \
    logging.pp lvm.pp miscfiles.pp modutils.pp mount.pp selinuxutil.pp \
    sysnetwork.pp userdomain.pp && semodule_expand tmp/test.lnk \
    tmp/policy.bin
semodule_link: loading package from file base.pp
semodule_link: loading package from file storage.pp
semodule_link: loading package from file sysadm.pp
semodule_link: loading package from file application.pp
semodule_link: loading package from file authlogin.pp
semodule_link: loading package from file init.pp
semodule_link: loading package from file libraries.pp
semodule_link: loading package from file locallogin.pp
semodule_link: loading package from file logging.pp
semodule_link: loading package from file lvm.pp
semodule_link: loading package from file miscfiles.pp
semodule_link: loading package from file modutils.pp
semodule_link: loading package from file mount.pp
semodule_link: loading package from file selinuxutil.pp
semodule_link: loading package from file sysnetwork.pp
semodule_link: loading package from file userdomain.pp
libsepol.sepol_module_package_read: invalid module in module package (at section 0)
semodule_expand: Error in reading package from tmp/test.lnk

The error message is quite tricky to understand... What's interesting is that the command succeeds when:

* removing lvm.pp from the list,
* removing "virt_manage_images(lvm_t)" from system/lvm.te [4],
* adding virt.pp and its required dependencies (mta.pp qemu.pp clock.pp),
* removing the two tunable_policy blocks from virt_manage_images interface [5].

In short it seems an impossible-to-understand error message happens to be printed when linking a policy module which defines an optional_policy block that requires a tunable which is not defined (or defined in a not-included module).

This is an already-fixed bug as using programs from SELinux Userspace Release 2014-08-26-rc2 (with policycoreutils 2.4-rc2) works fine here.

Cheers,
Nicolas

[1] http://docs.travis-ci.com/user/ci-environment/
[2] http://packages.ubuntu.com/en/precise/checkpolicy
[3] http://packages.ubuntu.com/en/precise/libsepol1
[4] https://github.com/TresysTechnology/refpolicy/blob/1743984bafd19d093d29923ce7717a15f2b2a965/policy/modules/system/lvm.te#L350
[5] https://github.com/TresysTechnology/refpolicy-contrib/blob/21f961a147a9a08583825bdbe7cce43cf8fdc43d/virt.if#L1107
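
The condition summarised in this message (a module set in which one module reaches a tunable_policy block whose tunable no included module declares) can be screened for at source level before running semodule_link. The Python check below is an added example, not code from the message or from refpolicy. The demo_* names and the SOURCES layout are constructed, it assumes every interface file is visible when a module is compiled, and it is a text heuristic rather than what libsepol does.

```python
import re

IFACE_RE = re.compile(r"(?:interface|template)\(`(\w+)',`")
DECL_RE = re.compile(r"gen_tunable\(\s*`?(\w+)'?\s*,")
USE_RE = re.compile(r"tunable_policy\(`([^']*)'")

# Constructed, simplified sources; every demo_* name is hypothetical.
SOURCES = {
    "lvm": {"te": "optional_policy(`\n\tdemo_manage_images(lvm_t)\n')\n", "if": ""},
    "virt": {
        "te": "gen_tunable(demo_use_nfs, false)\ngen_tunable(demo_use_samba, false)\n",
        "if": "interface(`demo_manage_images',`\n"
              "\ttunable_policy(`demo_use_nfs',`\n\t\tallow $1 demo_nfs_t:file read;\n\t')\n"
              "\ttunable_policy(`demo_use_samba',`\n\t\tallow $1 demo_cifs_t:file read;\n\t')\n"
              "')\n",
    },
}

def interface_bodies(if_text):
    """Map interface name -> body by balancing m4 quotes (` opens, ' closes)."""
    bodies = {}
    for m in IFACE_RE.finditer(if_text):
        depth, i = 1, m.end()
        while i < len(if_text) and depth:
            depth += {"`": 1, "'": -1}.get(if_text[i], 0)
            i += 1
        bodies[m.group(1)] = if_text[m.end():i - 1]
    return bodies

def tunables_used(text, ifaces, seen):
    """Tunables named in tunable_policy conditions, following interface calls."""
    used = {t for cond in USE_RE.findall(text) for t in re.findall(r"[A-Za-z_]\w*", cond)}
    for name in re.findall(r"\b(\w+)\(", text):
        if name in ifaces and name not in seen:
            seen.add(name)
            used |= tunables_used(ifaces[name], ifaces, seen)
    return used

def missing_tunables(sources, selected):
    """Return {module: tunables it references that no selected module declares}."""
    ifaces = {}
    for src in sources.values():  # assumption: every .if is visible at compile time
        ifaces.update(interface_bodies(src["if"]))
    declared = {t for m in selected for t in DECL_RE.findall(sources[m]["te"])}
    needs = {m: sorted(tunables_used(sources[m]["te"], ifaces, set()) - declared) for m in selected}
    return {m: t for m, t in needs.items() if t}

if __name__ == "__main__":
    print(missing_tunables(SOURCES, ["lvm"]))
```

A non-empty result names the modules to drop from the link list or the declaring modules to add to it, which mirrors the workarounds listed in the message.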