* Trouble building Policy-1.16
@ 2004-08-24 19:25 Justin Friel
0 siblings, 0 replies; 11+ messages in thread
From: Justin Friel @ 2004-08-24 19:25 UTC (permalink / raw)
To: SELinux
Hi All,
I am having a hard time getting policy-1.16 to compile
on a "Linux from scratch" system. When I try to
compile the strict policy, I get the following output:
...
/usr/bin/checkpolicy -o policy.18 policy.conf
/usr/bin/checkpolicy: loading policy configuration
from policy.conf
types/file.te:92:ERROR 'syntax error' at token ':f' on
line 3066:
allow auth shadow_t:file { getattr read };
type shadow_t, file_type;
/usr/bin/checkpolicy: error(s) encountered while
parsing configuration
make: *** [policy.18] Error 1
Is this a problem with checkpolicy, m4 or the policy
package itself? All of the other packages (the
patched kernel, libselinux-1.16, libsepol-1.0,
checkpolicy-1.16 and policycoreutils-1.16) compiled
without error, although checkpolicy gave a few
warnings during compilation.
I'm entirely new to SELinux, so I'm not really sure
where to start. Any help is appreciated.
Thanks
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: Trouble building Policy-1.16
[not found] <1093439988.6743.77.camel@moss-spartans.epoch.ncsc.mil>
@ 2004-08-25 22:23 ` Justin Friel
2004-08-26 12:56 ` Stephen Smalley
2004-08-26 22:53 ` Luke Kenneth Casson Leighton
0 siblings, 2 replies; 11+ messages in thread
From: Justin Friel @ 2004-08-25 22:23 UTC (permalink / raw)
To: SELinux
[-- Attachment #1: Type: text/plain, Size: 2759 bytes --]
--- Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> On Tue, 2004-08-24 at 15:25, Justin Friel wrote:
> > I am having a hard time getting policy-1.16 to
> compile
> > on a "Linux from scratch" system. When I try to
> > compile the strict policy, I get the following
> output:
> >
> > ...
> > /usr/bin/checkpolicy -o policy.18 policy.conf
> > /usr/bin/checkpolicy: loading policy
> configuration
> > from policy.conf
> > types/file.te:92:ERROR 'syntax error' at token
> ':f' on
> > line 3066:
> > allow auth shadow_t:file { getattr read };
> > type shadow_t, file_type;
> > /usr/bin/checkpolicy: error(s) encountered while
> > parsing configuration
> > make: *** [policy.18] Error 1
>
> That looks very odd. Can you send your entire
> policy.conf file to me?
Sorry if this is a repost, I sent this in earlier this
morning and haven't seen it hit the list yet.
I bzipped and attached the policy.conf. As for the
warnings while building checkpolicy, they seem harmless
to me, but here they are.
yacc -d policy_parse.y
cc -g -Wall -O2 -pipe -I. -o y.tab.o -c y.tab.c
y.tab.c: In function `yyparse':
y.tab.c:1693: warning: implicit declaration of
function `yylex'
policy_parse.y:724: warning: implicit declaration of
function `strtoul'
policy_parse.y: In function `insert_id':
policy_parse.y:766: warning: implicit declaration of
function `free'
lex policy_scan.l
cc -g -Wall -O2 -pipe -I. -o lex.yy.o -c lex.yy.c
lex.yy.c: In function `yylex':
lex.yy.c:1457: warning: label `find_rule' defined but
not used
policy_scan.l: At top level:
lex.yy.c:2308: warning: `yyunput' defined but not used
lex.yy.c:2918: warning: `yy_flex_strlen' defined but
not used
cc -g -Wall -O2 -pipe -I. -o queue.o -c queue.c
cc -g -Wall -O2 -pipe -I. -o checkpolicy.o -c
checkpolicy.c
cc -o checkpolicy y.tab.o lex.yy.o queue.o
checkpolicy.o -lfl /usr/lib/libsepol.a
yacc -d -o users.tab.c users.y
cc -g -Wall -O2 -pipe -I. -o users.tab.o -c
users.tab.c
users.tab.c: In function `yyparse':
users.tab.c:961: warning: implicit declaration of
function `yylex'
users.y: In function `insert_id':
users.y:139: warning: implicit declaration of function
`free'
lex -olex.users.c users.l
cc -g -Wall -O2 -pipe -I. -o lex.users.o -c
lex.users.c
lex.users.c: In function `yylex':
lex.users.c:782: warning: label `find_rule' defined
but not used
users.l: At top level:
lex.users.c:1178: warning: `yyunput' defined but not
used
lex.users.c:1788: warning: `yy_flex_strlen' defined
but not used
cc -g -Wall -O2 -pipe -I. -o genpolusers.o -c
genpolusers.c
cc -o genpolusers users.tab.o lex.users.o queue.o
genpolusers.o -lfl /usr/lib/libsepol.a
[-- Attachment #2: policy.conf.bz2 --]
[-- Type: application/x-tar, Size: 257903 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: Trouble building Policy-1.16
2004-08-25 22:23 ` Justin Friel
@ 2004-08-26 12:56 ` Stephen Smalley
2004-08-26 14:07 ` James Morris
2004-08-26 16:12 ` Justin Friel
2004-08-26 22:53 ` Luke Kenneth Casson Leighton
1 sibling, 2 replies; 11+ messages in thread
From: Stephen Smalley @ 2004-08-26 12:56 UTC (permalink / raw)
To: Justin Friel; +Cc: SELinux, James Morris
On Wed, 2004-08-25 at 18:23, Justin Friel wrote:
> --- Stephen Smalley <sds@epoch.ncsc.mil> wrote:
>
> > On Tue, 2004-08-24 at 15:25, Justin Friel wrote:
> > > I am having a hard time getting policy-1.16 to
> > compile
> > > on a "Linux from scratch" system. When I try to
> > > compile the strict policy, I get the following
> > output:
> > >
> > > ...
> > > /usr/bin/checkpolicy -o policy.18 policy.conf
> > > /usr/bin/checkpolicy: loading policy
> > configuration
> > > from policy.conf
> > > types/file.te:92:ERROR 'syntax error' at token
> > ':f' on
> > > line 3066:
> > > allow auth shadow_t:file { getattr read };
> > > type shadow_t, file_type;
> > > /usr/bin/checkpolicy: error(s) encountered while
> > > parsing configuration
> > > make: *** [policy.18] Error 1
> >
> > That looks very odd. Can you send your entire
> > policy.conf file to me?
>
> Sorry if this is a repost, I sent this in earlier this
> morning and haven't seen it hit the list yet.
>
> I bzipped and attached the policy.conf. As for the
> warnings while building checkpolicy, they seem harmless
> to me, but here they are.
In general, don't repost - send a note to selinux-team@tycho.nsa.gov or
owner-selinux@tycho.nsa.gov if you think you have posted and it hasn't
shown up after a while (but be patient, please).
Interesting. Your attached policy.conf compiles fine with a checkpolicy
built on Fedora, but this looks like a scanner bug. What version of lex
are you using (we are using flex-2.5.4a-33 on Fedora)? Your scanner is
handling the ":f" as a single token rather than splitting it up as ":"
and "file". Looking at policy_scan.l, I noticed that the IPV6_ADDR
entry seems dangerously close to treating this as a token, but not quite
(it would match :f:).
Rather than treating an entire ipv6 address as a single token, we could
just scan the hexval components and separating colons as individual
tokens and define ipv6 address in the grammar, as we do with
ipv4_addr_def. That would seem safer.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: Trouble building Policy-1.16
2004-08-26 12:56 ` Stephen Smalley
@ 2004-08-26 14:07 ` James Morris
2004-08-26 16:12 ` Justin Friel
1 sibling, 0 replies; 11+ messages in thread
From: James Morris @ 2004-08-26 14:07 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Justin Friel, SELinux
On Thu, 26 Aug 2004, Stephen Smalley wrote:
> Rather than treating an entire ipv6 address as a single token, we could
> just scan the hexval components and separating colons as individual
> tokens and define ipv6 address in the grammar, as we do with
> ipv4_addr_def. That would seem safer.
Well, you need to interpret embedded ipv4 addresses at the end, implied
runs of zeroes etc. Parsing as one token and feeding into inet_pton() is
much simpler, and uses an existing, well tested library function for
validation.
- James
--
James Morris
<jmorris@redhat.com>
^ permalink raw reply [flat|nested] 11+ messages in thread
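The validation approach James Morris describes above, as an added example that is not part of the thread or of the checkpolicy source: a candidate token is handed to `inet_pton()` so that embedded IPv4 tails and `::` zero runs are handled by the library. The `looks_like_ipv6()` pre-filter and the sample tokens are assumptions made for illustration; the filter is not the pattern from policy_scan.l.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result of examining one candidate token. */
enum tok_class {
    TOK_NOT_CANDIDATE = 0, /* lexical shape cannot be an IPv6 address  */
    TOK_REJECTED      = 1, /* shaped like one, but inet_pton() says no */
    TOK_IPV6          = 2  /* accepted by inet_pton(AF_INET6, ...)     */
};

/*
 * Hypothetical loose lexical test, standing in for a scanner pattern:
 * only hex digits, ':' and '.', with at least two colons. This is an
 * assumption for illustration, not the rule from policy_scan.l.
 */
static int looks_like_ipv6(const char *s)
{
    int colons = 0;

    if (*s == '\0')
        return 0;
    for (; *s != '\0'; s++) {
        if (*s == ':')
            colons++;
        else if (!isxdigit((unsigned char)*s) && *s != '.')
            return 0;
    }
    return colons >= 2;
}

/* Classify a token; on success the 16 address bytes are stored in *out. */
enum tok_class classify_token(const char *tok, struct in6_addr *out)
{
    struct in6_addr tmp;

    if (!looks_like_ipv6(tok))
        return TOK_NOT_CANDIDATE;
    if (inet_pton(AF_INET6, tok, &tmp) != 1)
        return TOK_REJECTED;
    if (out != NULL)
        *out = tmp;
    return TOK_IPV6;
}

int main(void)
{
    /* Constructed sample tokens, not taken from any real policy.conf. */
    static const char *samples[] = {
        ":f", ":f:", "::f", "fe80::1", "::ffff:192.0.2.1",
        "1::2::3", "1:2:3:4:5:6:7:8:9", "shadow_t:file"
    };
    static const char *names[] = { "not a candidate", "rejected", "ipv6" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-20s %s\n", samples[i],
               names[classify_token(samples[i], NULL)]);
    return 0;
}
```

A loosely shaped token such as `:f:` passes the lexical filter but is turned away by `inet_pton()`, which is why a permissive scanner pattern is only safe when the library check follows it.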
* Re: Trouble building Policy-1.16
2004-08-26 12:56 ` Stephen Smalley
2004-08-26 14:07 ` James Morris
@ 2004-08-26 16:12 ` Justin Friel
2004-08-26 16:21 ` Stephen Smalley
1 sibling, 1 reply; 11+ messages in thread
From: Justin Friel @ 2004-08-26 16:12 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux
--- Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> On Wed, 2004-08-25 at 18:23, Justin Friel wrote:
> > --- Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> >
> > > On Tue, 2004-08-24 at 15:25, Justin Friel wrote:
> > > > I am having a hard time getting policy-1.16 to
> > > compile
> > > > on a "Linux from scratch" system. When I try
> to
> > > > compile the strict policy, I get the following
> > > output:
> > > >
> > > > ...
> > > > /usr/bin/checkpolicy -o policy.18 policy.conf
> > > > /usr/bin/checkpolicy: loading policy
> > > configuration
> > > > from policy.conf
> > > > types/file.te:92:ERROR 'syntax error' at token
> > > ':f' on
> > > > line 3066:
> > > > allow auth shadow_t:file { getattr read };
> > > > type shadow_t, file_type;
> > > > /usr/bin/checkpolicy: error(s) encountered
> while
> > > > parsing configuration
> > > > make: *** [policy.18] Error 1
> > >
> Interesting. Your attached policy.conf compiles
> fine with a checkpolicy built on Fedora, but this
> looks like a scanner bug.
> What version of lex
> are you using (we are using flex-2.5.4a-33 on
> Fedora)? Your scanner is
> handling the ":f" as a single token rather than
> splitting it up as ":"
> and "file".
I'm using flex 2.5.31 with the patch from Debian. One
thing I noticed, though was that Fedora creates lex
with a symlink to the flex binary, while the LFS book
suggests you create a wrapper script that calls flex
with the -l option to run in lex compatibility mode.
I recompiled checkpolicy with lex as a symlink instead
of the wrapper script and now "make policy" compiles
fine. The question now is, should I permanently ditch
the lex wrapper, or is the checkpolicy source in
error.
When I run "make install", however, policy complains
that I don't have python installed (which I don't). If
I run "make install" a second time I don't get the
Python error, but I doubt the policy is installed
properly.
I didn't see Python as a requirement in the spec files.
Do I need to install it? What package requires
Python? This is going to be a gateway/router, so I'm
trying to eliminate as many unneeded packages as
possible and would like to avoid installing Python if
at all possible.
Thanks,
Justin
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: Trouble building Policy-1.16
2004-08-26 16:12 ` Justin Friel
@ 2004-08-26 16:21 ` Stephen Smalley
0 siblings, 0 replies; 11+ messages in thread
From: Stephen Smalley @ 2004-08-26 16:21 UTC (permalink / raw)
To: Justin Friel; +Cc: SELinux
On Thu, 2004-08-26 at 12:12, Justin Friel wrote:
> I'm using flex 2.5.31 with the patch from Debian. One
> thing I noticed, though was that Fedora creates lex
> with a symlink to the flex binary, while the LFS book
> suggests you create a wrapper script that calls flex
> with the -l option to run in lex compatibility mode.
> I recompiled checkpolicy with lex as a symlink instead
> of the wrapper script and now "make policy" compiles
> fine. The question now is, should I permanently ditch
> the lex wrapper, or is the checkpolicy source in
> error.
Hmm...I tried rebuilding checkpolicy on Fedora using lex -l rather than
just lex; this did reproduce your warnings, but the resulting
checkpolicy still compiled your policy.conf just fine. From my reading
of policy_scan.l, :f should not be getting treated as a token, as the
pattern requires at least :f: to match. So this appears to be a bug in
the scanner produced by your flex, not a bug in checkpolicy itself.
> When I run "make install", however, policy complains
> that I don't have python installed (which I don't). If
> I run "make install" a second time I don't get the
> Python error, but I doubt the policy is installed
> properly.
The policy build is using a python script from policycoreutils
(genhomedircon) to generate the user home directory entries in the
file_contexts configuration. You can certainly manually hack your
file_contexts configuration instead, or build your policy on a different
machine that does have python available.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: Trouble building Policy-1.16
2004-08-25 22:23 ` Justin Friel
2004-08-26 12:56 ` Stephen Smalley
@ 2004-08-26 22:53 ` Luke Kenneth Casson Leighton
2004-08-26 23:57 ` Justin Friel
1 sibling, 1 reply; 11+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-26 22:53 UTC (permalink / raw)
To: Justin Friel; +Cc: SELinux
On Wed, Aug 25, 2004 at 03:23:22PM -0700, Justin Friel wrote:
> Sorry if this is a repost, I sent this in earlier this
> morning and haven't seen it hit the list yet.
GOOD, that means i won't have my time wasted twice.
> I bzipped and attached the policy.conf. As for the
a 341k file which took several minutes for me - who has no choice _but_ -
to download.
please don't do that again: this is not an AOL bulletin board service.
please in future if you wish people to see a large file, please place
the file on a suitable web site and then send a text message (which
will be only 8k or so) containing the location of the file.
then, people who CHOOSE to download your large file, at a convenient
time TO THEM, may do so.
if you do not _have_ access to a web site, please contact someone who
has the bandwidth at the time to receive a large file and who is
willing to place the file on a publicly accessible web site on your
behalf.
sorry, this is the C21st and it's a public mailing list,
and i don't expect to have to explain mailing list etiquette to
people.
l.
p.s. i trust that you will not be offended by this message: you did
something you should not have (that you should not have been allowed
to do anyway), don't do it again, end of story, now let's get on with
helping you out.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: Trouble building Policy-1.16
2004-08-26 22:53 ` Luke Kenneth Casson Leighton
@ 2004-08-26 23:57 ` Justin Friel
2004-08-27 14:26 ` Luke Kenneth Casson Leighton
0 siblings, 1 reply; 11+ messages in thread
From: Justin Friel @ 2004-08-26 23:57 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: selinux
--- Luke Kenneth Casson Leighton <lkcl@lkcl.net>
wrote:
> On Wed, Aug 25, 2004 at 03:23:22PM -0700, Justin
> Friel wrote:
>
> > Sorry if this is a repost, I sent this in earlier
> this
> > morning and haven't seen it hit the list yet.
>
> GOOD, that means i won't have my time wasted twice.
If you read the timestamp on the email, I sent the
second one in at 3:23PM. The first post, which
_still_ hasn't hit the board, was mailed at 9:14AM. I
think it's safe to say it's not going to get posted.
Also, you didn't even have to waste your time once.
Don't bother reading emails you think are going to be
a waste of time.
> a 341k file which took several minutes for me - who
> has no choice _but_ -
> to download.
First, I was asked to send the file to the list.
Second, I made every effort to make the post as small
as possible by bzipping the file. I hardly think 341k
is something worth crying about.
> please in future if you wish people to see a large
> file, please place
> the file on a suitable web site and then send a
> text message (which
> will be only 8k or so) containing the location of
> the file.
>
> then, people who CHOOSE to download your large
> file, at a convenient
> time TO THEM, may do so.
>
> if you do not _have_ access to a web site, please
> contact someone who
> has the bandwidth at the time to receive a large
> file and who is
> willing to place the file on a publicly accessible
> web site on your
> behalf.
All this for a file that is < 1M?
> sorry, this is the C21st and it's a public mailing
> list,
Agreed, it is the 21st Century and bandwidth is pretty
cheap these days.
> l.
>
> p.s. i trust that you will not be offended by this
> message: you did
> something you should not have (that you should not
> have been allowed
> to do anyway), don't do it again, end of story, now
> let's get on with
> helping you out.
Funny, but I don't remember you doing _anything_ to
help. The problem has been solved. In all the time I
have used lists and the Usenet I've generally noticed
that it's the people who spend their time complaining
about other people's posts (and wasting everyone's
precious bandwidth) that do the least to help. Sorry
if you feel that I stepped on your toes, but I think
you're being a little overly sensitive.
By the way Stuart, thanks, you're a real stand-up guy.
Justin
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: Trouble building Policy-1.16
2004-08-26 23:57 ` Justin Friel
@ 2004-08-27 14:26 ` Luke Kenneth Casson Leighton
2004-08-27 17:18 ` Dale Amon
0 siblings, 1 reply; 11+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-27 14:26 UTC (permalink / raw)
To: Justin Friel; +Cc: selinux
On Thu, Aug 26, 2004 at 04:57:37PM -0700, Justin Friel wrote:
>
> --- Luke Kenneth Casson Leighton <lkcl@lkcl.net>
> wrote:
>
> > On Wed, Aug 25, 2004 at 03:23:22PM -0700, Justin
> > Friel wrote:
> >
> > > Sorry if this is a repost, I sent this in earlier
> > this
> > > morning and haven't seen it hit the list yet.
> >
> > GOOD, that means i won't have my time wasted twice.
>
> If you read the timestamp on the email, I sent the
> second one in at 3:23PM. The first post, which
> _still_ hasn't hit the board, was mailed at 9:14AM. I
> think it's safe to say it's not going to get posted.
> Also, you didn't even have to waste your time once.
> Don't bother reading emails you think are going to be
> a waste of time.
it's not a matter of reading, it's a matter of having no
choice.
>
> > a 341k file which took several minutes for me - who
> > has no choice _but_ -
> > to download.
>
> First, I was asked to send the file to the list.
well you should not have been asked: you should have been asked
to place it on an available web site.
if people intend to send large files to this list,
i will simply unsubscribe.
> Second, I made every effort to make the post as small
> as possible by bzipping the file. I hardly think 341k
> is something worth crying about.
yes it bloody well is i'm paying MONEY i CAN'T AFFORD to
download crap i don't want and don't have any choice about,
and it is EXTREMELY RUDE of you to assume that i have the
money to afford to be able to download your crap.
if you don't think 5 mins of my money wasted "isn't worth crying"
about", to whom and where do i send the bill?
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: Trouble building Policy-1.16
2004-08-27 14:26 ` Luke Kenneth Casson Leighton
@ 2004-08-27 17:18 ` Dale Amon
2004-08-27 22:01 ` Luke Kenneth Casson Leighton
0 siblings, 1 reply; 11+ messages in thread
From: Dale Amon @ 2004-08-27 17:18 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton, selinux
On Fri, Aug 27, 2004 at 03:26:22PM +0100, Luke Kenneth Casson Leighton wrote:
> yes it bloody well is i'm paying MONEY i CAN'T AFFORD to
> download crap i don't want and don't have any choice about,
> and it is EXTREMELY RUDE of you to assume that i have the
> money to afford to be able to download your crap.
> if you don't think 5 mins of my money wasted "isn't worth crying"
> about", to whom and where do i send the bill?
Please take this off line. It is not of interest to
anyone else on the list.
--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security
and networking, systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: Trouble building Policy-1.16
2004-08-27 17:18 ` Dale Amon
@ 2004-08-27 22:01 ` Luke Kenneth Casson Leighton
0 siblings, 0 replies; 11+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-27 22:01 UTC (permalink / raw)
To: Dale Amon; +Cc: selinux
On Fri, Aug 27, 2004 at 06:18:36PM +0100, Dale Amon wrote:
> Please take this off line. It is not of interest to
> anyone else on the list.
finished already.
^ permalink raw reply [flat|nested] 11+ messages in thread