There is a bug in checkmodule that is driving me nuts

There is a bug in checkmodule that is driving me nuts

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 575 bytes --]

The compiler is mistakenly seeing a

gen_requires {
       type  xguest_gnome_home_t;
}

As a redefinition of the type

 /usr/bin/checkmodule -M -m guest.tmp -o guest.mod/usr/bin/checkmodule:  
loading policy configuration from guest.tmp
policy/modules/users/guest.te:4:ERROR 'duplicate declaration of 
type/attribute' at token ';' on line 55020:
        type xguest_gnome_home_t;
#line 4
/usr/bin/checkmodule:  error(s) encountered while parsing configuration

The problem is the gen_requires happens before the declaration.

The type is being declared in  a template file.

[-- Attachment #2: guest.tmp.bz2 --]
[-- Type: application/x-bzip, Size: 38105 bytes --]

Re: There is a bug in checkmodule that is driving me nuts

[Karl MacMillan]

On Fri, 2007-07-20 at 16:22 -0400, Daniel J Walsh wrote:
> The compiler is mistakenly seeing a
> 
> gen_requires {
>        type  xguest_gnome_home_t;
> }
> 
> As a redefinition of the type
> 
>  /usr/bin/checkmodule -M -m guest.tmp -o guest.mod/usr/bin/checkmodule:  
> loading policy configuration from guest.tmp
> policy/modules/users/guest.te:4:ERROR 'duplicate declaration of 
> type/attribute' at token ';' on line 55020:
>         type xguest_gnome_home_t;
> #line 4
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> 
> The problem is the gen_requires happens before the declaration.
> 
> The type is being declared in  a template file.

For better or discarding of requires upon hitting a declaration isn't
like to be fixed (when the require is first).

I have an alternative suggestion - remove all of the requires from the
policy and use an sepolgen-based pre-processor to add them back in until
the policyrep work is done. That will ease the migration and can be done
far more easily than fixing the current compiler.

Karl


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: There is a bug in checkmodule that is driving me nuts

[Shintaro Fujiwara]

Hello,

Can I ask what policyrep is ?
Is that policy-generating project on going or wat ?

Thanks.

2007/7/21, Karl MacMillan <kmacmill@redhat.com>:
>
> On Fri, 2007-07-20 at 16:22 -0400, Daniel J Walsh wrote:
> > The compiler is mistakenly seeing a
> >
> > gen_requires {
> >        type  xguest_gnome_home_t;
> > }
> >
> > As a redefinition of the type
> >
> >  /usr/bin/checkmodule -M -m guest.tmp -o guest.mod/usr/bin/checkmodule:
> > loading policy configuration from guest.tmp
> > policy/modules/users/guest.te:4:ERROR 'duplicate declaration of
> > type/attribute' at token ';' on line 55020:
> >         type xguest_gnome_home_t;
> > #line 4
> > /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> >
> > The problem is the gen_requires happens before the declaration.
> >
> > The type is being declared in  a template file.
>
> For better or discarding of requires upon hitting a declaration isn't
> like to be fixed (when the require is first).
>
> I have an alternative suggestion - remove all of the requires from the
> policy and use an sepolgen-based pre-processor to add them back in until
> the policyrep work is done. That will ease the migration and can be done
> far more easily than fixing the current compiler.
>
> Karl
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: There is a bug in checkmodule that is driving me nuts

[Karl MacMillan]

Shintaro Fujiwara wrote:
> Hello,
>
> Can I ask what policyrep is ?
> Is that policy-generating project on going or wat ?
>

Separate branch to rework the selinux policy compiler. It includes a 
library for representing policies (hence the name policyrep) that is 
useful for policy compilation, analysis, and generation. You can view 
the code at:

http://selinux.svn.sourceforge.net/viewvc/selinux/branches/policyrep/

Karl

> Thanks.
>
> 2007/7/21, Karl MacMillan <kmacmill@redhat.com>:
>>
>> On Fri, 2007-07-20 at 16:22 -0400, Daniel J Walsh wrote:
>> > The compiler is mistakenly seeing a
>> >
>> > gen_requires {
>> >        type  xguest_gnome_home_t;
>> > }
>> >
>> > As a redefinition of the type
>> >
>> >  /usr/bin/checkmodule -M -m guest.tmp -o 
>> guest.mod/usr/bin/checkmodule:
>> > loading policy configuration from guest.tmp
>> > policy/modules/users/guest.te:4:ERROR 'duplicate declaration of
>> > type/attribute' at token ';' on line 55020:
>> >         type xguest_gnome_home_t;
>> > #line 4
>> > /usr/bin/checkmodule:  error(s) encountered while parsing 
>> configuration
>> >
>> > The problem is the gen_requires happens before the declaration.
>> >
>> > The type is being declared in  a template file.
>>
>> For better or discarding of requires upon hitting a declaration isn't
>> like to be fixed (when the require is first).
>>
>> I have an alternative suggestion - remove all of the requires from the
>> policy and use an sepolgen-based pre-processor to add them back in until
>> the policyrep work is done. That will ease the migration and can be done
>> far more easily than fixing the current compiler.
>>
>> Karl
>>
>>
>> -- 
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to 
>> majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>>
>
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: There is a bug in checkmodule that is driving me nuts

[Stephen Smalley]

On Fri, 2007-07-20 at 18:28 -0400, Karl MacMillan wrote:
> On Fri, 2007-07-20 at 16:22 -0400, Daniel J Walsh wrote:
> > The compiler is mistakenly seeing a
> > 
> > gen_requires {
> >        type  xguest_gnome_home_t;
> > }
> > 
> > As a redefinition of the type
> > 
> >  /usr/bin/checkmodule -M -m guest.tmp -o guest.mod/usr/bin/checkmodule:  
> > loading policy configuration from guest.tmp
> > policy/modules/users/guest.te:4:ERROR 'duplicate declaration of 
> > type/attribute' at token ';' on line 55020:
> >         type xguest_gnome_home_t;
> > #line 4
> > /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> > 
> > The problem is the gen_requires happens before the declaration.
> > 
> > The type is being declared in  a template file.
> 
> For better or discarding of requires upon hitting a declaration isn't
> like to be fixed (when the require is first).

How hard is it to escalate a requires to a decl?
Already happens for users and roles, right?

> 
> I have an alternative suggestion - remove all of the requires from the
> policy and use an sepolgen-based pre-processor to add them back in until
> the policyrep work is done. That will ease the migration and can be done
> far more easily than fixing the current compiler.
> 
> Karl
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: There is a bug in checkmodule that is driving me nuts

[Daniel J Walsh]

Stephen Smalley wrote:
> On Fri, 2007-07-20 at 18:28 -0400, Karl MacMillan wrote:
>   
>> On Fri, 2007-07-20 at 16:22 -0400, Daniel J Walsh wrote:
>>     
>>> The compiler is mistakenly seeing a
>>>
>>> gen_requires {
>>>        type  xguest_gnome_home_t;
>>> }
>>>
>>> As a redefinition of the type
>>>
>>>  /usr/bin/checkmodule -M -m guest.tmp -o guest.mod/usr/bin/checkmodule:  
>>> loading policy configuration from guest.tmp
>>> policy/modules/users/guest.te:4:ERROR 'duplicate declaration of 
>>> type/attribute' at token ';' on line 55020:
>>>         type xguest_gnome_home_t;
>>> #line 4
>>> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
>>>
>>> The problem is the gen_requires happens before the declaration.
>>>
>>> The type is being declared in  a template file.
>>>       
>> For better or discarding of requires upon hitting a declaration isn't
>> like to be fixed (when the require is first).
>>     
>
> How hard is it to escalate a requires to a decl?
> Already happens for users and roles, right?
>
>   
>> I have an alternative suggestion - remove all of the requires from the
>> policy and use an sepolgen-based pre-processor to add them back in until
>> the policyrep work is done. That will ease the migration and can be done
>> far more easily than fixing the current compiler.
>>
>> Karl
>>
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>>     
If we resorted Templates before Interfaces, would this problem go away?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: There is a bug in checkmodule that is driving me nuts

[Karl MacMillan]

Daniel J Walsh wrote:
> Stephen Smalley wrote:
>> On Fri, 2007-07-20 at 18:28 -0400, Karl MacMillan wrote:
>>  
>>> On Fri, 2007-07-20 at 16:22 -0400, Daniel J Walsh wrote:
>>>    
>>>> The compiler is mistakenly seeing a
>>>>
>>>> gen_requires {
>>>>        type  xguest_gnome_home_t;
>>>> }
>>>>
>>>> As a redefinition of the type
>>>>
>>>>  /usr/bin/checkmodule -M -m guest.tmp -o 
>>>> guest.mod/usr/bin/checkmodule:  loading policy configuration from 
>>>> guest.tmp
>>>> policy/modules/users/guest.te:4:ERROR 'duplicate declaration of 
>>>> type/attribute' at token ';' on line 55020:
>>>>         type xguest_gnome_home_t;
>>>> #line 4
>>>> /usr/bin/checkmodule:  error(s) encountered while parsing 
>>>> configuration
>>>>
>>>> The problem is the gen_requires happens before the declaration.
>>>>
>>>> The type is being declared in  a template file.
>>>>       
>>> For better or discarding of requires upon hitting a declaration isn't
>>> like to be fixed (when the require is first).
>>>     
>>
>> How hard is it to escalate a requires to a decl?
>> Already happens for users and roles, right?
>>
>>  
>>> I have an alternative suggestion - remove all of the requires from the
>>> policy and use an sepolgen-based pre-processor to add them back in 
>>> until
>>> the policyrep work is done. That will ease the migration and can be 
>>> done
>>> far more easily than fixing the current compiler.
>>>
>>> Karl
>>>
>>>
>>> -- 
>>> This message was distributed to subscribers of the selinux mailing 
>>> list.
>>> If you no longer wish to subscribe, send mail to 
>>> majordomo@tycho.nsa.gov with
>>> the words "unsubscribe selinux" without quotes as the message.
>>>     
> If we resorted Templates before Interfaces, would this problem go away?
>

Potentially - requires after declarations works fine (the requires is 
just ignored). The other way around is what is more trouble.

Karl


>
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: There is a bug in checkmodule that is driving me nuts

[Daniel J Walsh]

Karl MacMillan wrote:
> Daniel J Walsh wrote:
>> Stephen Smalley wrote:
>>> On Fri, 2007-07-20 at 18:28 -0400, Karl MacMillan wrote:
>>>  
>>>> On Fri, 2007-07-20 at 16:22 -0400, Daniel J Walsh wrote:
>>>>   
>>>>> The compiler is mistakenly seeing a
>>>>>
>>>>> gen_requires {
>>>>>        type  xguest_gnome_home_t;
>>>>> }
>>>>>
>>>>> As a redefinition of the type
>>>>>
>>>>>  /usr/bin/checkmodule -M -m guest.tmp -o 
>>>>> guest.mod/usr/bin/checkmodule:  loading policy configuration from 
>>>>> guest.tmp
>>>>> policy/modules/users/guest.te:4:ERROR 'duplicate declaration of 
>>>>> type/attribute' at token ';' on line 55020:
>>>>>         type xguest_gnome_home_t;
>>>>> #line 4
>>>>> /usr/bin/checkmodule:  error(s) encountered while parsing 
>>>>> configuration
>>>>>
>>>>> The problem is the gen_requires happens before the declaration.
>>>>>
>>>>> The type is being declared in  a template file.
>>>>>       
>>>> For better or discarding of requires upon hitting a declaration isn't
>>>> like to be fixed (when the require is first).
>>>>     
>>>
>>> How hard is it to escalate a requires to a decl?
>>> Already happens for users and roles, right?
>>>
>>>  
>>>> I have an alternative suggestion - remove all of the requires from the
>>>> policy and use an sepolgen-based pre-processor to add them back in 
>>>> until
>>>> the policyrep work is done. That will ease the migration and can be 
>>>> done
>>>> far more easily than fixing the current compiler.
>>>>
>>>> Karl
>>>>
>>>>
>>>> -- 
>>>> This message was distributed to subscribers of the selinux mailing 
>>>> list.
>>>> If you no longer wish to subscribe, send mail to 
>>>> majordomo@tycho.nsa.gov with
>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>     
>> If we resorted Templates before Interfaces, would this problem go away?
>>
>
> Potentially - requires after declarations works fine (the requires is 
> just ignored). The other way around is what is more trouble.
>
> Karl
Ok I was able to hack around this by removing the optional block around 
gnome_per_role_domain, and moving the definition before the xwindows stuff.

I will add comments that this is broken, and when the new compiler is 
available we can put it back the way it was.

>
>
>>
>> -- 
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to 
>> majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: There is a bug in checkmodule that is driving me nuts

[Daniel J Walsh]

Karl MacMillan wrote:
> Daniel J Walsh wrote:
>> Stephen Smalley wrote:
>>> On Fri, 2007-07-20 at 18:28 -0400, Karl MacMillan wrote:
>>>  
>>>> On Fri, 2007-07-20 at 16:22 -0400, Daniel J Walsh wrote:
>>>>   
>>>>> The compiler is mistakenly seeing a
>>>>>
>>>>> gen_requires {
>>>>>        type  xguest_gnome_home_t;
>>>>> }
>>>>>
>>>>> As a redefinition of the type
>>>>>
>>>>>  /usr/bin/checkmodule -M -m guest.tmp -o 
>>>>> guest.mod/usr/bin/checkmodule:  loading policy configuration from 
>>>>> guest.tmp
>>>>> policy/modules/users/guest.te:4:ERROR 'duplicate declaration of 
>>>>> type/attribute' at token ';' on line 55020:
>>>>>         type xguest_gnome_home_t;
>>>>> #line 4
>>>>> /usr/bin/checkmodule:  error(s) encountered while parsing 
>>>>> configuration
>>>>>
>>>>> The problem is the gen_requires happens before the declaration.
>>>>>
>>>>> The type is being declared in  a template file.
>>>>>       
>>>> For better or discarding of requires upon hitting a declaration isn't
>>>> like to be fixed (when the require is first).
>>>>     
>>>
>>> How hard is it to escalate a requires to a decl?
>>> Already happens for users and roles, right?
>>>
>>>  
>>>> I have an alternative suggestion - remove all of the requires from the
>>>> policy and use an sepolgen-based pre-processor to add them back in 
>>>> until
>>>> the policyrep work is done. That will ease the migration and can be 
>>>> done
>>>> far more easily than fixing the current compiler.
>>>>
>>>> Karl
>>>>
>>>>
>>>> -- 
>>>> This message was distributed to subscribers of the selinux mailing 
>>>> list.
>>>> If you no longer wish to subscribe, send mail to 
>>>> majordomo@tycho.nsa.gov with
>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>     
>> If we resorted Templates before Interfaces, would this problem go away?
>>
>
> Potentially - requires after declarations works fine (the requires is 
> just ignored). The other way around is what is more trouble.
>
> Karl
>
>
>>
>> -- 
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to 
>> majordomo@tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>
template(`userdom_unpriv_xwindows_login_user', `

userdom_unpriv_login_user($1)
# Should be optional but policy will not build because of compiler problems
# Must be before xwindows calls
#optional_policy(`
    gnome_per_role_template($1, $1_usertype, $1_r)
    gnome_exec_gconf($1_t)
#')

userdom_xwindows_client_template($1)
...


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.