Message-ID: <48FF660E.2080708@manicmethod.com>
Date: Wed, 22 Oct 2008 13:42:38 -0400
From: Joshua Brindle
To: Stephen Smalley
CC: Joe Nall, Eamon Walsh, Daniel J Walsh, "Christopher J. PeBenito", SE Linux
Subject: Re: Use of optional_policy in templates (compiler bug or feature?)
In-Reply-To: <1224685922.29917.22.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:
> On Wed, 2008-10-22 at 10:28 -0400, Stephen Smalley wrote:
>
>> On Wed, 2008-10-22 at 09:26 -0500, Joe Nall wrote:
>>
>>> On Oct 22, 2008, at 9:01 AM, Stephen Smalley wrote:
>>>
>>>> I did notice however that I could also get it to build w/o
>>>> changing checkmodule by reversing the order of the interface calls
>>>> there - not sure if that workaround is usable in the original case that
>>>> triggered this bug report.
>>>
>>> Arranging modules in the proper order becomes increasingly difficult
>>> as module interaction grows. I finally de-optioned the X policy in
>>> fedora since it is in base to get our additions to compile. Patch
>>> included for reference.
>>>
>>> Making the compiler gracefully deal with options would really be
>>> appreciated. I could see the issue in the compiler code, but the right
>>> fix wasn't obvious.
>>
>> Does the patch I posted fix your problem?
>
> And by fix, I mean not only does it allow you to build the policy but
> does it yield the expected final kernel policy (i.e. look at the
> policy.N file via apol and check that you are getting the expected types
> and rules in the final policy).

I just worry that allowing situations like this will cause the linker to not properly (or deterministically) enable optional blocks. That is why we require everything be scoped locally to be used. We have, however, made changes to the linker algorithm since the original module codebase so it might have gotten better, but I don't think anyone has sat down and figured out exactly which cases can be required and which ones may be prevented.
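An added example (not from the thread, and not refpolicy code) of the local-scoping rule Joshua describes, written in the raw kernel policy module language that refpolicy's optional_policy macro expands to; the module and type names are hypothetical:

```selinux
# Added example: a stand-alone loadable module showing that every
# symbol an optional block uses must be declared or required in its
# own scope or an enclosing one. Names here are hypothetical.
module optscope 1.0;

# Global scope: symbols the module depends on unconditionally.
# If any of these is missing at link time, the whole module fails to link.
require {
    type foo_t;
    class unix_stream_socket { connectto };
}

# Optional block: its own require block brings xserver_t into scope.
# If xserver_t does not exist in the linked policy, the linker disables
# this entire block rather than failing the link, so the allow rule
# below is simply absent from the final kernel policy.
optional {
    require {
        type xserver_t;
    }
    allow foo_t xserver_t:unix_stream_socket connectto;
}
```

Compile with `checkmodule -M -m -o optscope.mod optscope.te` and package with `semodule_package -o optscope.pp -m optscope.mod`; after loading, checking the resulting policy for the allow rule (as Stephen suggests with apol) shows whether the optional block was enabled.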