'make policy' issues

'make policy' issues

[Eric Laganowski]

    Hello,

 I was trying to build selinux userspace tools on my custom linux build. 
Everything went fine until I attempted to compile reference policy.
Could you please help me in understanding what went wrong here.

refpolicy-2.20090730

$ make policy
Compiling refpolicy policy.24
/usr/bin/checkpolicy policy.conf -o policy.24
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
policy/modules/kernel/corenetwork.te":1715:ERROR 'syntax error' at token ':' on line 9122:
allow corenet_unconfined_type node_type:node *;

checkpolicy:  error(s) encountered while parsing configuration
make: *** [policy.24] Error 1


Packages:

checkpolicy-2.0.19
libselinux-2.0.85
libsemanage-2.0.33
libsepol-2.0.37
policycoreutils-2.0.69
sepolgen-1.0.17

$ yacc -V
yacc - 1.9 20090221
$ flex -V
flex 2.5.35

-Eric




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: 'make policy' issues

[Stephen Smalley]

On Wed, 2009-10-21 at 11:06 -0400, Eric Laganowski wrote:
> Hello,
> 
>  I was trying to build selinux userspace tools on my custom linux build. 
> Everything went fine until I attempted to compile reference policy.
> Could you please help me in understanding what went wrong here.
> 
> refpolicy-2.20090730
> 
> $ make policy
> Compiling refpolicy policy.24
> /usr/bin/checkpolicy policy.conf -o policy.24
> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> policy/modules/kernel/corenetwork.te":1715:ERROR 'syntax error' at token ':' on line 9122:
> allow corenet_unconfined_type node_type:node *;
> 
> checkpolicy:  error(s) encountered while parsing configuration
> make: *** [policy.24] Error 1
> 
> 
> Packages:
> 
> checkpolicy-2.0.19
> libselinux-2.0.85
> libsemanage-2.0.33
> libsepol-2.0.37
> policycoreutils-2.0.69
> sepolgen-1.0.17
> 
> $ yacc -V
> yacc - 1.9 20090221
> $ flex -V
> flex 2.5.35

Sounds similar to:
http://marc.info/?l=selinux&m=117076095205821&w=2

which was an upstream flex problem.  However, I also see that you are using yacc rather than bison?
Default for building checkpolicy is bison -y, which could be relevant.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: 'make policy' issues

[Eric Laganowski]

Stephen Smalley wrote:
> On Wed, 2009-10-21 at 11:06 -0400, Eric Laganowski wrote:
>   
>> Hello,
>>
>>  I was trying to build selinux userspace tools on my custom linux build. 
>> Everything went fine until I attempted to compile reference policy.
>> Could you please help me in understanding what went wrong here.
>>
>> refpolicy-2.20090730
>>
>> $ make policy
>> Compiling refpolicy policy.24
>> /usr/bin/checkpolicy policy.conf -o policy.24
>> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
>> policy/modules/kernel/corenetwork.te":1715:ERROR 'syntax error' at token ':' on line 9122:
>> allow corenet_unconfined_type node_type:node *;
>>
>> checkpolicy:  error(s) encountered while parsing configuration
>> make: *** [policy.24] Error 1
>>
>>
>> Packages:
>>
>> checkpolicy-2.0.19
>> libselinux-2.0.85
>> libsemanage-2.0.33
>> libsepol-2.0.37
>> policycoreutils-2.0.69
>> sepolgen-1.0.17
>>
>> $ yacc -V
>> yacc - 1.9 20090221
>> $ flex -V
>> flex 2.5.35
>>     
>
> Sounds similar to:
> http://marc.info/?l=selinux&m=117076095205821&w=2
>
> which was an upstream flex problem.  However, I also see that you are using yacc rather than bison?
> Default for building checkpolicy is bison -y, which could be relevant.
>   
Re bison/yacc: I tried both, byacc and 'bison -y'
Re flex: What is the requirement for flex from selinux perspective? Is 
it known what build of flex is "known good"?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: 'make policy' issues

[Stephen Smalley]

[-- Attachment #1: Type: text/plain, Size: 2108 bytes --]

On Wed, 2009-10-21 at 11:18 -0400, Eric Laganowski wrote:
> Stephen Smalley wrote:
> > On Wed, 2009-10-21 at 11:06 -0400, Eric Laganowski wrote:
> >   
> >> Hello,
> >>
> >>  I was trying to build selinux userspace tools on my custom linux build. 
> >> Everything went fine until I attempted to compile reference policy.
> >> Could you please help me in understanding what went wrong here.
> >>
> >> refpolicy-2.20090730
> >>
> >> $ make policy
> >> Compiling refpolicy policy.24
> >> /usr/bin/checkpolicy policy.conf -o policy.24
> >> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> >> policy/modules/kernel/corenetwork.te":1715:ERROR 'syntax error' at token ':' on line 9122:
> >> allow corenet_unconfined_type node_type:node *;
> >>
> >> checkpolicy:  error(s) encountered while parsing configuration
> >> make: *** [policy.24] Error 1
> >>
> >>
> >> Packages:
> >>
> >> checkpolicy-2.0.19
> >> libselinux-2.0.85
> >> libsemanage-2.0.33
> >> libsepol-2.0.37
> >> policycoreutils-2.0.69
> >> sepolgen-1.0.17
> >>
> >> $ yacc -V
> >> yacc - 1.9 20090221
> >> $ flex -V
> >> flex 2.5.35
> >>     
> >
> > Sounds similar to:
> > http://marc.info/?l=selinux&m=117076095205821&w=2
> >
> > which was an upstream flex problem.  However, I also see that you are using yacc rather than bison?
> > Default for building checkpolicy is bison -y, which could be relevant.
> >   
> Re bison/yacc: I tried both, byacc and 'bison -y'
> Re flex: What is the requirement for flex from selinux perspective? Is 
> it known what build of flex is "known good"?

My impression is that one of the patches carried by the distributions
for flex is needed for checkpolicy to work, but no one has ever fully
investigated the precise dependency - people just grab the Fedora srpm
and apply those patches to flex, and then rebuild checkpolicy and it
works.  I haven't seen any complaints from Debian or Gentoo so I presume
that they also carry the same patches for flex.

flex -V here also shows 2.5.35.  But there are three patches in the
Fedora package.  Attached.

-- 
Stephen Smalley
National Security Agency

[-- Attachment #2: flex-2.5.35-gcc44.patch --]
[-- Type: text/x-patch, Size: 829 bytes --]

diff -urNp flex-2.5.35.orig/flex.skl flex-2.5.35/flex.skl
--- flex-2.5.35.orig/flex.skl	2009-04-20 03:09:46.000000000 +0530
+++ flex-2.5.35/flex.skl	2009-04-20 07:46:58.000000000 +0530
@@ -217,6 +217,7 @@ m4preproc_include(`flexint.h')
 /* begin standard C++ headers. */
 #include <iostream> 
 #include <errno.h>
+#include <cstdio>
 #include <cstdlib>
 #include <cstring>
 /* end standard C++ headers. */
diff -urNp flex-2.5.35.orig/skel.c flex-2.5.35/skel.c
--- flex-2.5.35.orig/skel.c	2009-04-20 03:09:46.000000000 +0530
+++ flex-2.5.35/skel.c	2009-04-20 07:46:40.000000000 +0530
@@ -284,6 +284,7 @@ const char *skel[] = {
   "/* begin standard C++ headers. */",
   "#include <iostream> ",
   "#include <errno.h>",
+  "#include <cstdio>",
   "#include <cstdlib>",
   "#include <cstring>",
   "/* end standard C++ headers. */",

[-- Attachment #3: flex-2.5.35-hardening.patch --]
[-- Type: text/x-patch, Size: 1324 bytes --]

diff -u flex-2.5.35/scan.c flex-2.5.35/scan.c
--- flex-2.5.35/scan.c
+++ flex-2.5.35/scan.c
@@ -2096,7 +2096,7 @@
 /* This used to be an fputs(), but since the string might contain NUL's,
  * we now use fwrite().
  */
-#define ECHO fwrite( yytext, yyleng, 1, yyout )
+#define ECHO do { if (fwrite( yytext, yyleng, 1, yyout )) {} } while (0)
 #endif
 
 /* Gets input and stuffs it into "buf".  number of characters read, or YY_NULL,
diff -u flex-2.5.35/flex.skl flex-2.5.35/flex.skl
--- flex-2.5.35/flex.skl
+++ flex-2.5.35/flex.skl
@@ -1075,7 +1075,7 @@
 /* This used to be an fputs(), but since the string might contain NUL's,
  * we now use fwrite().
  */
-#define ECHO fwrite( yytext, yyleng, 1, yyout )
+#define ECHO do { if (fwrite( yytext, yyleng, 1, yyout )) {} } while (0)
 %endif
 %if-c++-only C++ definition
 #define ECHO LexerOutput( yytext, yyleng )
diff -u flex-2.5.35/skel.c flex-2.5.35/skel.c
--- flex-2.5.35/skel.c
+++ flex-2.5.35/skel.c
@@ -1142,7 +1142,7 @@
   "/* This used to be an fputs(), but since the string might contain NUL's,",
   " * we now use fwrite().",
   " */",
-  "#define ECHO fwrite( yytext, yyleng, 1, yyout )",
+  "#define ECHO do { if (fwrite( yytext, yyleng, 1, yyout )) {} } while (0)",
   "%endif",
   "%if-c++-only C++ definition",
   "#define ECHO LexerOutput( yytext, yyleng )",

[-- Attachment #4: flex-2.5.35-sign.patch --]
[-- Type: text/x-patch, Size: 498 bytes --]

--- flex-2.5.35/gen.c-orig	2008-04-30 22:51:08.000000000 +0200
+++ flex-2.5.35/gen.c	2008-04-30 22:51:14.000000000 +0200
@@ -1890,7 +1890,7 @@
 			outn ("\tif ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \\");
 			outn ("\t\t{ \\");
 			outn ("\t\tint c = '*'; \\");
-			outn ("\t\tint n; \\");
+			outn ("\t\tunsigned n; \\");
 			outn ("\t\tfor ( n = 0; n < max_size && \\");
 			outn ("\t\t\t     (c = getc( yyin )) != EOF && c != '\\n'; ++n ) \\");
 			outn ("\t\t\tbuf[n] = (char) c; \\");

Re: 'make policy' issues

[Justin P. Mattock]

Stephen Smalley wrote:
> On Wed, 2009-10-21 at 11:18 -0400, Eric Laganowski wrote:
>    
>> Stephen Smalley wrote:
>>      
>>> On Wed, 2009-10-21 at 11:06 -0400, Eric Laganowski wrote:
>>>
>>>        
>>>> Hello,
>>>>
>>>>   I was trying to build selinux userspace tools on my custom linux build.
>>>> Everything went fine until I attempted to compile reference policy.
>>>> Could you please help me in understanding what went wrong here.
>>>>
>>>> refpolicy-2.20090730
>>>>
>>>> $ make policy
>>>> Compiling refpolicy policy.24
>>>> /usr/bin/checkpolicy policy.conf -o policy.24
>>>> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
>>>> policy/modules/kernel/corenetwork.te":1715:ERROR 'syntax error' at token ':' on line 9122:
>>>> allow corenet_unconfined_type node_type:node *;
>>>>
>>>> checkpolicy:  error(s) encountered while parsing configuration
>>>> make: *** [policy.24] Error 1
>>>>
>>>>
>>>> Packages:
>>>>
>>>> checkpolicy-2.0.19
>>>> libselinux-2.0.85
>>>> libsemanage-2.0.33
>>>> libsepol-2.0.37
>>>> policycoreutils-2.0.69
>>>> sepolgen-1.0.17
>>>>
>>>> $ yacc -V
>>>> yacc - 1.9 20090221
>>>> $ flex -V
>>>> flex 2.5.35
>>>>
>>>>          
>>> Sounds similar to:
>>> http://marc.info/?l=selinux&m=117076095205821&w=2
>>>
>>> which was an upstream flex problem.  However, I also see that you are using yacc rather than bison?
>>> Default for building checkpolicy is bison -y, which could be relevant.
>>>
>>>        
>> Re bison/yacc: I tried both, byacc and 'bison -y'
>> Re flex: What is the requirement for flex from selinux perspective? Is
>> it known what build of flex is "known good"?
>>      
>
> My impression is that one of the patches carried by the distributions
> for flex is needed for checkpolicy to work, but no one has ever fully
> investigated the precise dependency - people just grab the Fedora srpm
> and apply those patches to flex, and then rebuild checkpolicy and it
> works.  I haven't seen any complaints from Debian or Gentoo so I presume
> that they also carry the same patches for flex.
>
> flex -V here also shows 2.5.35.  But there are three patches in the
> Fedora package.  Attached.
>
>    
Thanks for the patch, been hitting something similar to this
with checkpolicy(used git clean -fx to fix)

Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: 'make policy' issues

[Manoj Srivastava]

On Wed, Oct 21 2009, Stephen Smalley wrote:

> On Wed, 2009-10-21 at 11:18 -0400, Eric Laganowski wrote:
>> Stephen Smalley wrote:

>> Re bison/yacc: I tried both, byacc and 'bison -y'
>> Re flex: What is the requirement for flex from selinux perspective? Is 
>> it known what build of flex is "known good"?
>
> My impression is that one of the patches carried by the distributions
> for flex is needed for checkpolicy to work, but no one has ever fully
> investigated the precise dependency - people just grab the Fedora srpm
> and apply those patches to flex, and then rebuild checkpolicy and it
> works.  I haven't seen any complaints from Debian or Gentoo so I presume
> that they also carry the same patches for flex.
>
> flex -V here also shows 2.5.35.  But there are three patches in the
> Fedora package.  Attached.

        Debian currently carries 13 (though 3 of them need to be
 squashed together) patches against 2.5.35. I can make them available if
 there is interest.

        manoj
-- 
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: 'make policy' issues

[Eric Laganowski]

Manoj Srivastava wrote:
> On Wed, Oct 21 2009, Stephen Smalley wrote:
>   
>>> Re flex: What is the requirement for flex from selinux perspective? Is 
>>> it known what build of flex is "known good"?
>>>       
>> My impression is that one of the patches carried by the distributions
>> for flex is needed for checkpolicy to work, but no one has ever fully
>> investigated the precise dependency - people just grab the Fedora srpm
>> and apply those patches to flex, and then rebuild checkpolicy and it
>> works.  I haven't seen any complaints from Debian or Gentoo so I presume
>> that they also carry the same patches for flex.
>>
>> flex -V here also shows 2.5.35.  But there are three patches in the
>> Fedora package.  Attached.
>>     
>
>         Debian currently carries 13 (though 3 of them need to be
>  squashed together) patches against 2.5.35. I can make them available if
>  there is interest.
>
>         manoj
>   
Yes please. Patches would be welcome.

-Eric

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: 'make policy' issues

[Stephen Smalley]

On Wed, 2009-10-21 at 12:56 -0400, Eric Laganowski wrote:
> Manoj Srivastava wrote:
> > On Wed, Oct 21 2009, Stephen Smalley wrote:
> >   
> >>> Re flex: What is the requirement for flex from selinux perspective? Is 
> >>> it known what build of flex is "known good"?
> >>>       
> >> My impression is that one of the patches carried by the distributions
> >> for flex is needed for checkpolicy to work, but no one has ever fully
> >> investigated the precise dependency - people just grab the Fedora srpm
> >> and apply those patches to flex, and then rebuild checkpolicy and it
> >> works.  I haven't seen any complaints from Debian or Gentoo so I presume
> >> that they also carry the same patches for flex.
> >>
> >> flex -V here also shows 2.5.35.  But there are three patches in the
> >> Fedora package.  Attached.
> >>     
> >
> >         Debian currently carries 13 (though 3 of them need to be
> >  squashed together) patches against 2.5.35. I can make them available if
> >  there is interest.
> >
> >         manoj
> >   
> Yes please. Patches would be welcome.

Did you try the three patches that I attached to my email for flex?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: 'make policy' issues

[Eric Laganowski]

Stephen Smalley wrote:
>>>>   
>>>>         
>>>        Debian currently carries 13 (though 3 of them need to be
>>>  squashed together) patches against 2.5.35. I can make them available if
>>>  there is interest.
>>>
>>>         manoj
>>>   
>>>       
>> Yes please. Patches would be welcome.
>>     
>
> Did you try the three patches that I attached to my email for flex?
>
>   
Yes I did: applied patches and rebuilt checkpolicy-2.0.19, which did not 
resolve the issue.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: 'make policy' issues

[Eric Laganowski]

Stephen Smalley wrote:
> On Wed, 2009-10-21 at 13:07 -0400, Eric Laganowski wrote:
>   
>> Stephen Smalley wrote:
>>     
>>>>>>   
>>>>>>         
>>>>>>             
>>>>>        Debian currently carries 13 (though 3 of them need to be
>>>>>  squashed together) patches against 2.5.35. I can make them available if
>>>>>  there is interest.
>>>>>
>>>>>         manoj
>>>>>   
>>>>>       
>>>>>           
>>>> Yes please. Patches would be welcome.
>>>>     
>>>>         
>>> Did you try the three patches that I attached to my email for flex?
>>>
>>>   
>>>       
>> Yes I did: applied patches and rebuilt checkpolicy-2.0.19, which did not 
>> resolve the issue.
>>     
>
> Curious.  gcc -v?
>
>   
$ gcc -v
Using built-in specs.
Target: i686-pc-linux-gnu
Configured with: ../gcc-4.4.1/configure --prefix=/usr 
--libexecdir=/usr/lib --enable-shared --enable-threads=posix 
--enable-__cxa_atexit --enable-c99 --enable-long-long 
--enable-clocale=gnu --enable-languages=c,c++ --disable-multilib 
--disable-libstdcxx-pch
Thread model: posix
gcc version 4.4.1 (GCC for Cross-LFS 4.4.1.20090722)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: 'make policy' issues

[Stephen Smalley]

On Wed, 2009-10-21 at 13:07 -0400, Eric Laganowski wrote:
> Stephen Smalley wrote:
> >>>>   
> >>>>         
> >>>        Debian currently carries 13 (though 3 of them need to be
> >>>  squashed together) patches against 2.5.35. I can make them available if
> >>>  there is interest.
> >>>
> >>>         manoj
> >>>   
> >>>       
> >> Yes please. Patches would be welcome.
> >>     
> >
> > Did you try the three patches that I attached to my email for flex?
> >
> >   
> Yes I did: applied patches and rebuilt checkpolicy-2.0.19, which did not 
> resolve the issue.

Curious.  gcc -v?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: 'make policy' issues

[Mike Edenfield]

On Wed, Oct 21 2009, Stephen Smalley wrote:

> My impression is that one of the patches carried by the distributions
> for flex is needed for checkpolicy to work, but no one has ever fully
> investigated the precise dependency - people just grab the Fedora srpm
> and apply those patches to flex, and then rebuild checkpolicy and it
> works.  I haven't seen any complaints from Debian or Gentoo so I presume
> that they also carry the same patches for flex.

Just for reference, Gentoo only has the gcc44 one in portage (plus two 
others that seem unrelated), and it build the refpolicy fine here.

--Mike

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: 'make policy' issues

[Justin P. Mattock]

Mike Edenfield wrote:
> On Wed, Oct 21 2009, Stephen Smalley wrote:
>
>> My impression is that one of the patches carried by the distributions
>> for flex is needed for checkpolicy to work, but no one has ever fully
>> investigated the precise dependency - people just grab the Fedora srpm
>> and apply those patches to flex, and then rebuild checkpolicy and it
>> works.  I haven't seen any complaints from Debian or Gentoo so I presume
>> that they also carry the same patches for flex.
>
> Just for reference, Gentoo only has the gcc44 one in portage (plus two 
> others that seem unrelated), and it build the refpolicy fine here.
>
> --Mike
>
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
just looking at the Makefile there is some
stuff in there pointing to xmldtd,etc..
In the case like me(LFS) xmldtd was built
but gtkdoc was not. Wondering if one needs to
build the doc generating tools to not hit any
odd things.

Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: 'make policy' issues

[Manoj Srivastava]

On Wed, Oct 21 2009, Eric Laganowski wrote:

> Manoj Srivastava wrote:
>> On Wed, Oct 21 2009, Stephen Smalley wrote:
>>   
>>>> Re flex: What is the requirement for flex from selinux
>>>> perspective? Is it known what build of flex is "known good"?
>>>>       
>>> My impression is that one of the patches carried by the distributions
>>> for flex is needed for checkpolicy to work, but no one has ever fully
>>> investigated the precise dependency - people just grab the Fedora srpm
>>> and apply those patches to flex, and then rebuild checkpolicy and it
>>> works.  I haven't seen any complaints from Debian or Gentoo so I presume
>>> that they also carry the same patches for flex.
>>>
>>> flex -V here also shows 2.5.35.  But there are three patches in the
>>> Fedora package.  Attached.
>>>     
>>
>>         Debian currently carries 13 (though 3 of them need to be
>>  squashed together) patches against 2.5.35. I can make them available if
>>  there is interest.
>>
>>         manoj
>>   
> Yes please. Patches would be welcome.

        ok. I have put all the patches at:
 http://www.golden-gryphon.com/software/misc/flex-patches/

        If you want to browse the git repository and see which topic
 branches these patches come from, you may browse the repo at:
   http://git.debian.org/?p=users/srivasta/debian/flex.git

        The upstream sources are in the upstream branch, and the various
 topic--[!old]foo branches are feature branches, and master is the
 integration branch that Debian packages are built from.

        I hope this helps.

        manoj
-- 
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: 'make policy' issues

[Justin P. Mattock]

Manoj Srivastava wrote:
> On Wed, Oct 21 2009, Eric Laganowski wrote:
>
>    
>> Manoj Srivastava wrote:
>>      
>>> On Wed, Oct 21 2009, Stephen Smalley wrote:
>>>
>>>        
>>>>> Re flex: What is the requirement for flex from selinux
>>>>> perspective? Is it known what build of flex is "known good"?
>>>>>
>>>>>            
>>>> My impression is that one of the patches carried by the distributions
>>>> for flex is needed for checkpolicy to work, but no one has ever fully
>>>> investigated the precise dependency - people just grab the Fedora srpm
>>>> and apply those patches to flex, and then rebuild checkpolicy and it
>>>> works.  I haven't seen any complaints from Debian or Gentoo so I presume
>>>> that they also carry the same patches for flex.
>>>>
>>>> flex -V here also shows 2.5.35.  But there are three patches in the
>>>> Fedora package.  Attached.
>>>>
>>>>          
>>>          Debian currently carries 13 (though 3 of them need to be
>>>   squashed together) patches against 2.5.35. I can make them available if
>>>   there is interest.
>>>
>>>          manoj
>>>
>>>        
>> Yes please. Patches would be welcome.
>>      
>
>          ok. I have put all the patches at:
>   http://www.golden-gryphon.com/software/misc/flex-patches/
>
>          If you want to browse the git repository and see which topic
>   branches these patches come from, you may browse the repo at:
>     http://git.debian.org/?p=users/srivasta/debian/flex.git
>
>          The upstream sources are in the upstream branch, and the various
>   topic--[!old]foo branches are feature branches, and master is the
>   integration branch that Debian packages are built from.
>
>          I hope this helps.
>
>          manoj
>    
Cool, thanks for those.
not sure if I'm hitting the same issue,
but I am hitting something.
from checkpolicy crapping out to not being able to
install mcs/mls, only standard(but only on the first go of it)
leading me to believe that I'm missing something during my build
with some of the required packages.(system is an LFS build,
things like this are the norm).

Justin P. Mattock


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: 'make policy' issues

[Justin Mattock]

after adding most of the patches, and
using flex from git, still getting an error from
checkpolicy. Now after searching
I ran into this:
http://aur.archlinux.org/packages.php?ID=13202
and sure enough after downgrading flex
the policy went through as it should.
(as for what/where? not sure, especially after adding
most if not all patches to the latest flex).


-- 
Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.