From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4B8E820D.8030807@gmail.com>
Date: Wed, 03 Mar 2010 07:36:45 -0800
From: "Justin P. mattock"
MIME-Version: 1.0
To: Stephen Smalley
CC: AlannY, SELinux@tycho.nsa.gov, Joshua Brindle, Chad Sellers
Subject: Re: Problem with compiling refpolicy base.pp
References: <4B8E72D2.8030802@alanny.ru> <1267629710.6048.63.camel@moss-pluto.epoch.ncsc.mil> <1267630096.6048.64.camel@moss-pluto.epoch.ncsc.mil>
In-Reply-To: <1267630096.6048.64.camel@moss-pluto.epoch.ncsc.mil>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On 03/03/2010 07:28 AM, Stephen Smalley wrote:
> On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
>> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
>>> Hi there.
>>>
>>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
>>> tools (libselinux policycoreutils). I'm trying to:
>>>
>>> make bare
>>> make conf
>>> make base.pp
>>>
>>> My configuration:
>>>
>>> TYPE=mcs
>>> NAME=refpolicy
>>> UNK_PERMS=allow
>>> DIRECT_INITRC=n
>>> MONOLITHIC=n
>>> UBAC=n
>>> MLS_CATS=1024
>>> MCS_CATS=1024
>>>
>>> But, the last command failed with the following error:
>>>
>>> Creating refpolicy base module base.conf
>>> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
>>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf> base.conf
>>> Compiling refpolicy base module
>>> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
>>> /usr/bin/checkmodule: loading policy configuration from base.conf
>>> base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
>>> level s0:c0.c1023;
>>>
>>> Seems to be, it's a good line (2032), but checkmodule can't eat it.
>>>
>>> Where can be the problem?
>>
>> Looks like a scanner problem to me. There have been problems with some
>> versions of flex, e.g. see:
>> http://marc.info/?t=125613782400001&r=1&w=2
>> but no one has ever tracked it down precisely and I've never been able
>> to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so
>> that it generates debug output and then capture the stderr of running
>> checkpolicy on base.conf. Here I get the following output for that
>> line:
>> --accepting rule at line 55 ("
>> level s0:c0.c1023;")
>> --accepting rule at line 116 ("level")
>> --accepting rule at line 227 (" ")
>> --accepting rule at line 219 ("s0")
>> --accepting rule at line 235 (":")
>> --accepting rule at line 219 ("c0.c1023")
>> --accepting rule at line 236 (";")
>>
>> Note that the ":" gets treated as a separate token above, as it should,
>> whereas your checkmodule seems to not be splitting it properly.
>>
>> You can look at checkpolicy/policy_scan.l and see if anything strikes
>> you as problematic, but it looks sane to me. Maybe it is matching on
>> ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in
>> the pattern. Does this help?
>>
>> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l >> index 48128a8..b7b8f0a 100644 >> --- a/checkpolicy/policy_scan.l >> +++ b/checkpolicy/policy_scan.l
>> @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); } >> {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } >> {digit}+|0x{hexval}+ { return(NUMBER); } >> {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } >> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } >> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); } >> {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } >> #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } >> #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
>
> Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
> escaped via backslash as well?
>

if the flex version from git goes all the way back to 2.5* I'll do a
bisect on this but if it only goes so far, then bisection can be tricky.

Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
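
Review bot: In the IPV6_ADDR rule, removing "." from the trailing class changes what scans as a single token: an address written with a dotted-quad tail (the x:x:x:x:x:x:d.d.d.d text form) would now stop at the first "." instead of being returned whole, so check whether any policy statement relies on that form before dropping it. Both the old and the new pattern also require two ":" with at most four {hexval} characters between them before the trailing class is reached, so neither can start a match at ":c0.c1023"; the -d output from the failing build would show whether this rule is involved at all. On the follow-up question, the second "." in VERSION_IDENTIFIER sits inside the bracket expression [_.], where it is already literal.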
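
The tokenization discussed in the quoted messages, as an added example that is not part of the original thread or of checkpolicy: a small Python emulation of flex's longest-match rule applied to the five patterns visible in the hunk, with the IPV6_ADDR rule before and after the patch. The character classes and the LEVEL, whitespace and punctuation rules are assumptions, since the message does not show them, and both input lines are constructed.

```python
import re

# Assumed character classes (the definitions section of policy_scan.l is not
# shown in the message) and assumed stand-ins for the keyword, whitespace and
# punctuation rules that appear only in the quoted -d output.
HEX, DIGIT, ALNUM, LETTER = "[0-9A-Fa-f]", "[0-9]", "[A-Za-z0-9]", "[A-Za-z]"
OLD_TAIL, NEW_TAIL = "[:.]", ":"   # trailing class before / after the patch


def rules(tail):
    """Rules in file order; on equal length the earlier rule wins, as in flex."""
    return [(name, re.compile(rx)) for name, rx in [
        ("LEVEL", r"level"),
        ("IDENTIFIER", rf"{LETTER}(?:{ALNUM}|[_\-])*(?:\.?(?:{ALNUM}|[_\-]))*"),
        ("NUMBER", rf"{DIGIT}+|0x{HEX}+"),
        ("IPV4_ADDR", rf"{DIGIT}{{1,3}}(?:\.{DIGIT}{{1,3}}){{3}}"),
        ("IPV6_ADDR", rf"{HEX}{{0,4}}:{HEX}{{0,4}}:(?:{HEX}|{tail})*"),
        ("VERSION_IDENTIFIER", rf"{DIGIT}+(?:\.(?:{ALNUM}|[_.])*)?"),
        ("WS", r"[ \t]+"), ("COLON", r":"), ("SEMI", r";"), ("DOT", r"\."),
    ]]


def scan(text, tail):
    """Maximal munch: take the longest match at each offset."""
    pos, out, table = 0, [], rules(tail)
    while pos < len(text):
        best_len, best_name = 0, None
        for name, rx in table:
            # Longest prefix in the rule's language, independent of Python's
            # leftmost-alternative preference.
            n = next((k for k in range(len(text) - pos, 0, -1)
                      if rx.fullmatch(text, pos, pos + k)), 0)
            if n > best_len:
                best_len, best_name = n, name
        if best_name is None:
            raise ValueError(f"no rule matches at offset {pos}")
        if best_name != "WS":
            out.append((best_name, text[pos:pos + best_len]))
        pos += best_len
    return out


if __name__ == "__main__":
    for line in ("level s0:c0.c1023;", "::ffff:192.0.2.1"):  # constructed inputs
        for label, tail in (("old", OLD_TAIL), ("new", NEW_TAIL)):
            print(label, line, scan(line, tail))
```

Under these assumptions the failing line splits the same way with either pattern, matching the quoted -d output, while the two patterns differ only on the address with a dotted-quad tail.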