* role_fix_callback assertion with sysadm in base
@ 2012-02-09 22:58 Martin Orr
From: Martin Orr @ 2012-02-09 22:58 UTC (permalink / raw)
To: SE-Linux
I tried to build latest git refpolicy (6da98efd) using latest
checkpolicy and libsepol (339f8079) with the attached modules.conf.
In particular this puts sysadm into base.pp, and minimal other things.
I get the following error.
Compiling refpolicy base module
/usr/bin/checkmodule base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
checkmodule: expand.c:700: role_fix_callback: Assertion `new_role !=
((void *)0) && new_role->flavor == 1' failed.
make: *** [tmp/base.mod] Aborted
--
Martin Orr
[-- Attachment #2: modules.conf --]
#
# This file contains a listing of available modules.
# To prevent a module from being used in policy
# creation, set the module name to "off".
#
# For monolithic policies, modules set to "base" and "module"
# will be built into the policy.
#
# For modular policies, modules set to "base" will be
# included in the base module. "module" will be compiled
# as individual loadable modules.
#
# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: kernel
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Layer: kernel
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: kernel
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Layer: kernel
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Layer: kernel
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,
# and unlabeled processes and objects.
#
kernel = base
# Layer: kernel
# Module: mcs
# Required in base
#
# Multicategory security policy
#
mcs = base
# Layer: kernel
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Layer: kernel
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: kernel
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: ubac
# Required in base
#
# User-based access control policy
#
ubac = base
# Layer: admin
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = module
# Layer: admin
# Module: consoletype
#
# Determine the type of console connected to the controlling terminal.
#
consoletype = module
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = module
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = module
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = module
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = module
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = module
# Layer: apps
# Module: seunshare
#
# Filesystem namespacing/polyinstantiation application.
#
seunshare = module
# Layer: contrib
# Module: abrt
#
# ABRT - automated bug-reporting tool
#
abrt = module
# Layer: contrib
# Module: accountsd
#
# AccountsService and daemon for manipulating user account information via D-Bus
#
accountsd = module
# Layer: contrib
# Module: acct
#
# Berkeley process accounting
#
acct = module
# Layer: contrib
# Module: ada
#
# GNAT Ada95 compiler
#
ada = module
# Layer: contrib
# Module: afs
#
# Andrew Filesystem server
#
afs = module
# Layer: contrib
# Module: aiccu
#
# Automatic IPv6 Connectivity Client Utility.
#
aiccu = module
# Layer: contrib
# Module: aide
#
# Aide filesystem integrity checker
#
aide = module
# Layer: contrib
# Module: aisexec
#
# Aisexec Cluster Engine
#
aisexec = module
# Layer: contrib
# Module: alsa
#
# Ainit ALSA configuration tool.
#
alsa = module
# Layer: contrib
# Module: amanda
#
# Advanced Maryland Automatic Network Disk Archiver.
#
amanda = module
# Layer: contrib
# Module: amavis
#
# Daemon that interfaces mail transfer agents and content
# checkers, such as virus scanners.
#
amavis = module
# Layer: contrib
# Module: amtu
#
# Abstract Machine Test Utility.
#
amtu = module
# Layer: contrib
# Module: anaconda
#
# Anaconda installer.
#
anaconda = module
# Layer: contrib
# Module: apache
#
# Apache web server
#
apache = module
# Layer: contrib
# Module: apcupsd
#
# APC UPS monitoring daemon
#
apcupsd = module
# Layer: contrib
# Module: apm
#
# Advanced power management daemon
#
apm = module
# Layer: contrib
# Module: apt
#
# APT advanced package tool.
#
apt = module
# Layer: contrib
# Module: arpwatch
#
# Ethernet activity monitor.
#
arpwatch = module
# Layer: contrib
# Module: asterisk
#
# Asterisk IP telephony server
#
asterisk = module
# Layer: contrib
# Module: authbind
#
# Tool for non-root processes to bind to reserved ports
#
authbind = module
# Layer: contrib
# Module: automount
#
# Filesystem automounter service.
#
automount = module
# Layer: contrib
# Module: avahi
#
# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
#
avahi = module
# Layer: contrib
# Module: awstats
#
# AWStats is a free powerful and featureful tool that generates advanced
# web, streaming, ftp or mail server statistics, graphically.
#
awstats = module
# Layer: contrib
# Module: backup
#
# System backup scripts
#
backup = module
# Layer: contrib
# Module: bind
#
# Berkeley internet name domain DNS server.
#
bind = module
# Layer: contrib
# Module: bitlbee
#
# Bitlbee service
#
bitlbee = module
# Layer: contrib
# Module: bluetooth
#
# Bluetooth tools and system services.
#
bluetooth = module
# Layer: contrib
# Module: brctl
#
# Utilities for configuring the linux ethernet bridge
#
brctl = module
# Layer: contrib
# Module: bugzilla
#
# Bugzilla server
#
bugzilla = module
# Layer: contrib
# Module: calamaris
#
# Squid log analysis
#
calamaris = module
# Layer: contrib
# Module: canna
#
# Canna - kana-kanji conversion server
#
canna = module
# Layer: contrib
# Module: ccs
#
# Cluster Configuration System
#
ccs = module
# Layer: contrib
# Module: cdrecord
#
# Policy for cdrecord
#
cdrecord = module
# Layer: contrib
# Module: certmaster
#
# Certmaster SSL certificate distribution service
#
certmaster = module
# Layer: contrib
# Module: certmonger
#
# Certificate status monitor and PKI enrollment client
#
certmonger = module
# Layer: contrib
# Module: certwatch
#
# Digital Certificate Tracking
#
certwatch = module
# Layer: contrib
# Module: cgroup
#
# libcg is a library that abstracts the control group file system in Linux.
#
cgroup = module
# Layer: contrib
# Module: chronyd
#
# Chrony NTP background daemon
#
chronyd = module
# Layer: contrib
# Module: cipe
#
# Encrypted tunnel daemon
#
cipe = module
# Layer: contrib
# Module: clamav
#
# ClamAV Virus Scanner
#
clamav = module
# Layer: contrib
# Module: clockspeed
#
# Clockspeed simple network time protocol client
#
clockspeed = module
# Layer: contrib
# Module: clogd
#
# clogd - Clustered Mirror Log Server
#
clogd = module
# Layer: contrib
# Module: cmirrord
#
# Cluster mirror log daemon
#
cmirrord = module
# Layer: contrib
# Module: cobbler
#
# Cobbler installation server.
#
cobbler = module
# Layer: contrib
# Module: colord
#
# GNOME color manager
#
colord = module
# Layer: contrib
# Module: comsat
#
# Comsat, a biff server.
#
comsat = module
# Layer: contrib
# Module: consolekit
#
# Framework for facilitating multiple user sessions on desktops.
#
consolekit = module
# Layer: contrib
# Module: corosync
#
# Corosync Cluster Engine
#
corosync = module
# Layer: contrib
# Module: courier
#
# Courier IMAP and POP3 email servers
#
courier = module
# Layer: contrib
# Module: cpucontrol
#
# Services for loading CPU microcode and CPU frequency scaling.
#
cpucontrol = module
# Layer: contrib
# Module: cpufreqselector
#
# Command-line CPU frequency settings.
#
cpufreqselector = module
# Layer: contrib
# Module: cron
#
# Periodic execution of scheduled commands.
#
cron = module
# Layer: contrib
# Module: cups
#
# Common UNIX printing system
#
cups = module
# Layer: contrib
# Module: cvs
#
# Concurrent versions system
#
cvs = module
# Layer: contrib
# Module: cyphesis
#
# Cyphesis WorldForge game server
#
cyphesis = module
# Layer: contrib
# Module: cyrus
#
# Cyrus is an IMAP service intended to be run on sealed servers
#
cyrus = module
# Layer: contrib
# Module: daemontools
#
# Collection of tools for managing UNIX services
#
daemontools = module
# Layer: contrib
# Module: dante
#
# Dante msproxy and socks4/5 proxy server
#
dante = module
# Layer: contrib
# Module: dbadm
#
# Database administrator role
#
dbadm = module
# Layer: contrib
# Module: dbskk
#
# Dictionary server for the SKK Japanese input method system.
#
dbskk = module
# Layer: contrib
# Module: dbus
#
# Desktop messaging bus
#
dbus = module
# Layer: contrib
# Module: dcc
#
# Distributed checksum clearinghouse spam filtering
#
dcc = module
# Layer: contrib
# Module: ddclient
#
# Update dynamic IP address at DynDNS.org
#
ddclient = module
# Layer: contrib
# Module: ddcprobe
#
# ddcprobe retrieves monitor and graphics card information
#
ddcprobe = module
# Layer: contrib
# Module: denyhosts
#
# DenyHosts SSH dictionary attack mitigation
#
denyhosts = module
# Layer: contrib
# Module: devicekit
#
# Devicekit modular hardware abstraction layer
#
devicekit = module
# Layer: contrib
# Module: dhcp
#
# Dynamic host configuration protocol (DHCP) server
#
dhcp = module
# Layer: contrib
# Module: dictd
#
# Dictionary daemon
#
dictd = module
# Layer: contrib
# Module: distcc
#
# Distributed compiler daemon
#
distcc = module
# Layer: contrib
# Module: djbdns
#
# small and secure DNS daemon
#
djbdns = module
# Layer: contrib
# Module: dkim
#
# DomainKeys Identified Mail milter.
#
dkim = module
# Layer: contrib
# Module: dmidecode
#
# Decode DMI data for x86/ia64 bioses.
#
dmidecode = module
# Layer: contrib
# Module: dnsmasq
#
# dnsmasq DNS forwarder and DHCP server
#
dnsmasq = module
# Layer: contrib
# Module: dovecot
#
# Dovecot POP and IMAP mail server
#
dovecot = module
# Layer: contrib
# Module: dpkg
#
# Policy for the Debian package manager.
#
dpkg = module
# Layer: contrib
# Module: entropyd
#
# Generate entropy from audio input
#
entropyd = module
# Layer: contrib
# Module: evolution
#
# Evolution email client
#
evolution = module
# Layer: contrib
# Module: exim
#
# Exim mail transfer agent
#
exim = module
# Layer: contrib
# Module: fail2ban
#
# Update firewall filtering to ban IP addresses with too many password failures.
#
fail2ban = module
# Layer: contrib
# Module: fetchmail
#
# Remote-mail retrieval and forwarding utility
#
fetchmail = module
# Layer: contrib
# Module: finger
#
# Finger user information service.
#
finger = module
# Layer: contrib
# Module: firstboot
#
# Final system configuration run during the first boot
# after installation of Red Hat/Fedora systems.
#
firstboot = module
# Layer: contrib
# Module: fprintd
#
# DBus fingerprint reader service
#
fprintd = module
# Layer: contrib
# Module: ftp
#
# File transfer protocol service
#
ftp = module
# Layer: contrib
# Module: games
#
# Games
#
games = module
# Layer: contrib
# Module: gatekeeper
#
# OpenH.323 Voice-Over-IP Gatekeeper
#
gatekeeper = module
# Layer: contrib
# Module: gift
#
# giFT peer to peer file sharing tool
#
gift = module
# Layer: contrib
# Module: git
#
# GIT revision control system.
#
git = module
# Layer: contrib
# Module: gitosis
#
# Tools for managing and hosting git repositories.
#
gitosis = module
# Layer: contrib
# Module: glance
#
# policy for glance
#
glance = module
# Layer: contrib
# Module: gnome
#
# GNU network object model environment (GNOME)
#
gnome = module
# Layer: contrib
# Module: gnomeclock
#
# Gnome clock handler for setting the time.
#
gnomeclock = module
# Layer: contrib
# Module: gpg
#
# Policy for GNU Privacy Guard and related programs.
#
gpg = module
# Layer: contrib
# Module: gpm
#
# General Purpose Mouse driver
#
gpm = module
# Layer: contrib
# Module: gpsd
#
# gpsd monitor daemon
#
gpsd = module
# Layer: contrib
# Module: guest
#
# Least privilege terminal user role
#
guest = module
# Layer: contrib
# Module: hadoop
#
# Software for reliable, scalable, distributed computing.
#
hadoop = module
# Layer: contrib
# Module: hal
#
# Hardware abstraction layer
#
hal = module
# Layer: contrib
# Module: hddtemp
#
# hddtemp hard disk temperature tool running as a daemon.
#
hddtemp = module
# Layer: contrib
# Module: howl
#
# Port of Apple Rendezvous multicast DNS
#
howl = module
# Layer: contrib
# Module: i18n_input
#
# IIIMF htt server
#
i18n_input = module
# Layer: contrib
# Module: icecast
#
# ShoutCast compatible streaming media server
#
icecast = module
# Layer: contrib
# Module: ifplugd
#
# Bring up/down ethernet interfaces based on cable detection.
#
ifplugd = module
# Layer: contrib
# Module: imaze
#
# iMaze game server
#
imaze = module
# Layer: contrib
# Module: inetd
#
# Internet services daemon.
#
inetd = module
# Layer: contrib
# Module: inn
#
# Internet News NNTP server
#
inn = module
# Layer: contrib
# Module: irc
#
# IRC client policy
#
irc = module
# Layer: contrib
# Module: ircd
#
# IRC server
#
ircd = module
# Layer: contrib
# Module: irqbalance
#
# IRQ balancing daemon
#
irqbalance = module
# Layer: contrib
# Module: iscsi
#
# Establish connections to iSCSI devices
#
iscsi = module
# Layer: contrib
# Module: jabber
#
# Jabber instant messaging server
#
jabber = module
# Layer: contrib
# Module: java
#
# Java virtual machine
#
java = module
# Layer: contrib
# Module: kdump
#
# Kernel crash dumping mechanism
#
kdump = module
# Layer: contrib
# Module: kdumpgui
#
# system-config-kdump GUI
#
kdumpgui = module
# Layer: contrib
# Module: kerberos
#
# MIT Kerberos admin and KDC
#
kerberos = module
# Layer: contrib
# Module: kerneloops
#
# Service for reporting kernel oopses to kerneloops.org
#
kerneloops = module
# Layer: contrib
# Module: kismet
#
# Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.
#
kismet = module
# Layer: contrib
# Module: ksmtuned
#
# Kernel Samepage Merging (KSM) Tuning Daemon
#
ksmtuned = module
# Layer: contrib
# Module: ktalk
#
# KDE Talk daemon
#
ktalk = module
# Layer: contrib
# Module: kudzu
#
# Hardware detection and configuration tools
#
kudzu = module
# Layer: contrib
# Module: ldap
#
# OpenLDAP directory server
#
ldap = module
# Layer: contrib
# Module: likewise
#
# Likewise Active Directory support for UNIX.
#
likewise = module
# Layer: contrib
# Module: lircd
#
# Linux infrared remote control daemon
#
lircd = module
# Layer: contrib
# Module: livecd
#
# Livecd tool for building alternate livecd for different os and policy versions.
#
livecd = module
# Layer: contrib
# Module: loadkeys
#
# Load keyboard mappings.
#
loadkeys = module
# Layer: contrib
# Module: lockdev
#
# device locking policy for lockdev
#
lockdev = module
# Layer: contrib
# Module: logrotate
#
# Rotate and archive system logs
#
logrotate = module
# Layer: contrib
# Module: logwatch
#
# System log analyzer and reporter
#
logwatch = module
# Layer: contrib
# Module: lpd
#
# Line printer daemon
#
lpd = module
# Layer: contrib
# Module: mailman
#
# Mailman is for managing electronic mail discussion and e-newsletter lists
#
mailman = module
# Layer: contrib
# Module: mcelog
#
# policy for mcelog
#
mcelog = module
# Layer: contrib
# Module: mediawiki
#
# Mediawiki policy
#
mediawiki = module
# Layer: contrib
# Module: memcached
#
# high-performance memory object caching system
#
memcached = module
# Layer: contrib
# Module: milter
#
# Milter mail filters
#
milter = module
# Layer: contrib
# Module: modemmanager
#
# Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.
#
modemmanager = module
# Layer: contrib
# Module: mojomojo
#
# MojoMojo Wiki
#
mojomojo = module
# Layer: contrib
# Module: mono
#
# Run .NET server and client applications on Linux.
#
mono = module
# Layer: contrib
# Module: monop
#
# Monopoly daemon
#
monop = module
# Layer: contrib
# Module: mozilla
#
# Policy for Mozilla and related web browsers
#
mozilla = module
# Layer: contrib
# Module: mpd
#
# Music Player Daemon
#
mpd = module
# Layer: contrib
# Module: mplayer
#
# Mplayer media player and encoder
#
mplayer = module
# Layer: contrib
# Module: mrtg
#
# Network traffic graphing
#
mrtg = module
# Layer: contrib
# Module: mta
#
# Policy common to all email transfer agents.
#
mta = module
# Layer: contrib
# Module: munin
#
# Munin network-wide load graphing (formerly LRRD)
#
munin = module
# Layer: contrib
# Module: mysql
#
# Policy for MySQL
#
mysql = module
# Layer: contrib
# Module: nagios
#
# Net Saint / NAGIOS - network monitoring server
#
nagios = module
# Layer: contrib
# Module: ncftool
#
# Netcf network configuration tool (ncftool).
#
ncftool = module
# Layer: contrib
# Module: nessus
#
# Nessus network scanning daemon
#
nessus = module
# Layer: contrib
# Module: networkmanager
#
# Manager for dynamically switching between networks.
#
networkmanager = module
# Layer: contrib
# Module: nis
#
# Policy for NIS (YP) servers and clients
#
nis = module
# Layer: contrib
# Module: nscd
#
# Name service cache daemon
#
nscd = module
# Layer: contrib
# Module: nsd
#
# Authoritative only name server
#
nsd = module
# Layer: contrib
# Module: nslcd
#
# nslcd - local LDAP name service daemon.
#
nslcd = module
# Layer: contrib
# Module: ntop
#
# Network Top
#
ntop = module
# Layer: contrib
# Module: ntp
#
# Network time protocol daemon
#
ntp = module
# Layer: contrib
# Module: nut
#
# nut - Network UPS Tools
#
nut = module
# Layer: contrib
# Module: nx
#
# NX remote desktop
#
nx = module
# Layer: contrib
# Module: oav
#
# Open AntiVirus scannerdaemon and signature update
#
oav = module
# Layer: contrib
# Module: oddjob
#
# Oddjob provides a mechanism by which unprivileged applications can
# request that specified privileged operations be performed on their
# behalf.
#
oddjob = module
# Layer: contrib
# Module: oident
#
# SELinux policy for Oident daemon.
#
oident = module
# Layer: contrib
# Module: openca
#
# OpenCA - Open Certificate Authority
#
openca = module
# Layer: contrib
# Module: openct
#
# Service for handling smart card readers.
#
openct = module
# Layer: contrib
# Module: openvpn
#
# full-featured SSL VPN solution
#
openvpn = module
# Layer: contrib
# Module: pads
#
# Passive Asset Detection System
#
pads = module
# Layer: contrib
# Module: passenger
#
# Ruby on rails deployment for Apache and Nginx servers.
#
passenger = module
# Layer: contrib
# Module: pcmcia
#
# PCMCIA card management services
#
pcmcia = module
# Layer: contrib
# Module: pcscd
#
# PCSC smart card service
#
pcscd = module
# Layer: contrib
# Module: pegasus
#
# The Open Group Pegasus CIM/WBEM Server.
#
pegasus = module
# Layer: contrib
# Module: perdition
#
# Perdition POP and IMAP proxy
#
perdition = module
# Layer: contrib
# Module: pingd
#
# Pingd of the Whatsup cluster node up/down detection utility
#
pingd = module
# Layer: contrib
# Module: plymouthd
#
# Plymouth graphical boot
#
plymouthd = module
# Layer: contrib
# Module: podsleuth
#
# Podsleuth is a tool to get information about an Apple (TM) iPod (TM)
#
podsleuth = module
# Layer: contrib
# Module: policykit
#
# Policy framework for controlling privileges for system-wide services.
#
policykit = module
# Layer: contrib
# Module: portage
#
# Portage Package Management System. The primary package management and
# distribution system for Gentoo.
#
portage = module
# Layer: contrib
# Module: portmap
#
# RPC port mapping service.
#
portmap = module
# Layer: contrib
# Module: portreserve
#
# Reserve well-known ports in the RPC port range.
#
portreserve = module
# Layer: contrib
# Module: portslave
#
# Portslave terminal server software
#
portslave = module
# Layer: contrib
# Module: postfix
#
# Postfix email server
#
postfix = module
# Layer: contrib
# Module: postfixpolicyd
#
# Postfix policy server
#
postfixpolicyd = module
# Layer: contrib
# Module: postgrey
#
# Postfix grey-listing server
#
postgrey = module
# Layer: contrib
# Module: ppp
#
# Point to Point Protocol daemon creates links in ppp networks
#
ppp = module
# Layer: contrib
# Module: prelink
#
# Prelink ELF shared library mappings.
#
prelink = module
# Layer: contrib
# Module: prelude
#
# Prelude hybrid intrusion detection system
#
prelude = module
# Layer: contrib
# Module: privoxy
#
# Privacy enhancing web proxy.
#
privoxy = module
# Layer: contrib
# Module: procmail
#
# Procmail mail delivery agent
#
procmail = module
# Layer: contrib
# Module: psad
#
# Intrusion Detection and Log Analysis with iptables
#
psad = module
# Layer: contrib
# Module: ptchown
#
# helper function for grantpt(3), changes ownership and permissions of pseudotty
#
ptchown = module
# Layer: contrib
# Module: publicfile
#
# publicfile supplies files to the public through HTTP and FTP
#
publicfile = module
# Layer: contrib
# Module: pulseaudio
#
# Pulseaudio network sound server.
#
pulseaudio = module
# Layer: contrib
# Module: puppet
#
# Puppet client daemon
#
puppet = module
# Layer: contrib
# Module: pxe
#
# Server for the PXE network boot protocol
#
pxe = module
# Layer: contrib
# Module: pyicqt
#
# PyICQt is an ICQ transport for XMPP server.
#
pyicqt = module
# Layer: contrib
# Module: pyzor
#
# Pyzor is a distributed, collaborative spam detection and filtering network.
#
pyzor = module
# Layer: contrib
# Module: qemu
#
# QEMU machine emulator and virtualizer
#
qemu = module
# Layer: contrib
# Module: qmail
#
# Qmail Mail Server
#
qmail = module
# Layer: contrib
# Module: qpid
#
# Apache QPID AMQP messaging server.
#
qpid = module
# Layer: contrib
# Module: quota
#
# File system quota management
#
quota = module
# Layer: contrib
# Module: radius
#
# RADIUS authentication and accounting server.
#
radius = module
# Layer: contrib
# Module: radvd
#
# IPv6 router advertisement daemon
#
radvd = module
# Layer: contrib
# Module: raid
#
# RAID array management tools
#
raid = module
# Layer: contrib
# Module: razor
#
# A distributed, collaborative, spam detection and filtering network.
#
razor = module
# Layer: contrib
# Module: rdisc
#
# Network router discovery daemon
#
rdisc = module
# Layer: contrib
# Module: readahead
#
# Readahead, read files into page cache for improved performance
#
readahead = module
# Layer: contrib
# Module: remotelogin
#
# Policy for rshd, rlogind, and telnetd.
#
remotelogin = module
# Layer: contrib
# Module: resmgr
#
# Resource management daemon
#
resmgr = module
# Layer: contrib
# Module: rgmanager
#
# rgmanager - Resource Group Manager
#
rgmanager = module
# Layer: contrib
# Module: rhcs
#
# RHCS - Red Hat Cluster Suite
#
rhcs = module
# Layer: contrib
# Module: rhgb
#
# Red Hat Graphical Boot
#
rhgb = module
# Layer: contrib
# Module: rhsmcertd
#
# Subscription Management Certificate Daemon policy
#
rhsmcertd = module
# Layer: contrib
# Module: ricci
#
# Ricci cluster management agent
#
ricci = module
# Layer: contrib
# Module: rlogin
#
# Remote login daemon
#
rlogin = module
# Layer: contrib
# Module: roundup
#
# Roundup Issue Tracking System policy
#
roundup = module
# Layer: contrib
# Module: rpc
#
# Remote Procedure Call Daemon for management of network based process communication
#
rpc = module
# Layer: contrib
# Module: rpcbind
#
# Universal Addresses to RPC Program Number Mapper
#
rpcbind = module
# Layer: contrib
# Module: rpm
#
# Policy for the RPM package manager.
#
rpm = module
# Layer: contrib
# Module: rshd
#
# Remote shell service.
#
rshd = module
# Layer: contrib
# Module: rssh
#
# Restricted (scp/sftp) only shell
#
rssh = module
# Layer: contrib
# Module: rsync
#
# Fast incremental file transfer for synchronization
#
rsync = module
# Layer: contrib
# Module: rtkit
#
# Realtime scheduling for user processes.
#
rtkit = module
# Layer: contrib
# Module: rwho
#
# Who is logged in on other machines?
#
rwho = module
# Layer: contrib
# Module: samba
#
# SMB and CIFS client/server programs for UNIX and
# name Service Switch daemon for resolving names
# from Windows NT servers.
#
samba = module
# Layer: contrib
# Module: sambagui
#
# system-config-samba dbus service policy
#
sambagui = module
# Layer: contrib
# Module: samhain
#
# Samhain - check file integrity
#
samhain = module
# Layer: contrib
# Module: sanlock
#
# policy for sanlock
#
sanlock = module
# Layer: contrib
# Module: sasl
#
# SASL authentication server
#
sasl = module
# Layer: contrib
# Module: sblim
#
# policy for SBLIM Gatherer
#
sblim = module
# Layer: contrib
# Module: screen
#
# GNU terminal multiplexer
#
screen = module
# Layer: contrib
# Module: sectoolm
#
# Sectool security audit tool
#
sectoolm = module
# Layer: contrib
# Module: sendmail
#
# Policy for sendmail.
#
sendmail = module
# Layer: contrib
# Module: setroubleshoot
#
# SELinux troubleshooting service
#
setroubleshoot = module
# Layer: contrib
# Module: shorewall
#
# Shoreline Firewall high-level tool for configuring netfilter
#
shorewall = module
# Layer: contrib
# Module: shutdown
#
# System shutdown command
#
shutdown = module
# Layer: contrib
# Module: slocate
#
# Update database for mlocate
#
slocate = module
# Layer: contrib
# Module: slrnpull
#
# Service for downloading news feeds for the slrn newsreader.
#
slrnpull = module
# Layer: contrib
# Module: smartmon
#
# Smart disk monitoring daemon policy
#
smartmon = module
# Layer: contrib
# Module: smokeping
#
# Smokeping network latency measurement.
#
smokeping = module
# Layer: contrib
# Module: smoltclient
#
# The Fedora hardware profiler client
#
smoltclient = module
# Layer: contrib
# Module: snmp
#
# Simple network management protocol services
#
snmp = module
# Layer: contrib
# Module: snort
#
# Snort network intrusion detection system
#
snort = module
# Layer: contrib
# Module: sosreport
#
# sosreport - Generate debugging information for system
#
sosreport = module
# Layer: contrib
# Module: soundserver
#
# sound server for network audio server programs, nasd, yiff, etc
#
soundserver = module
# Layer: contrib
# Module: spamassassin
#
# Filter used for removing unsolicited email.
#
spamassassin = module
# Layer: contrib
# Module: speedtouch
#
# Alcatel speedtouch USB ADSL modem
#
speedtouch = module
# Layer: contrib
# Module: squid
#
# Squid caching http proxy server
#
squid = module
# Layer: contrib
# Module: sssd
#
# System Security Services Daemon
#
sssd = module
# Layer: contrib
# Module: stunnel
#
# SSL Tunneling Proxy
#
stunnel = module
# Layer: contrib
# Module: sxid
#
# SUID/SGID program monitoring
#
sxid = module
# Layer: contrib
# Module: sysstat
#
# Policy for sysstat. Reports on various system states
#
sysstat = module
# Layer: contrib
# Module: tcpd
#
# Policy for TCP daemon.
#
tcpd = module
# Layer: contrib
# Module: tcsd
#
# TSS Core Services (TCS) daemon (tcsd) policy
#
tcsd = module
# Layer: contrib
# Module: telepathy
#
# Telepathy communications framework.
#
telepathy = module
# Layer: contrib
# Module: telnet
#
# Telnet daemon
#
telnet = module
# Layer: contrib
# Module: tftp
#
# Trivial file transfer protocol daemon
#
tftp = module
# Layer: contrib
# Module: tgtd
#
# Linux Target Framework Daemon.
#
tgtd = module
# Layer: contrib
# Module: thunderbird
#
# Thunderbird email client
#
thunderbird = module
# Layer: contrib
# Module: timidity
#
# MIDI to WAV converter and player configured as a service
#
timidity = module
# Layer: contrib
# Module: tmpreaper
#
# Manage temporary directory sizes and file ages
#
tmpreaper = module
# Layer: contrib
# Module: tor
#
# TOR, the onion router
#
tor = module
# Layer: contrib
# Module: transproxy
#
# HTTP transparent proxy
#
transproxy = module
# Layer: contrib
# Module: tripwire
#
# Tripwire file integrity checker.
#
tripwire = module
# Layer: contrib
# Module: tuned
#
# Dynamic adaptive system tuning daemon
#
tuned = module
# Layer: contrib
# Module: tvtime
#
# tvtime - a high quality television application
#
tvtime = module
# Layer: contrib
# Module: tzdata
#
# Time zone updater
#
tzdata = module
# Layer: contrib
# Module: ucspitcp
#
# ucspitcp policy
#
ucspitcp = module
# Layer: contrib
# Module: ulogd
#
# Iptables/netfilter userspace logging daemon.
#
ulogd = module
# Layer: contrib
# Module: uml
#
# Policy for UML
#
uml = module
# Layer: contrib
# Module: updfstab
#
# Red Hat utility to change /etc/fstab.
#
updfstab = module
# Layer: contrib
# Module: uptime
#
# Uptime daemon
#
uptime = module
# Layer: contrib
# Module: usbmodules
#
# List kernel modules of USB devices
#
usbmodules = module
# Layer: contrib
# Module: usbmuxd
#
# USB multiplexing daemon for communicating with Apple iPod Touch and iPhone
#
usbmuxd = module
# Layer: contrib
# Module: userhelper
#
# SELinux utility to run a shell with a new role
#
userhelper = module
# Layer: contrib
# Module: usernetctl
#
# User network interface configuration helper
#
usernetctl = module
# Layer: contrib
# Module: uucp
#
# Unix to Unix Copy
#
uucp = module
# Layer: contrib
# Module: uuidd
#
# policy for uuidd
#
uuidd = module
# Layer: contrib
# Module: uwimap
#
# University of Washington IMAP toolkit POP3 and IMAP mail server
#
uwimap = module
# Layer: contrib
# Module: varnishd
#
# Varnishd http accelerator daemon
#
varnishd = module
# Layer: contrib
# Module: vbetool
#
# run real-mode video BIOS code to alter hardware state
#
vbetool = module
# Layer: contrib
# Module: vdagent
#
# policy for vdagent
#
vdagent = module
# Layer: contrib
# Module: vhostmd
#
# Virtual host metrics daemon
#
vhostmd = module
# Layer: contrib
# Module: virt
#
# Libvirt virtualization API
#
virt = module
# Layer: contrib
# Module: vlock
#
# Lock one or more sessions on the Linux console.
#
vlock = module
# Layer: contrib
# Module: vmware
#
# VMWare Workstation virtual machines
#
vmware = module
# Layer: contrib
# Module: vnstatd
#
# Console network traffic monitor.
#
vnstatd = module
# Layer: contrib
# Module: vpn
#
# Virtual Private Networking client
#
vpn = module
# Layer: contrib
# Module: w3c
#
# W3C Markup Validator
#
w3c = module
# Layer: contrib
# Module: watchdog
#
# Software watchdog
#
watchdog = module
# Layer: contrib
# Module: webadm
#
# Web administrator role
#
webadm = module
# Layer: contrib
# Module: webalizer
#
# Web server log analysis
#
webalizer = module
# Layer: contrib
# Module: wine
#
# Wine Is Not an Emulator. Run Windows programs in Linux.
#
wine = module
# Layer: contrib
# Module: wireshark
#
# Wireshark packet capture tool.
#
wireshark = module
# Layer: contrib
# Module: wm
#
# X Window Managers
#
wm = module
# Layer: contrib
# Module: xen
#
# Xen hypervisor
#
xen = module
# Layer: contrib
# Module: xfs
#
# X Windows Font Server
#
xfs = module
# Layer: contrib
# Module: xguest
#
# Least privilege xwindows user role
#
xguest = module
# Layer: contrib
# Module: xprint
#
# X print server
#
xprint = module
# Layer: contrib
# Module: xscreensaver
#
# X Screensaver
#
xscreensaver = module
# Layer: contrib
# Module: yam
#
# Yum/Apt Mirroring
#
yam = module
# Layer: contrib
# Module: zabbix
#
# Distributed infrastructure monitoring
#
zabbix = module
# Layer: contrib
# Module: zarafa
#
# Zarafa collaboration platform.
#
zarafa = module
# Layer: contrib
# Module: zebra
#
# Zebra border gateway protocol network routing service
#
zebra = module
# Layer: contrib
# Module: zosremote
#
# policy for z/OS Remote-services Audit dispatcher plugin
#
zosremote = module
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Layer: roles
# Module: auditadm
#
# Audit administrator role
#
auditadm = module
# Layer: roles
# Module: logadm
#
# Log administrator role
#
logadm = module
# Layer: roles
# Module: secadm
#
# Security administrator role
#
secadm = module
# Layer: roles
# Module: staff
#
# Administrator's unprivileged user role
#
staff = module
# Layer: roles
# Module: sysadm
#
# General system administration role
#
sysadm = base
# Layer: roles
# Module: unprivuser
#
# Generic unprivileged user role
#
unprivuser = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = module
# Layer: services
# Module: xserver
#
# X Windows Server
#
xserver = module
# Layer: system
# Module: application
#
# Policy for user executable applications.
#
application = base
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = base
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = module
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = module
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = module
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = module
# Layer: system
# Module: hotplug
#
# Policy for hotplug system, for supporting the
# connection and disconnection of devices at runtime.
#
hotplug = module
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = base
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = module
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = base
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = base
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = base
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = module
# Layer: system
# Module: miscfiles
#
# Miscellaneous files.
#
miscfiles = base
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = base
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = module
# Layer: system
# Module: netlabel
#
# NetLabel/CIPSO labeled networking management
#
netlabel = module
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = base
# Layer: system
# Module: setrans
#
# SELinux MLS/MCS label translation service.
#
setrans = module
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = base
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = module
# Layer: system
# Module: unconfined
#
# The unconfined domain.
#
unconfined = module
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = base
* Re: role_fix_callback assertion with sysadm in base
2012-02-09 22:58 role_fix_callback assertion with sysadm in base Martin Orr
@ 2012-02-11 23:52 ` Martin Orr
2012-02-13 5:39 ` Harry Ciao
2012-02-18 15:02 ` role_fix_callback assertion with sysadm in base - base VS loadable module HarryCiao
1 sibling, 1 reply; 8+ messages in thread
From: Martin Orr @ 2012-02-11 23:52 UTC (permalink / raw)
To: SE-Linux
On Thu 9 Feb 22:58:47 2012, Martin Orr wrote:
> I tried to build latest git refpolicy (6da98efd) using latest
> checkpolicy and libsepol (339f8079) with the attached modules.conf.
> In particular this puts sysadm into base.pp, and minimal other
> things. I get the following error.
It turns out that this is not just an issue with base vs modules. If
I build refpolicy with the default modules.conf and try to install the
same set of modules as I built into base previously, then semodule
fails with the same error, whether I use TYPE = standard or mcs.
$ sudo semodule $(sudo semodule -l | awk '{ print "-r "$1 }') -b
base.pp -i storage.pp sysadm.pp application.pp authlogin.pp init.pp
libraries.pp locallogin.pp logging.pp miscfiles.pp modutils.pp
selinuxutil.pp sysnetwork.pp userdomain.pp
semodule: expand.c:700: role_fix_callback: Assertion `new_role !=
((void *)0) && new_role->flavor == 1' failed.
It works if I add enough modules that all role attributes "require"d
by optional blocks are present, i.e. the following command, provided I
am using an mcs policy. It seg faults if using a standard policy.
$ sudo semodule $(sudo semodule -l | awk '{ print "-r "$1 }') -b
base.pp -i storage.pp sysadm.pp application.pp authlogin.pp init.pp
libraries.pp locallogin.pp logging.pp miscfiles.pp modutils.pp
selinuxutil.pp sysnetwork.pp userdomain.pp portage.pp rsync.pp
consoletype.pp usermanage.pp usernetctl.pp bootloader.pp dpkg.pp
iptables.pp modutils.pp mount.pp rpm.pp sysnetwork.pp vpn.pp ppp.pp
It appears that requiring role attributes does not work correctly.
The seg fault with a non-mcs policy may be an independent problem.
--
Martin Orr
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: role_fix_callback assertion with sysadm in base
2012-02-11 23:52 ` Martin Orr
@ 2012-02-13 5:39 ` Harry Ciao
0 siblings, 0 replies; 8+ messages in thread
From: Harry Ciao @ 2012-02-13 5:39 UTC (permalink / raw)
To: Martin Orr; +Cc: SE-Linux
This issue was discovered months ago, it seg faults when the "level" of
a security context is NULL, which explains why it disappears when
building mcs or mls types of policy. BTW, this problem could be worked
around by specifying "disable-genhomedircon = true" in your semanage.conf.
Thanks,
Harry
On 02/12/2012 07:52 AM, Martin Orr wrote:
> The seg fault with a non-mcs policy may be an independent problem.
* RE: role_fix_callback assertion with sysadm in base - base VS loadable module
2012-02-09 22:58 role_fix_callback assertion with sysadm in base Martin Orr
2012-02-11 23:52 ` Martin Orr
@ 2012-02-18 15:02 ` HarryCiao
2012-02-22 23:22 ` Martin Orr
1 sibling, 1 reply; 8+ messages in thread
From: HarryCiao @ 2012-02-18 15:02 UTC (permalink / raw)
To: martin, selinux
So far I am not 100% sure, but I am extra sure that certain cautions must be taken when requiring a module to be built into base.pp rather than as loadable module. In particular, while building the base module the "self_contained_policy" macro is defined, exactly the same as when building a monolithic policy image, which will influence if the gen_require() macro would be properly expanded to the "require" keyword. Below is the definition of the gen_require() macro:
define(`gen_require',`
ifdef(`self_contained_policy',`
ifdef(`__in_optional_policy',`
require {
$1
} # end require
')
',`
require {
$1
} # end require
')
')
Here we can clearly see that if the "self_contained_policy" is defined, ONLY WHEN the "__in_optional_policy" is also defined, would gen_require() be expanded to the require keyword. BTW, "__in_optional_policy" is defined only within an optional_policy() block.
That's why I take it for granted that you would have to include the actual definition of a role attribute along with the module that requires it into the base module.
Cheers,
Harry
> Date: Thu, 9 Feb 2012 22:58:47 +0000
> From: martin@martinorr.name
> To: selinux@tycho.nsa.gov
> Subject: role_fix_callback assertion with sysadm in base
>
> I tried to build latest git refpolicy (6da98efd) using latest
> checkpolicy and libsepol (339f8079) with the attached modules.conf.
> In particular this puts sysadm into base.pp, and minimal other things.
> I get the following error.
>
> Compiling refpolicy base module
> /usr/bin/checkmodule base.conf -o tmp/base.mod
> /usr/bin/checkmodule: loading policy configuration from base.conf
> checkmodule: expand.c:700: role_fix_callback: Assertion `new_role !=
> ((void *)0) && new_role->flavor == 1' failed.
> make: *** [tmp/base.mod] Aborted
>
> --
> Martin Orr
* Re: role_fix_callback assertion with sysadm in base - base VS loadable module
2012-02-18 15:02 ` role_fix_callback assertion with sysadm in base - base VS loadable module HarryCiao
@ 2012-02-22 23:22 ` Martin Orr
2012-02-23 10:22 ` Harry Ciao
0 siblings, 1 reply; 8+ messages in thread
From: Martin Orr @ 2012-02-22 23:22 UTC (permalink / raw)
To: HarryCiao; +Cc: selinux
Sorry, I failed to make it clear that the requires causing problems are
in optional blocks.
Perhaps it might make it clearer if I remove the refpolicy machinery.
Ignore everything below except the attribute_role stuff - the rest is
just needed to get something which compiles.
In each case, the base module optionally requires the role attribute
foo. This works if the attribute is defined in the base but not
otherwise. Both examples work if foo is a type instead of an
attribute_role.
$ cat x.te
class file
sid kernel
class file {
read
}
optional {
require {
attribute_role foo;
}
}
type kernel_t;
user system_u roles { object_r };
sid kernel system_u:object_r:kernel_t
$ checkmodule x.te
checkmodule: loading policy configuration from x.te
checkmodule: expand.c:700: role_fix_callback: Assertion `new_role != ((void *)0) && new_role->flavor == 1' failed.
Aborted
$ cat y.te
class file
sid kernel
class file {
read
}
attribute_role foo;
optional {
require {
attribute_role foo;
}
}
type kernel_t;
user system_u roles { object_r };
sid kernel system_u:object_r:kernel_t
$ checkmodule y.te
checkmodule: loading policy configuration from y.te
checkmodule: policy configuration loaded
On Sat, Feb 18, 2012 at 03:02:23PM +0000, HarryCiao wrote:
>
> So far I am not 100% sure, but I am extra sure that certain cautions
> must be taken when requiring a module to be built into base.pp rather
> than as loadable module. In particular, while building the base module
> the "self_contained_policy" macro is defined, exactly the same as when
> building a monolithic policy image, which will influence if the
> gen_require() macro would be properly expanded to the "require"
> keyword. Below is the definition of the gen_require() macro:
>
> define(`gen_require',`
> ifdef(`self_contained_policy',`
> ifdef(`__in_optional_policy',`
> require {
> $1
> } # end require
> ')
> ',`
> require {
> $1
> } # end require
> ')
> ')
>
> Where we can clearly see that if the "self_contained_policy" is
> defined, ONLY WHEN the "__in_optional_policy" is also defined, would
> gen_require() be expanded to the require keyword. BTW,
> "__in_optional_policy" is defined only within an optional_policy()
> block.
>
> That's why I take it for granted that you would have to include the
> actual definition of a role attribute along with the module that
> requires it into the base module.
>
> Cheers,
> Harry
>
>
> > Date: Thu, 9 Feb 2012 22:58:47 +0000
> > From: martin@martinorr.name
> > To: selinux@tycho.nsa.gov
> > Subject: role_fix_callback assertion with sysadm in base
> >
> > I tried to build latest git refpolicy (6da98efd) using latest
> > checkpolicy and libsepol (339f8079) with the attached modules.conf.
> > In particular this puts sysadm into base.pp, and minimal other things.
> > I get the following error.
> >
> > Compiling refpolicy base module
> > /usr/bin/checkmodule base.conf -o tmp/base.mod
> > /usr/bin/checkmodule: loading policy configuration from base.conf
> > checkmodule: expand.c:700: role_fix_callback: Assertion `new_role !=
> > ((void *)0) && new_role->flavor == 1' failed.
> > make: *** [tmp/base.mod] Aborted
> >
> > --
> > Martin Orr
>
--
Martin Orr
* Re: role_fix_callback assertion with sysadm in base - base VS loadable module
2012-02-22 23:22 ` Martin Orr
@ 2012-02-23 10:22 ` Harry Ciao
2012-02-24 1:31 ` Harry Ciao
2012-02-24 7:29 ` Harry Ciao
0 siblings, 2 replies; 8+ messages in thread
From: Harry Ciao @ 2012-02-23 10:22 UTC (permalink / raw)
To: Martin Orr; +Cc: selinux
Hi Martin,
On 02/23/2012 07:22 AM, Martin Orr wrote:
> Sorry, I failed to make it clear that the requires causing problems are
> in optional blocks.
>
> Perhaps it might make it clearer if I remove the refpolicy machinery.
> Ignore everything below except the attribute_role stuff - the rest is
> just needed to get something which compiles.
>
> In each case, the base module optionally requires the role attribute
> foo. This works if the attribute is defined in the base but not
> otherwise. Both examples work if foo is a type instead of an
> attribute_role.
No comments about why if foo is a type attribute then its declaration
could be optional (not momentarily required) in the base module.
Hypothetically, base module should be self-contained so that other
modules could add on top of it.
(Perhaps this is a toolchain bug, but I am not sure, need more time to
understand why link_modules() failed to find this undeclared symbol)
> $ cat x.te
> class file
> sid kernel
> class file {
> read
> }
>
> optional {
> require {
> attribute_role foo;
> }
> }
>
> type kernel_t;
> user system_u roles { object_r };
> sid kernel system_u:object_r:kernel_t
>
> $ checkmodule x.te
> checkmodule: loading policy configuration from x.te
> checkmodule: expand.c:700: role_fix_callback: Assertion `new_role != ((void *)0)&& new_role->flavor == 1' failed.
> Aborted
If you break the above assertion into two parts, you will see that it aborts
at the criterion of
new_role != ((void *)0)
The reason is that during expansion any undeclared role identifiers
would be skipped (see role_copy_callback > is_id_enabled, which will
return 0 if it fails to find a SCOPE_DECL type of scope_datum_t for the
current identifier), with the result that the foo attribute won't even be
properly copied from the base module to the out module.
Finally, expand_module > role_fix_callback will find that the foo identifier
does not exist in the out.p_roles hashtab; that's exactly how the above
assertion fails.
Last but not least, if you want to build a loadable module, the "-m"
option would have to be used for checkmodule, otherwise it will try to
build a base module by default and then tries to call link_modules() and
expand_module(), which makes no sense for loadable modules.
Thanks,
Harry
> $ cat y.te
> class file
> sid kernel
> class file {
> read
> }
>
> attribute_role foo;
> optional {
> require {
> attribute_role foo;
> }
> }
>
> type kernel_t;
> user system_u roles { object_r };
> sid kernel system_u:object_r:kernel_t
>
> $ checkmodule y.te
> checkmodule: loading policy configuration from y.te
> checkmodule: policy configuration loaded
>
> On Sat, Feb 18, 2012 at 03:02:23PM +0000, HarryCiao wrote:
>> So far I am not 100% sure, but I am extra sure that certain cautions
>> must be taken when requiring a module to be built into base.pp rather
>> than as loadable module. In particular, while building the base module
>> the "self_contained_policy" macro is defined, exactly the same as when
>> building a monolithic policy image, which will influence if the
>> gen_require() macro would be properly expanded to the "require"
>> keyword. Below is the definition of the gen_require() macro:
>>
>> define(`gen_require',`
>> ifdef(`self_contained_policy',`
>> ifdef(`__in_optional_policy',`
>> require {
>> $1
>> } # end require
>> ')
>> ',`
>> require {
>> $1
>> } # end require
>> ')
>> ')
>>
>> Where we can clearly see that if the "self_contained_policy" is
>> defined, ONLY WHEN the "__in_optional_policy" is also defined, would
>> gen_require() be expanded to the require keyword. BTW,
>> "__in_optional_policy" is defined only within an optional_policy()
>> block.
>>
>> That's why I take it for granted that you would have to include the
>> actual definition of a role attribute along with the module that
>> requires it into the base module.
>>
>> Cheers,
>> Harry
>>
>>
>>> Date: Thu, 9 Feb 2012 22:58:47 +0000
>>> From: martin@martinorr.name
>>> To: selinux@tycho.nsa.gov
>>> Subject: role_fix_callback assertion with sysadm in base
>>>
>>> I tried to build latest git refpolicy (6da98efd) using latest
>>> checkpolicy and libsepol (339f8079) with the attached modules.conf.
>>> In particular this puts sysadm into base.pp, and minimal other things.
>>> I get the following error.
>>>
>>> Compiling refpolicy base module
>>> /usr/bin/checkmodule base.conf -o tmp/base.mod
>>> /usr/bin/checkmodule: loading policy configuration from base.conf
>>> checkmodule: expand.c:700: role_fix_callback: Assertion `new_role !=
>>> ((void *)0)&& new_role->flavor == 1' failed.
>>> make: *** [tmp/base.mod] Aborted
>>>
>>> --
>>> Martin Orr
>>
* Re: role_fix_callback assertion with sysadm in base - base VS loadable module
2012-02-23 10:22 ` Harry Ciao
@ 2012-02-24 1:31 ` Harry Ciao
2012-02-24 7:29 ` Harry Ciao
1 sibling, 0 replies; 8+ messages in thread
From: Harry Ciao @ 2012-02-24 1:31 UTC (permalink / raw)
To: Martin Orr; +Cc: qingtao.cao, selinux
Hi Martin,
Later last night I came to realize that even the base module could
have some exterior references as long as they are in an optional block.
I need some time to dive into the source code to see how symbols
required in an optional block are handled during link & expansion and
get back to you about how we could improve the situation here.
Thanks,
Harry
On 02/23/2012 06:22 PM, Harry Ciao wrote:
> Hi Martin,
>
> On 02/23/2012 07:22 AM, Martin Orr wrote:
>> Sorry, I failed to make it clear that the requires causing problems are
>> in optional blocks.
>>
>> Perhaps it might make it clearer if I remove the refpolicy machinery.
>> Ignore everything below except the attribute_role stuff - the rest is
>> just needed to get something which compiles.
>>
>> In each case, the base module optionally requires the role attribute
>> foo. This works if the attribute is defined in the base but not
>> otherwise. Both examples work if foo is a type instead of an
>> attribute_role.
>
> No comments about why if foo is a type attribute then its declaration
> could be optional (not momentarily required) in the base module.
> Hypothetically, base module should be self-contained so that other
> modules could add on top of it.
>
> (Perhaps this is a toolchain bug, but I am not sure, need more time to
> understand why link_modules() failed to find this undeclared symbol)
>
>> $ cat x.te
>> class file
>> sid kernel
>> class file {
>> read
>> }
>>
>> optional {
>> require {
>> attribute_role foo;
>> }
>> }
>>
>> type kernel_t;
>> user system_u roles { object_r };
>> sid kernel system_u:object_r:kernel_t
>>
>> $ checkmodule x.te
>> checkmodule: loading policy configuration from x.te
>> checkmodule: expand.c:700: role_fix_callback: Assertion `new_role !=
>> ((void *)0)&& new_role->flavor == 1' failed.
>> Aborted
>
> If you break the above assertion into two parts, you will see that it
> aborts at the criterion of
>
> new_role != ((void *)0)
>
>
> The reason is that during expansion any undeclared role identifiers
> would be skipped (see role_copy_callback > is_id_enabled, which will
> return 0 if it fails to find a SCOPE_DECL type of scope_datum_t for
> the current identifier), with the result that the foo attribute won't
> even be properly copied from the base module to the out module.
>
> Finally, expand_module > role_fix_callback will find that the foo
> identifier does not exist in the out.p_roles hashtab; that's exactly
> how the above assertion fails.
>
> Last but not least, if you want to build a loadable module, the "-m"
> option would have to be used for checkmodule, otherwise it will try to
> build a base module by default and then tries to call link_modules()
> and expand_module(), which makes no sense for loadable modules.
>
> Thanks,
> Harry
>
>> $ cat y.te
>> class file
>> sid kernel
>> class file {
>> read
>> }
>>
>> attribute_role foo;
>> optional {
>> require {
>> attribute_role foo;
>> }
>> }
>>
>> type kernel_t;
>> user system_u roles { object_r };
>> sid kernel system_u:object_r:kernel_t
>>
>> $ checkmodule y.te
>> checkmodule: loading policy configuration from y.te
>> checkmodule: policy configuration loaded
>>
>> On Sat, Feb 18, 2012 at 03:02:23PM +0000, HarryCiao wrote:
>>> So far I am not 100% sure, but I am extra sure that certain cautions
>>> must be taken when requiring a module to be built into base.pp rather
>>> than as loadable module. In particular, while building the base module
>>> the "self_contained_policy" macro is defined, exactly the same as when
>>> building a monolithic policy image, which will influence if the
>>> gen_require() macro would be properly expanded to the "require"
>>> keyword. Below is the definition of the gen_require() macro:
>>>
>>> define(`gen_require',`
>>> ifdef(`self_contained_policy',`
>>> ifdef(`__in_optional_policy',`
>>> require {
>>> $1
>>> } # end require
>>> ')
>>> ',`
>>> require {
>>> $1
>>> } # end require
>>> ')
>>> ')
>>>
>>> Where we can clearly see that if the "self_contained_policy" is
>>> defined, ONLY WHEN the "__in_optional_policy" is also defined, would
>>> gen_require() be expanded to the require keyword. BTW,
>>> "__in_optional_policy" is defined only within an optional_policy()
>>> block.
>>>
>>> That's why I take it for granted that you would have to include the
>>> actual definition of a role attribute along with the module that
>>> requires it into the base module.
>>>
>>> Cheers,
>>> Harry
>>>
>>>
>>>> Date: Thu, 9 Feb 2012 22:58:47 +0000
>>>> From: martin@martinorr.name
>>>> To: selinux@tycho.nsa.gov
>>>> Subject: role_fix_callback assertion with sysadm in base
>>>>
>>>> I tried to build latest git refpolicy (6da98efd) using latest
>>>> checkpolicy and libsepol (339f8079) with the attached modules.conf.
>>>> In particular this puts sysadm into base.pp, and minimal other things.
>>>> I get the following error.
>>>>
>>>> Compiling refpolicy base module
>>>> /usr/bin/checkmodule base.conf -o tmp/base.mod
>>>> /usr/bin/checkmodule: loading policy configuration from base.conf
>>>> checkmodule: expand.c:700: role_fix_callback: Assertion `new_role !=
>>>> ((void *)0)&& new_role->flavor == 1' failed.
>>>> make: *** [tmp/base.mod] Aborted
>>>>
>>>> --
>>>> Martin Orr
>>>
>
* Re: role_fix_callback assertion with sysadm in base - base VS loadable module
2012-02-23 10:22 ` Harry Ciao
2012-02-24 1:31 ` Harry Ciao
@ 2012-02-24 7:29 ` Harry Ciao
1 sibling, 0 replies; 8+ messages in thread
From: Harry Ciao @ 2012-02-24 7:29 UTC (permalink / raw)
To: Martin Orr; +Cc: selinux
I have come up with a fix for this issue, and there are also some comments I
would like to share with you; see my comments below.
On 02/23/2012 06:22 PM, Harry Ciao wrote:
> Hi Martin,
>
> On 02/23/2012 07:22 AM, Martin Orr wrote:
>> Sorry, I failed to make it clear that the requires causing problems are
>> in optional blocks.
>>
>> Perhaps it might make it clearer if I remove the refpolicy machinery.
>> Ignore everything below except the attribute_role stuff - the rest is
>> just needed to get something which compiles.
>>
>> In each case, the base module optionally requires the role attribute
>> foo. This works if the attribute is defined in the base but not
>> otherwise. Both examples work if foo is a type instead of an
>> attribute_role.
>
> No comments about why if foo is a type attribute then its declaration
> could be optional (not momentarily required) in the base module.
> Hypothetically, base module should be self-contained so that other
> modules could add on top of it.
>
> (Perhaps this is a toolchain bug, but I am not sure, need more time to
> understand why link_modules() failed to find this undeclared symbol)
When building a loadable module, no link and expansion would be
involved, and the symbol table and rules of an optional block (to be
precise, the enabled decl of the block) will be written to its .pp file.
However, things are different for the base module, the compiling of
which requires link and expansion.
During expansion, all out-of-scope symbols will be skipped over, as are
the rules of an optional block if any of its required symbols is
out-of-scope, which means such an optional block will NOT be written into
base.pp at all.
>
>> $ cat x.te
>> class file
>> sid kernel
>> class file {
>> read
>> }
>>
>> optional {
>> require {
>> attribute_role foo;
>> }
>> }
>>
>> type kernel_t;
>> user system_u roles { object_r };
>> sid kernel system_u:object_r:kernel_t
>>
>> $ checkmodule x.te
>> checkmodule: loading policy configuration from x.te
>> checkmodule: expand.c:700: role_fix_callback: Assertion `new_role !=
>> ((void *)0)&& new_role->flavor == 1' failed.
>> Aborted
>
> If you break the above assertion into two parts, you will see that it
> aborts at the criterion of
>
> new_role != ((void *)0)
>
>
> The reason is that during expansion any undeclared role identifiers
> would be skipped (see role_copy_callback > is_id_enabled, which will
> return 0 if it fails to find a SCOPE_DECL type of scope_datum_t for
> the current identifier), with the result that the foo attribute won't
> even be properly copied from the base module to the out module.
>
> Finally, expand_module > role_fix_callback will find that the foo
> identifier does not exist in the out.p_roles hashtab; that's exactly
> how the above assertion fails.
The fix for this problem is easy. Since role_copy_callback will skip
out-of-scope roles, role_fix_callback should skip them too. The simple
patch has been posted to the mailing list.
Moreover, as I mentioned before, an optional block whose required
symbols are not properly declared will be omitted during expansion, so the
base module generated from the above x.te example won't work as expected.
Thanks for prompting me to think this through.
Cheers,
Harry
>
> Last but not least, if you want to build a loadable module, the "-m"
> option would have to be used for checkmodule, otherwise it will try to
> build a base module by default and then tries to call link_modules()
> and expand_module(), which makes no sense for loadable modules.
>
> Thanks,
> Harry
>
>> $ cat y.te
>> class file
>> sid kernel
>> class file {
>> read
>> }
>>
>> attribute_role foo;
>> optional {
>> require {
>> attribute_role foo;
>> }
>> }
>>
>> type kernel_t;
>> user system_u roles { object_r };
>> sid kernel system_u:object_r:kernel_t
>>
>> $ checkmodule y.te
>> checkmodule: loading policy configuration from y.te
>> checkmodule: policy configuration loaded
>>
>> On Sat, Feb 18, 2012 at 03:02:23PM +0000, HarryCiao wrote:
>>> So far I am not 100% sure, but I am extra sure that certain cautions
>>> must be taken when requiring a module to be built into base.pp rather
>>> than as loadable module. In particular, while building the base module
>>> the "self_contained_policy" macro is defined, exactly the same as when
>>> building a monolithic policy image, which will influence if the
>>> gen_require() macro would be properly expanded to the "require"
>>> keyword. Below is the definition of the gen_require() macro:
>>>
>>> define(`gen_require',`
>>> ifdef(`self_contained_policy',`
>>> ifdef(`__in_optional_policy',`
>>> require {
>>> $1
>>> } # end require
>>> ')
>>> ',`
>>> require {
>>> $1
>>> } # end require
>>> ')
>>> ')
>>>
>>> Where we can clearly see that if the "self_contained_policy" is
>>> defined, ONLY WHEN the "__in_optional_policy" is also defined, would
>>> gen_require() be expanded to the require keyword. BTW,
>>> "__in_optional_policy" is defined only within an optional_policy()
>>> block.
>>>
>>> That's why I take it for granted that you would have to include the
>>> actual definition of a role attribute along with the module that
>>> requires it into the base module.
>>>
>>> Cheers,
>>> Harry
>>>
>>>
>>>> Date: Thu, 9 Feb 2012 22:58:47 +0000
>>>> From: martin@martinorr.name
>>>> To: selinux@tycho.nsa.gov
>>>> Subject: role_fix_callback assertion with sysadm in base
>>>>
>>>> I tried to build latest git refpolicy (6da98efd) using latest
>>>> checkpolicy and libsepol (339f8079) with the attached modules.conf.
>>>> In particular this puts sysadm into base.pp, and minimal other things.
>>>> I get the following error.
>>>>
>>>> Compiling refpolicy base module
>>>> /usr/bin/checkmodule base.conf -o tmp/base.mod
>>>> /usr/bin/checkmodule: loading policy configuration from base.conf
>>>> checkmodule: expand.c:700: role_fix_callback: Assertion `new_role !=
>>>> ((void *)0)&& new_role->flavor == 1' failed.
>>>> make: *** [tmp/base.mod] Aborted
>>>>
>>>> --
>>>> Martin Orr
>>>
>
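The scope handling Harry describes in the last two messages (role_copy_callback skipping identifiers that is_id_enabled reports as out of scope, role_fix_callback then asserting on the missing entry, and the whole optional block being disabled), together with his earlier point that `checkmodule -m` skips link and expansion, as an added illustration in Python. This is not code from the thread or from libsepol; it is a deliberately small model of the behaviour. The `Module`, `OptionalBlock` and `Symbol` classes, the `FOO_MODULE` loadable module, the `X_TYPE_BASE` variant and the rule label placed inside the optional block are all constructed for the example; only the shapes of x.te and y.te and the skip-versus-assert behaviour come from the thread.

```python
"""Toy model of libsepol's link-and-expand scoping for require'd symbols.

Added illustration for this thread, not code from libsepol or from either
poster. When a base module is expanded, an identifier that is only
require'd (declared by no linked module) is out of scope: role_copy_callback
skips it and role_fix_callback then cannot find it in the output role table.
Class and function names are simplifications of the real ones, not their API.
"""
from dataclasses import dataclass, field

SCOPE_DECL, SCOPE_REQ = "decl", "req"
ROLE_KINDS = {"role", "attribute_role"}


@dataclass
class OptionalBlock:
    requires: dict   # identifier -> kind, e.g. {"foo": "attribute_role"}
    rules: list      # opaque labels standing in for the rules in the block


@dataclass
class Module:
    name: str
    declared: dict = field(default_factory=dict)   # identifier -> kind
    optionals: list = field(default_factory=list)


@dataclass
class Symbol:
    kind: str
    scopes: set = field(default_factory=set)


class RoleFixAssertion(AssertionError):
    """Stands in for the `new_role != NULL` assertion in expand.c."""


def is_id_enabled(sym):
    # The real is_id_enabled() looks for a SCOPE_DECL scope_datum_t; an
    # identifier that only has SCOPE_REQ entries is out of scope.
    return SCOPE_DECL in sym.scopes


def link_modules(modules):
    """Merge every module's declarations and requirements into one symtab."""
    symtab = {}
    for mod in modules:
        for name, kind in mod.declared.items():
            symtab.setdefault(name, Symbol(kind)).scopes.add(SCOPE_DECL)
        for opt in mod.optionals:
            for name, kind in opt.requires.items():
                symtab.setdefault(name, Symbol(kind)).scopes.add(SCOPE_REQ)
    return symtab


def expand_module(modules, fixed):
    """Return (enabled_rules, dropped_rules) after link + expand.

    fixed=False reproduces the abort from the thread; fixed=True applies the
    behaviour of Harry's patch: role_fix_callback skips the out-of-scope
    roles that role_copy_callback already skipped.
    """
    symtab = link_modules(modules)
    # role_copy_callback: only in-scope roles are copied to the out policy.
    out_roles = {n: s for n, s in symtab.items()
                 if s.kind in ROLE_KINDS and is_id_enabled(s)}
    # role_fix_callback: walks every role identifier the linked symtab knows.
    for name, sym in symtab.items():
        if sym.kind not in ROLE_KINDS:
            continue
        if fixed and not is_id_enabled(sym):
            continue
        if out_roles.get(name) is None:
            raise RoleFixAssertion(f"role_fix_callback: {name!r} not in out.p_roles")
    # An optional block stays enabled only if every required symbol is in
    # scope; otherwise its rules are dropped without any diagnostic.
    enabled, dropped = [], []
    for mod in modules:
        for opt in mod.optionals:
            in_scope = all(is_id_enabled(symtab[n]) for n in opt.requires)
            (enabled if in_scope else dropped).extend(opt.rules)
    return enabled, dropped


def base_build_aborts(modules, fixed=False):
    """True if expanding these modules as a base policy hits the assertion."""
    try:
        expand_module(modules, fixed)
    except RoleFixAssertion:
        return True
    return False


def build_loadable(mod):
    """checkmodule -m path: no link/expand, so optional blocks are emitted
    with their require lists intact and resolved later by semodule."""
    return [(dict(opt.requires), list(opt.rules)) for opt in mod.optionals]


# Constructed inputs mirroring x.te and y.te from the thread. The rule label
# inside the optional block is an assumption (the posted x.te block is empty).
OPT_NEEDS_FOO = OptionalBlock({"foo": "attribute_role"}, ["rules-that-use-foo"])
X_BASE = Module("x", {"kernel_t": "type", "object_r": "role"}, [OPT_NEEDS_FOO])
Y_BASE = Module("y", {"kernel_t": "type", "object_r": "role",
                      "foo": "attribute_role"}, [OPT_NEEDS_FOO])
# Hypothetical loadable module that actually declares the role attribute.
FOO_MODULE = Module("foomod", {"foo": "attribute_role"})
# Martin's observation: the same block with foo as a type never aborts.
X_TYPE_BASE = Module("x_type", {"kernel_t": "type", "object_r": "role"},
                     [OptionalBlock({"foo": "type"}, ["rules-that-use-foo"])])

if __name__ == "__main__":
    print("x.te as base, unpatched aborts:", base_build_aborts([X_BASE]))
    print("x.te as base, patched:", expand_module([X_BASE], fixed=True))
    print("y.te as base:", expand_module([Y_BASE], fixed=False))
    print("x + module declaring foo:", expand_module([X_BASE, FOO_MODULE], fixed=False))
    print("x.te with checkmodule -m:", build_loadable(X_BASE))
```

The practical check this model makes visible: once role_fix_callback skips out-of-scope roles, a base module whose optional block requires an undeclared role attribute builds cleanly but, in this model, the block's rules are silently dropped rather than granted. The two ways to keep the block are the ones the thread already points at: declare the attribute in the base module itself (the y.te shape), or link the declaring module into the same policy, which is what Martin saw working when he installed enough modules for every required role attribute to be present.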