From: nicolas.iooss@m4x.org (Nicolas Iooss)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Some already-fixed bugs (was: Re: [PATCH] Fix minor typo in init.if)
Date: Wed, 10 Sep 2014 21:53:45 +0200
Message-ID: <5410AC49.8010102@m4x.org>
In-Reply-To: <540EF681.208@tresys.com>

2014-09-09 14:45 GMT+02:00 Christopher J. PeBenito:
> On 9/8/2014 6:46 PM, Nicolas Iooss wrote:
>> Tonight I had the idea of using travis-ci.org to automate some kind of
>> testing. This free service can basically watch public Github
>> repositories and run tests after every commit. I ran tests in some
>> configurations [1] and every test case failed.
>>
>> The monolithic build fails with [2]:
>>
>> /usr/bin/checkpolicy -U deny policy.conf -o policy.26
>> /usr/bin/checkpolicy: loading policy configuration from policy.conf
>> checkpolicy: expand.c:721: role_fix_callback: Assertion `regular_role
>> != ((void *)0) && regular_role->flavor == 0' failed.
>> make: *** [policy.26] Aborted
>>
>> [SNIP]
>
> I'd have to look at the code to better understand what the assertion means.
>
> Are you using HEAD version of refpolicy and HEAD refpolicy-contrib? I'm
> not able to reproduce any build errors.
>

I am not able to reproduce this assertion failure on a Debian Jessie
system using the 2.3 toolchain. travis-ci.org uses Ubuntu 12.04 LTS
Server Edition [1] and therefore the 2.1 toolchain [2][3]. As far as I
understand, this means that the "assertion failure bug" has already been
fixed. I was using HEAD version of both refpolicy and refpolicy-contrib
when the bug happened.

While speaking about a bug which has already been fixed, this command
fails with the 2.3 toolchain on Debian Jessie when building the
reference policy from HEAD (without the Debian patches):

$ semodule_link -o tmp/test.lnk base.pp storage.pp sysadm.pp \
application.pp authlogin.pp init.pp libraries.pp locallogin.pp \
logging.pp lvm.pp miscfiles.pp modutils.pp mount.pp selinuxutil.pp \
sysnetwork.pp userdomain.pp && semodule_expand tmp/test.lnk \
tmp/policy.bin
semodule_link: loading package from file base.pp
semodule_link: loading package from file storage.pp
semodule_link: loading package from file sysadm.pp
semodule_link: loading package from file application.pp
semodule_link: loading package from file authlogin.pp
semodule_link: loading package from file init.pp
semodule_link: loading package from file libraries.pp
semodule_link: loading package from file locallogin.pp
semodule_link: loading package from file logging.pp
semodule_link: loading package from file lvm.pp
semodule_link: loading package from file miscfiles.pp
semodule_link: loading package from file modutils.pp
semodule_link: loading package from file mount.pp
semodule_link: loading package from file selinuxutil.pp
semodule_link: loading package from file sysnetwork.pp
semodule_link: loading package from file userdomain.pp
libsepol.sepol_module_package_read: invalid module in module package
(at section 0)
semodule_expand: Error in reading package from tmp/test.lnk

The error message is quite tricky to understand...

What's interesting is that the command succeeds when:
* removing lvm.pp from the list,
* removing "virt_manage_images(lvm_t)" from system/lvm.te [4],
* adding virt.pp and its required dependencies (mta.pp qemu.pp clock.pp),
* removing the two tunable_policy blocks from virt_manage_images
interface [5].

In short it seems an impossible-to-understand error message happens to
be printed when linking a policy module which defines an optional_policy
block that requires a tunable which is not defined (or defined in a
not-included module).

This is an already-fixed bug as using programs from SELinux Userspace
Release 2014-08-26-rc2 (with policycoreutils 2.4-rc2) works fine here.

Cheers,
Nicolas

[1] http://docs.travis-ci.com/user/ci-environment/
[2] http://packages.ubuntu.com/en/precise/checkpolicy
[3] http://packages.ubuntu.com/en/precise/libsepol1
[4] https://github.com/TresysTechnology/refpolicy/blob/1743984bafd19d093d29923ce7717a15f2b2a965/policy/modules/system/lvm.te#L350
[5] https://github.com/TresysTechnology/refpolicy-contrib/blob/21f961a147a9a08583825bdbe7cce43cf8fdc43d/virt.if#L1107
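
The manual isolation described in the message (dropping one module from the list until link and expand succeed) can be scripted. This is an added example, not part of the original message or of refpolicy; the names find_culprits, link_and_expand and the CHECK hook are hypothetical, and it assumes the .pp files sit in the current directory as in the quoted command.

```shell
#!/bin/sh
# Leave-one-out isolation of the module that breaks link + expand.
# Added example: function names and the CHECK hook are hypothetical.

# Default check: the link + expand pipeline quoted in the message,
# with the tools' output silenced so only the verdict remains.
link_and_expand() {
    mkdir -p tmp &&
    semodule_link -o tmp/test.lnk "$@" >/dev/null 2>&1 &&
    semodule_expand tmp/test.lnk tmp/policy.bin >/dev/null 2>&1
}

# CHECK names the command used to judge a module set; override it to
# dry-run the search without the SELinux userspace tools installed.
CHECK=${CHECK:-link_and_expand}

# find_culprits BASE MODULE...
# Prints every non-base module whose removal turns the failing set into
# a passing one. Returns 2 when the full set already passes.
find_culprits() {
    base=$1
    shift
    if "$CHECK" "$base" "$@"; then
        return 2
    fi
    for skip in "$@"; do
        remaining=
        for m in "$@"; do
            [ "$m" = "$skip" ] || remaining="$remaining $m"
        done
        # Word splitting is intended: module file names have no spaces.
        # Removing a module that others depend on fails to link, so
        # plain dependencies are never reported.
        if "$CHECK" "$base" $remaining; then
            echo "$skip"
        fi
    done
    return 0
}

# Run directly as: ./isolate.sh base.pp storage.pp sysadm.pp ...
if [ "$#" -gt 0 ]; then
    find_culprits "$@"
fi
```
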