From: Steve Lawrence <slawrence@tresys.com>
To: Jason Zaman <jason@perfinion.com>,
Sven Vermeulen <sven.vermeulen@siphos.be>
Cc: SELinux <selinux@tycho.nsa.gov>
Subject: Re: ANN: SELinux Userspace Release: 20140826-rc7
Date: Mon, 15 Dec 2014 10:12:17 -0500
Message-ID: <548EFA51.2060505@tresys.com>
In-Reply-To: <20141214160431.GA28896@meriadoc.Home>
On 12/14/2014 11:04 AM, Jason Zaman wrote:
> On Sun, Dec 14, 2014 at 04:46:40PM +0100, Sven Vermeulen wrote:
>> On Thu, Dec 4, 2014 at 8:15 PM, Steve Lawrence <slawrence@tresys.com> wrote:
>>> The seventh release candidate for the next release of SELinux Userspace
>>> [1] is now available. T
>> [...]
>>
>> Hi all
>>
>> Is it possible to keep the tmp/ directory when building/loading a policy fails?
>>
>> # semodule -v -i foo.pp
>> Attempting to install module 'foo.pp':
>> Ok: return value of 0.
>> Committing changes:
>> Conflicting type rules
>> Binary policy creation failed at line 177 of
>> /var/lib/selinux/mcs/tmp/modules/400/java/cil
>
> Alternatively, would it be possible to just print out line 177 to the
> terminal? Diving into files is less ideal than just seeing both
> conflicting lines directly in the output.
>
> eg when there are errors during building:
> /usr/bin/checkmodule: loading policy configuration from tmp/mycustom.tmp
> mycustom.te:55:ERROR 'unknown type stttttaff_t' at token ';' on line 2790:
> allow stttttaff_t syslogd_t:unix_dgram_socket sendto;
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
>
>
>> Failed to generate binary
>> semodule: Failed!
>>
>> The tmp/ directory is cleared so it is not possible to use that
>> location for troubleshooting.
>>
>> In this particular case, I could find the java/cil in the
>> /var/lib/selinux/mcs/active/modules/400 location, but if the error
>> would be within the foo.pp-generated CIL file, then the CIL file
>> cannot be found anymore.
>>
Both good suggestions. I agree that it can be difficult to track down
issues. CIL diagnostics have plenty of room for improvement.
One thing that may help, if you were not already aware: you can always
compile the pp file to CIL yourself with something like this:
$ cat /var/lib/selinux/.../hll | bunzip2 | /usr/libexec/selinux/hll/pp
It's not perfect, but should allow you to view the generated CIL and
figure out where the error is to help track things down.
With all that said, I'm not sure this is a blocker, and it is something we'll
target to improve in the next SELinux Userspace release.
- Steve
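Steve's one-liner, wrapped into a small script that regenerates a module's CIL from the module store and prints the lines around a reported line number (Jason's point about seeing the offending line directly). This is an added example, not code from the thread or from the SELinux userspace project; it assumes the store layout `<store>/active/modules/<priority>/<name>/{lang_ext,cil,hll}` with bzip2-compressed files and the pp compiler path Steve quoted, and the sample store it builds is constructed.

```python
import bz2
import os
import subprocess
import tempfile

# Assumed module-store layout (matches the paths quoted in the thread):
#   <store>/active/modules/<priority>/<name>/{lang_ext,cil,hll}
# Store files are bzip2-compressed by default; anything without the
# "BZh" magic is treated as plain text (bzip-blocksize=0 installs).
PP_COMPILER = "/usr/libexec/selinux/hll/pp"  # path given in the thread


def _read_store_file(path):
    with open(path, "rb") as f:
        data = f.read()
    return bz2.decompress(data) if data.startswith(b"BZh") else data


def module_cil(store, priority, name, compiler=PP_COMPILER):
    """Return a module's CIL source; a .pp module is regenerated by
    piping its stored hll blob through the pp compiler."""
    moddir = os.path.join(store, "active", "modules", str(priority), name)
    lang_ext = _read_store_file(os.path.join(moddir, "lang_ext")).decode().strip()
    if lang_ext == "cil":
        return _read_store_file(os.path.join(moddir, "cil")).decode()
    hll = _read_store_file(os.path.join(moddir, "hll"))
    return subprocess.run([compiler], input=hll, capture_output=True,
                          check=True).stdout.decode()


def context_lines(text, lineno, around=2):
    """Return (number, line) pairs around the reported failing line."""
    lines = text.splitlines()
    lo, hi = max(1, lineno - around), min(len(lines), lineno + around)
    return [(n, lines[n - 1]) for n in range(lo, hi + 1)]


def build_sample_store(root=None):
    """Constructed stand-in for /var/lib/selinux/<store>: one native CIL
    module 'foo' at priority 400, bzip2-compressed like semodule does."""
    root = root or tempfile.mkdtemp()
    moddir = os.path.join(root, "active", "modules", "400", "foo")
    os.makedirs(moddir)
    cil = "(type foo_t)\n(type bar_t)\n(allow foo_t bar_t (file (read)))\n"
    with open(os.path.join(moddir, "lang_ext"), "wb") as f:
        f.write(bz2.compress(b"cil\n"))
    with open(os.path.join(moddir, "cil"), "wb") as f:
        f.write(bz2.compress(cil.encode()))
    return root


if __name__ == "__main__":
    store = build_sample_store()
    for n, line in context_lines(module_cil(store, 400, "foo"), 2, 1):
        print("%4d%s %s" % (n, ">" if n == 2 else " ", line))
```

Against a real store, point `build_sample_store` aside and call `module_cil("/var/lib/selinux/mcs", 400, "java")` with the line number from the semodule error.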