Joe Nall wrote:
> I'm really struggling to get our mls X policy to work around this
> issue. I have to rebuild the base policy for every change because the
> change has to be in the optional. blagh.
>
> joe
>

We took a look at this and applied the following patch to checkmodule:

diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
index 36d20be..c8a6d05 100644
--- a/checkpolicy/module_compiler.c
+++ b/checkpolicy/module_compiler.c
@@ -904,8 +904,7 @@ static int require_type_or_attribute(int pass, unsigned char isattr) return -1; } case -2:{ - yyerror("duplicate declaration of type/attribute"); - return -1; + return 0; } case -1:{ yyerror("could not require type/attribute here");

The magic -2 value is documented at the top of require_symbol() as meaning "duplicate declaration"; however, in the bowels of the function (module_compiler.c line 628) this is contradicted by the statement "previous declaration was not in scope or had a mismatched type/attribute." So I think the error message touched in the above patch is wrong, or at least not always correct.

Anyway, the return -2 on line 628 is the case encountered by Joe's test code. And in fact applying the above patch changes the error to:

/home/ewalsh/git/selinux/checkpolicy/checkmodule: loading policy configuration from tmp/swo.tmp
swo.te":4:ERROR 'type swo_dbusd_t is not within scope' at token ';' on line 77949:
allow swo_t swo_dbusd_t:dbus send_msg;
#line 4
/home/ewalsh/git/selinux/checkpolicy/checkmodule: error(s) encountered while parsing configuration

So perhaps we could do something like go back and promote type declarations in optional blocks into the containing scope when a require is encountered further along? Josh?

--
Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
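Review bot: turning the `case -2` branch of require_type_or_attribute() into a bare `return 0;` silently treats every -2 from require_symbol() as success, and the mail itself points out that -2 covers two different situations: a genuine duplicate declaration (as documented at the top of require_symbol()) and the line-628 case where the previous declaration "was not in scope or had a mismatched type/attribute". With the yyerror dropped, a `require` whose kind does not match the earlier declaration (type vs. attribute) would now pass without any diagnostic, and the out-of-scope case only moves the failure to the later "is not within scope" error shown in the mail. Rather than removing the message, it would be cleaner to have require_symbol() return distinct codes for "duplicate" and "mismatched/out of scope" so that this switch can keep `yyerror(...)` for the mismatch and handle only the scope case specially; at minimum the remaining `case -2:{ }` block should carry a comment explaining why 0 is the intended result there.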