On Wed, 2010-03-03 at 07:36 -0800, Justin P. mattock wrote:
> On 03/03/2010 07:28 AM, Stephen Smalley wrote:
> > On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
> >> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> >>> Hi there.
> >>>
> >>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> >>> tools (libselinux policycoreutils). I'm trying to:
> >>>
> >>> make bare
> >>> make conf
> >>> make base.pp
> >>>
> >>> My configuration:
> >>>
> >>> TYPE=mcs
> >>> NAME=refpolicy
> >>> UNK_PERMS=allow
> >>> DIRECT_INITRC=n
> >>> MONOLITHIC=n
> >>> UBAC=n
> >>> MLS_CATS=1024
> >>> MCS_CATS=1024
> >>>
> >>> But, the last command failed with the following error:
> >>>
> >>> Creating refpolicy base module base.conf
> >>> cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> >>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf> base.conf
> >>> Compiling refpolicy base module
> >>> /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> >>> /usr/bin/checkmodule: loading policy configuration from base.conf
> >>> base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> >>> level s0:c0.c1023;
> >>>
> >>> Seems to be, it's a good line (2032), but checkmodule can't eat it.
> >>>
> >>> Where can the problem be?
> >>
> >> Looks like a scanner problem to me. There have been problems with some
> >> versions of flex, e.g. see:
> >> http://marc.info/?t=125613782400001&r=1&w=2
> >> but no one has ever tracked it down precisely and I've never been able
> >> to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so
> >> that it generates debug output and then capture the stderr of running
> >> checkpolicy on base.conf. Here I get the following output for that
> >> line:
> >> --accepting rule at line 55 ("
> >> level s0:c0.c1023;")
> >> --accepting rule at line 116 ("level")
> >> --accepting rule at line 227 (" ")
> >> --accepting rule at line 219 ("s0")
> >> --accepting rule at line 235 (":")
> >> --accepting rule at line 219 ("c0.c1023")
> >> --accepting rule at line 236 (";")
> >>
> >> Note that the ":" gets treated as a separate token above, as it should,
> >> whereas your checkmodule seems to not be splitting it properly.
> >>
> >> You can look at checkpolicy/policy_scan.l and see if anything strikes
> >> you as problematic, but it looks sane to me. Maybe it is matching on
> >> ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in
> >> the pattern. Does this help?
> >>
> >> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l > >> index 48128a8..b7b8f0a 100644 > >> --- a/checkpolicy/policy_scan.l > >> +++ b/checkpolicy/policy_scan.l 
> >> @@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); } > >> {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } > >> {digit}+|0x{hexval}+ { return(NUMBER); } > >> {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } > >> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } > >> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); } > >> {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } > >> #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } > >> #line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
> >
> > Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
> > escaped via backslash as well?
> >
>
>
> if the flex version from git goes all the way
> back to 2.5* I'll do a bisect on this
> but if it only goes so far, then bisection
> can be tricky.

If my patch fixes the problem, it was a bug in checkpolicy, not a bug in
flex.

-- 
Stephen Smalley
National Security Agency
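Review bot: On the changed IPV6_ADDR rule, removing `.` from the trailing group means an IPv6 literal written with an embedded dotted-quad tail (for example ::ffff:192.0.2.1) can no longer scan as a single IPV6_ADDR token. If policy sources may contain that form, add a dedicated alternative for the dotted-quad tail rather than allowing `.` anywhere, and state the choice in the commit message. The rule still accepts any run of hex digits and colons after the second colon, so a short comment on where the address is actually validated would help the next reader. On the follow-up question about VERSION_IDENTIFIER: inside a bracket expression such as `[_.]` the dot is already literal, so it needs no quoting or backslash there, just as it was literal in the removed `[:.]`.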