Re: Problem with compiling refpolicy base.pp

On Wed, 2010-03-03 at 08:24 -0800, Justin P. mattock wrote:
> On 03/03/2010 07:53 AM, Stephen Smalley wrote:
> > On Wed, 2010-03-03 at 07:36 -0800, Justin P. mattock wrote:
> >> On 03/03/2010 07:28 AM, Stephen Smalley wrote:
> >>> On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
> >>>> On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
> >>>>> Hi there.
> >>>>>
> >>>>> I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
> >>>>> tools (libselinux policycoreutils). I'm trying to:
> >>>>>
> >>>>>       make bare
> >>>>>       make conf
> >>>>>       make base.pp
> >>>>>
> >>>>> My configuration:
> >>>>>
> >>>>> TYPE=mcs
> >>>>> NAME=refpolicy
> >>>>> UNK_PERMS=allow
> >>>>> DIRECT_INITRC=n
> >>>>> MONOLITHIC=n
> >>>>> UBAC=n
> >>>>> MLS_CATS=1024
> >>>>> MCS_CATS=1024
> >>>>>
> >>>>> But, the last command failed with the following error:
> >>>>>
> >>>>>       Creating refpolicy base module base.conf
> >>>>>       cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
> >>>>> tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf>   base.conf
> >>>>>       Compiling refpolicy base module
> >>>>>       /usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
> >>>>>       /usr/bin/checkmodule:  loading policy configuration from base.conf
> >>>>>       base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
> >>>>>       level s0:c0.c1023;
> >>>>>
> >>>>> Seems to be, it's a good line (2032), but checkmodule can't eat it.
> >>>>>
> >>>>> Where can the problem be?
> >>>>
> >>>> Looks like a scanner problem to me.  There have been problems with some
> >>>> versions of flex, e.g. see:
> >>>> http://marc.info/?t=125613782400001&r=1&w=2
> >>>> but no one has ever tracked it down precisely and I've never been able
> >>>> to reproduce.  Modify your checkpolicy Makefile to pass -d to $(LEX) so
> >>>> that it generates debug output and then capture the stderr of running
> >>>> checkpolicy on base.conf.  Here I get the following output for that
> >>>> line:
> >>>> --accepting rule at line 55 ("
> >>>> level s0:c0.c1023;")
> >>>> --accepting rule at line 116 ("level")
> >>>> --accepting rule at line 227 (" ")
> >>>> --accepting rule at line 219 ("s0")
> >>>> --accepting rule at line 235 (":")
> >>>> --accepting rule at line 219 ("c0.c1023")
> >>>> --accepting rule at line 236 (";")
> >>>>
> >>>> Note that the ":" gets treated as a separate token above, as it should,
> >>>> whereas your checkmodule seems to not be splitting it properly.
> >>>>
> >>>> You can look at checkpolicy/policy_scan.l and see if anything strikes
> >>>> you as problematic, but it looks sane to me.  Maybe it is matching on
> >>>> ipv6_addr instead.  On second look, I'm wondering why ipv6_addr has . in
> >>>> the pattern.  Does this help?
> >>>>
> >>>> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> >>>> index 48128a8..b7b8f0a 100644
> >>>> --- a/checkpolicy/policy_scan.l
> >>>> +++ b/checkpolicy/policy_scan.l
> >>>> @@ -219,7 +219,7 @@ PERMISSIVE			{ return(PERMISSIVE); }
> >>>>    {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
> >>>>    {digit}+|0x{hexval}+            { return(NUMBER); }
> >>>>    {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
> >>>> -{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
> >>>> +{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")*  { return(IPV6_ADDR); }
> >>>>    {digit}+(\.({alnum}|[_.])*)?    { return(VERSION_IDENTIFIER); }
> >>>>    #line[ ]1[ ]\"[^\n]*\"		{ set_source_file(yytext+9); }
> >>>>    #line[ ]{digit}+	        { source_lineno = atoi(yytext+6)-1; }
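Review bot: On the changed IPV6_ADDR line, dropping "." from the trailing class ({hexval}|[:.])* also stops the rule from scanning an address with a dotted-quad tail (the IPv4-embedded form, e.g. ::ffff:192.0.2.1) as a single token, which is a wider change than the "level s0:c0.c1023;" case being debugged. Both the old and the new pattern still require two literal ":" before the tail, so by the rule text neither should match "s0:c0.c1023" at all. If the dot is removed, add a comment in policy_scan.l that the embedded-IPv4 form is intentionally not accepted, or keep that form with an explicit dotted-quad suffix rather than a bare "." in the class.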
> >>>
> >>> Hmm...and does the second "." in VERSION_IDENTIFIER need to be quoted or
> >>> escaped via backslash as well?
> >>>
> >>
> >>
> >> if the flex version from git goes all the way
> >> back to 2.5* I'll do a bisect on this
> >> but if it only goes so far, then bisection
> >> can be tricky.
> >
> > If my patch fixes the problem, it was a bug in checkpolicy, not a bug in
> > flex.
> >
> 
> 
> Here's what I get:
> 
> 
>   flex --version
> flex 2.5.35
> 
> (without the patch applied).
> 
> Compiling mcs  base module
> /usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod
> /usr/bin/checkmodule:  loading policy configuration from base.conf
> base.conf:1265:ERROR 'syntax error' at token ':c0.c255' on line 1265:
> 
> level s0:c0.c255;
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> make: *** [tmp/base.mod] Error 1
> 
> 
> (after applying patch):
> 
> Compiling mcs  base module
> /usr/bin/checkmodule -M -U deny base.conf -o tmp/base.mod
> /usr/bin/checkmodule:  loading policy configuration from base.conf
> base.conf:1265:ERROR 'syntax error' at token ':c0' on line 1265:
> 
> level s0:c0.c255;
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> make: *** [tmp/base.mod] Error 1
> 
> 
> as soon as I compile checkpolicy/checkmodule with the older version of 
> flex the policy will compile without the syntax error.
> 
> but if this is a userspace (SELinux) issue, I can try a bisect with 
> checkpolicy/checkmodule.

No, your test result confirms that the bug lies in flex.  The ipv6_addr
pattern is just the trigger.  It should not match (requires at least two
colons), but appears to be doing so.  See my other email.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
