On 03/03/2010 08:23 AM, Stephen Smalley wrote:
On Wed, 2010-03-03 at 10:21 -0500, Stephen Smalley wrote:
On Wed, 2010-03-03 at 17:31 +0300, AlannY wrote:
Hi there.
I'm trying to compile refpolicy. I have checkpolicy 2.0.20 and misc
tools (libselinux policycoreutils). I'm trying to:
make bare
make conf
make base.pp
My configuration:
TYPE=mcs
NAME=refpolicy
UNK_PERMS=allow
DIRECT_INITRC=n
MONOLITHIC=n
UBAC=n
MLS_CATS=1024
MCS_CATS=1024
But, the last command failed with the following error:
Creating refpolicy base module base.conf
cat tmp/pre_te_files.conf tmp/all_attrs_types.conf
tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf> base.conf
Compiling refpolicy base module
/usr/bin/checkmodule -M -U allow base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
base.conf:2032:ERROR 'syntax error' at token ':c0.c1023' on line 2032:
level s0:c0.c1023;
It seems to be a good line (2032), but checkmodule can't eat it.
Where can the problem be?
Looks like a scanner problem to me. There have been problems with some
versions of flex, e.g. see:
http://marc.info/?t=125613782400001&r=1&w=2
but no one has ever tracked it down precisely and I've never been able
to reproduce. Modify your checkpolicy Makefile to pass -d to $(LEX) so
that it generates debug output and then capture the stderr of running
checkpolicy on base.conf. Here I get the following output for that
line:
--accepting rule at line 55 ("
level s0:c0.c1023;")
--accepting rule at line 116 ("level")
--accepting rule at line 227 (" ")
--accepting rule at line 219 ("s0")
--accepting rule at line 235 (":")
--accepting rule at line 219 ("c0.c1023")
--accepting rule at line 236 (";")
Note that the ":" gets treated as a separate token above, as it should,
whereas your checkmodule seems to not be splitting it properly.
You can look at checkpolicy/policy_scan.l and see if anything strikes
you as problematic, but it looks sane to me. Maybe it is matching on
ipv6_addr instead. On second look, I'm wondering why ipv6_addr has . in
the pattern. Does this help?
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 48128a8..b7b8f0a 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -219,7 +219,7 @@ PERMISSIVE { return(PERMISSIVE); }
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
{digit}+|0x{hexval}+ { return(NUMBER); }
{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
-{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
+{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":")* { return(IPV6_ADDR); }
{digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
#line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
#line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
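Review bot: dropping `[:.]` from the IPV6_ADDR tail also drops the dotted IPv4 suffix of IPv4-embedded IPv6 addresses, so an address of that form in a policy would now tokenize as an IPV6_ADDR prefix followed by stray tokens; if that form must stay accepted, allow `.` only inside a trailing `{digit}{1,3}(\.{digit}{1,3}){3}` group rather than anywhere in the tail. Separately, the failing token `:c0.c1023` has a single colon while the pattern requires two, so confirm with the flex -d trace that this hunk actually changes the tokenization of `level s0:c0.c1023;` before treating it as the fix.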
It turns out there was a reason why we originally allowed "." in the
ipv6_addr pattern - for embedded ipv4 addresses,
http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm
Reconsidering this, I don't see why we'd match on ipv6_addr anyway
(":c0.c1023" doesn't match the pattern as it lacks two colons), so
perhaps this is still a bug in flex.
It did first seem to manifest after the ipv6_addr pattern was added
though, so I think that the ipv6_addr pattern is the trigger for the
bug.
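To make the argument above concrete, here is a small Python model of the scanner's longest-match rule selection using the patterns quoted from policy_scan.l (this is added illustration, not code from checkpolicy or from anyone in the thread; the "level" keyword rule and the catch-all rule are assumed stand-ins for the real file's rules). It shows that neither the old nor the patched IPV6_ADDR pattern can claim ":c0.c1023", and that only the old pattern accepts an IPv4-embedded IPv6 address.

```python
import re

# Patterns transcribed from the policy_scan.l excerpt quoted in the thread (flex
# syntax converted to Python re). Only the rules needed here are included; the
# "level" rule stands in for the keyword rule that precedes IDENTIFIER (assumed).
HEX, DIGIT, ALNUM, LETTER = r"[0-9a-fA-F]", r"[0-9]", r"[a-zA-Z0-9]", r"[a-zA-Z]"

def rules(variant):
    # "old" = tail allows [:.] (embedded IPv4); "new" = the proposed patch, colon only.
    tail = r"(?:%s|[:.])*" % HEX if variant == "old" else r"(?:%s|:)*" % HEX
    return [
        ("KEYWORD", r"level"),
        ("IDENTIFIER", r"%s(?:%s|[_\-])*(?:\.?(?:%s|[_\-]))*" % (LETTER, ALNUM, ALNUM)),
        ("NUMBER", r"0x%s+|%s+" % (HEX, DIGIT)),   # hex form first so re finds the longer match
        ("IPV4_ADDR", r"%s{1,3}(?:\.%s{1,3}){3}" % (DIGIT, DIGIT)),
        ("IPV6_ADDR", r"%s{0,4}:%s{0,4}:%s" % (HEX, HEX, tail)),
        ("VERSION_IDENTIFIER", r"%s+(?:\.(?:%s|[_.])*)?" % (DIGIT, ALNUM)),
        ("WS", r"[ \t\n]+"),
        ("PUNCT", r"[:;]"),
        ("OTHER", r"."),                           # stand-in for flex's default (unmatched char) rule
    ]

def tokenize(text, variant="old"):
    """Flex semantics: at each position take the longest match; ties go to the earlier rule."""
    compiled = [(name, re.compile(p)) for name, p in rules(variant)]
    pos, tokens = 0, []
    while pos < len(text):
        best = None
        for name, rx in compiled:
            m = rx.match(text, pos)
            if m and m.end() > pos and (best is None or m.end() > best[1]):
                best = (name, m.end())
        name, end = best
        if name != "WS":
            tokens.append((name, text[pos:end]))
        pos = end
    return tokens

if __name__ == "__main__":
    for variant in ("old", "new"):
        print(variant, tokenize("level s0:c0.c1023;", variant))  # ':' is its own token either way
        print(variant, tokenize("::ffff:192.0.2.1", variant))    # embedded IPv4 survives only in "old"
```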
http://marc.info/?t=109338686200002&r=1&w=2
man!! seeing all of the bickering towards the end
really looks bad.
Anyways I made a wrapper with the -l option and tried other options
as well, and still am able to reproduce this syntax error.
FWIW here's the -v output while building checkmodule/checkpolicy with the
new/older versions of flex:
scanner options: -lvI8 -Cem
1677/2000 NFA states
944/1000 DFA states (8671 words)
188 rules
Compressed tables always back-up
1/40 start conditions
494 epsilon states, 252 double epsilon states
28/100 character classes needed 458/500 words of storage, 0 reused
50312 state/nextstate pairs created
3621/46691 unique/duplicate transitions
988/1000 base-def entries created
2182/4000 (peak 5221) nxt-chk entries created
396/5000 (peak 3520) template nxt-chk entries created
0 empty table entries
49 protos created
44 templates created, 98 uses
80/256 equivalence classes created
9/256 meta-equivalence classes created
0 (17 saved) hash collisions, 2680 DFAs equal
3 sets of reallocations needed
6676 total table entries needed
and the -v option with the older version of flex that
works:
/flex version 2.5.4 usage statistics:
scanner options: -lvI8 -Cem
1621/2000 NFA states
891/1000 DFA states (8396 words)
188 rules
Compressed tables always back-up
1/40 start conditions
465 epsilon states, 236 double epsilon states
13/100 character classes needed 161/500 words of storage, 14 reused
48957 state/nextstate pairs created
3506/45451 unique/duplicate transitions
907/1000 base-def entries created
2038/4000 (peak 2927) nxt-chk entries created
144/2500 (peak 1280) template nxt-chk entries created
0 empty table entries
21 protos created
16 templates created, 48 uses
80/256 equivalence classes created
9/256 meta-equivalence classes created
1 (15 saved) hash collisions, 2618 DFAs equal
2 sets of reallocations needed
6226 total table entries needed
I'm thinking I'll try to bisect flex (if possible) and see,
but it might take some time.
Justin P. Mattock