Hello Chris,
Many thanks for finding out this problem, I've found out the root cause, and the fix is very easy - just remove the second call of role_fix_callback() in expand_module() for processing block/decls' local p_roles table.

Ok, let me ramble on how I've analyzed this problem.

1. After I add some printf in the role_fix_callback(), I will get below results:

712, role attribute name: portage_roles
712, role attribute name: semanage_roles
712, role attribute name: rpm_roles
712, role attribute name: semanage_roles
724, regular_role_name: portage_roles, 1
semodule: expand.c:725: role_fix_callback: Assertion `0' failed.

Which shows that the semanage_role attribute has been processed TWICE, and it is the second time when the assertion finds that it still contains a sub role attribute.

How could this happen? Since the expand_role_attributes() at the end of the link phase would escalate sub role attribute's roles ebitmap into that of the parent, then remove the sub role attribute away from the parent's roles ebitmap, which supports the assertion that during the role_fix_callback() in the expand phase any role attribute's roles ebitmap should only contain regular roles, but not role attribute.

When the role_fix_callback() is called the second time in the expand phase, it is processing the p_roles symtab of some block/decl. If I comment off usermanage_run_useradd(portage_t, portage_roles), which is inside optional_policy macro, then I would get another similar error log:

712, role attribute name: portage_roles
712, role attribute name: semanage_roles
712, role attribute name: rpm_roles
712, role attribute name: semanage_roles
724, regular_role_name: rpm_roles, 1
semodule: expand.c:725: role_fix_callback: Assertion `0' failed.

Then if I further comment off usermanage_run_useradd(rpm_script_t, rpm_roles), then the problem would be gone.

2. This problem makes me remember that months ago when I was developing the role attribute support, I had been doubtful about the need to call role_fix_callback() again in the expand phase for any block/decl. Turns out this is not only redundant but also wrong!

At the end of the link phase, before expand_role_attributes() is called the populate_roleattributes() takes care of merging any role attributes' roles ebitmap recorded in any block/decl's p_roles table, into the base.p_roles table. Actually this would have complemented the effect of get_local_role(), so there is not any need to look into any block/decl's p_roles table again in the expand phase.

Moreover, any attempt to do so would be wrong, since expand_role_attributes() just works on base.p_roles table, not that of block/decl's, which explains when processing some local p_roles of some block/decl, the semanage_role's roles ebitmap still contains sub role attributes! Which further explains why comment off the call of usermanage_run_useradd() would make the problem disappear - since it's called in some block/decl other than the global block!

3. The tests in step 1 prove that the analysis in step 2 is correct. Also, the call of attr_convert_callback() in the expand phase for block/decls aims to complement the effect of get_local_type(). Again, now that the effect of get_local_role() has been complemented by populate_roleattributes() in the link phase, role_fix_callback() should not be called for block/decl any more.

I would send out the fix in a separate thread.

Thanks again!

Best regards,
Harry

> Date: Mon, 1 Aug 2011 09:00:32 -0400
> From: cpebenito@xxxxxxxxxx
> To: selinux@xxxxxxxxxxxxx
> CC: qingtao.cao@xxxxxxxxxxxxx; harrytaurus2002@xxxxxxxxxxx
> Subject: Error in monolithic role attribute
>
> I started the Refpolicy implementation for the new role attribute
> support. Unfortunately, I get the following error for monolithic policies:
>
> /usr/bin/checkpolicy policy.conf -o policy.26
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> checkpolicy: expand.c:721: role_fix_callback: Assertion `regular_role !=
> ((void *)0) && regular_role->flavor == 0' failed.
> make: *** [policy.26] Aborted
>
> With the same policy I get a similar error when running 'make validate'
> in a modular build:
>
> /usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
> semodule_expand: expand.c:721: role_fix_callback: Assertion
> `regular_role != ((void *)0) && regular_role->flavor == 0' failed.
> make: *** [validate] Aborted
>
> This is with last week's release of the toolchain.
>
> You should be able to reproduce this by checking out current Refpolicy
> and applying the attached patch.
>
> For monolithic:
> $ make conf
> $ make MONOLITHIC=y.
>
> For modular:
>
> $ make conf
> $ make validate
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com |
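
The invariant discussed in the message above, as a toy model added here for illustration; it is not code from the thread or from libsepol. A uint32_t stands in for a roles ebitmap, and all identifiers (role_table, populate, expand_attrs, first_nested_attr, build) and the sample role sets are assumptions: only the base table is expanded, so a block's local table still nests attributes.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy model, not libsepol: a uint32_t stands in for an ebitmap and every
 * identifier is hypothetical. The sample role sets are constructed. */
enum { SYSADM_R, STAFF_R, PORTAGE_ROLES, RPM_ROLES, SEMANAGE_ROLES, NROLES };
static const int is_attr[NROLES] = { 0, 0, 1, 1, 1 }; /* 1 = role attribute */
typedef struct { uint32_t roles[NROLES]; } role_table; /* one p_roles table */
#define BIT(r) (1u << (r))
/* True when attribute a's role set still contains attribute s. */
#define NESTED(t, a, s) (is_attr[a] && is_attr[s] && ((t)->roles[a] & BIT(s)))

/* Link phase, step 1: merge locally recorded attribute sets into the base. */
static void populate(role_table *base, const role_table *decl) {
    for (int a = 0; a < NROLES; a++)
        if (is_attr[a]) base->roles[a] |= decl->roles[a];
}
/* Link phase, step 2: fold sub-attributes into the parent, clear their bit. */
static void expand_attrs(role_table *t) {
    for (int changed = 1; changed; ) {
        changed = 0;
        for (int a = 0; a < NROLES; a++)
            for (int s = 0; s < NROLES; s++)
                if (NESTED(t, a, s)) {
                    t->roles[a] = (t->roles[a] | t->roles[s]) & ~BIT(s);
                    changed = 1;
                }
    }
}
/* Expand-phase invariant check: first attribute still nesting one, or -1. */
static int first_nested_attr(const role_table *t) {
    for (int a = 0; a < NROLES; a++)
        for (int s = 0; s < NROLES; s++)
            if (NESTED(t, a, s)) return a;
    return -1;
}
/* A block's local table records semanage_roles nesting two attributes. */
static void build(role_table *base, role_table *decl) {
    *base = (role_table){{0}}; *decl = (role_table){{0}};
    base->roles[PORTAGE_ROLES] = BIT(SYSADM_R);
    base->roles[RPM_ROLES] = BIT(STAFF_R);
    decl->roles[SEMANAGE_ROLES] = BIT(PORTAGE_ROLES) | BIT(RPM_ROLES);
    populate(base, decl);
    expand_attrs(base); /* only the base table is expanded */
}
int main(void) {
    role_table base, decl;
    build(&base, &decl);
    printf("base %d, local %d\n", first_nested_attr(&base), first_nested_attr(&decl));
    return 0;
}
```

Running the invariant check over the local table is the analogue of the second role_fix_callback() pass: it reports the semanage_roles index, while the expanded base table reports -1.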