On Thu 9 Feb 22:58:47 2012, Martin Orr wrote:
I tried to build latest git refpolicy (6da98efd) using latest checkpolicy and libsepol (339f8079) with the attached modules.conf. In particular this puts sysadm into base.pp, and minimal other things. I get the following error.
It turns out that this is not just an issue with base vs modules. If I build refpolicy with the default modules.conf and try to install the same set of modules as I built into base previously, then semodule fails with the same error, whether I use TYPE = standard or mcs.
$ sudo semodule $(sudo semodule -l | awk '{ print "-r "$1 }') -b base.pp -i storage.pp sysadm.pp application.pp authlogin.pp init.pp libraries.pp locallogin.pp logging.pp miscfiles.pp modutils.pp selinuxutil.pp sysnetwork.pp userdomain.pp
semodule: expand.c:700: role_fix_callback: Assertion `new_role != ((void *)0) && new_role->flavor == 1' failed.
It works if I add enough modules that all role attributes "require"d by optional blocks are present, i.e. the following command, provided I am using an mcs policy. It seg faults if using a standard policy.
$ sudo semodule $(sudo semodule -l | awk '{ print "-r "$1 }') -b base.pp -i storage.pp sysadm.pp application.pp authlogin.pp init.pp libraries.pp locallogin.pp logging.pp miscfiles.pp modutils.pp selinuxutil.pp sysnetwork.pp userdomain.pp portage.pp rsync.pp consoletype.pp usermanage.pp usernetctl.pp bootloader.pp dpkg.pp iptables.pp modutils.pp mount.pp rpm.pp sysnetwork.pp vpn.pp ppp.pp
It appears that requiring role attributes does not work correctly. The seg fault with a non-mcs policy may be an independent problem.
--
Martin Orr