So far I am not 100% sure, but I am extra sure that certain cautions must be taken when requiring a module to be built into base.pp rather than as a loadable module. In particular, while building the base module, the "self_contained_policy" macro is defined, exactly the same as when building a monolithic policy image, which will influence if the gen_require() macro would be properly expanded to the "require" keyword. Below is the definition of the gen_require() macro:

define(`gen_require',`
    ifdef(`self_contained_policy',`
        ifdef(`__in_optional_policy',`
            require {
                $1
            } # end require
        ')
    ',`
        require {
            $1
        } # end require
    ')
')

Where we can clearly see that if the "self_contained_policy" is defined, ONLY WHEN the "__in_optional_policy" is also defined, would gen_require() be expanded to the require keyword. BTW, "__in_optional_policy" is defined only within an optional_policy() block!

That's why I take it for granted that you would have to include the actual definition of a role attribute along with the module that requires it into the base module.

Cheers,
Harry

> Date: Thu, 9 Feb 2012 22:58:47 +0000
> From: martin@xxxxxxxxxxxxxx
> To: selinux@xxxxxxxxxxxxx
> Subject: role_fix_callback assertion with sysadm in base
>
> I tried to build latest git refpolicy (6da98efd) using latest
> checkpolicy and libsepol (339f8079) with the attached modules.conf.
> In particular this puts sysadm into base.pp, and minimal other things.
> I get the following error.
>
> Compiling refpolicy base module
> /usr/bin/checkmodule base.conf -o tmp/base.mod
> /usr/bin/checkmodule: loading policy configuration from base.conf
> checkmodule: expand.c:700: role_fix_callback: Assertion `new_role !=
> ((void *)0) && new_role->flavor == 1' failed.
> make: *** [tmp/base.mod] Aborted
>
> --
> Martin Orr
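
The expansion rule described in the reply above, as an added example that is not part of the original thread or of refpolicy: a small Python check that lists every gen_require() call in a policy source and reports whether it would emit a require block in a base (self_contained_policy) build versus a loadable-module build. The sample fragment and all function names are constructed for illustration, and the scanner assumes parentheses are balanced outside # comments.

```python
import re

# Constructed sample policy fragment (not taken from refpolicy).
SAMPLE = """\
gen_require(`
    role sysadm_r;
')
optional_policy(`
    gen_require(`
        role staff_r;
    ')
')
"""

# m4 only treats NAME( as a call when "(" follows the name directly.
TOKEN = re.compile(r"\b(optional_policy|gen_require)\(|[()]")

def gen_require_sites(source):
    """Return [(line, inside_optional_policy)] for each gen_require( call."""
    source = re.sub(r"#.*", "", source)       # drop comments, keep line count
    depth, optional_stack, sites = 0, [], []
    for m in TOKEN.finditer(source):
        if m.group() == ")":
            depth -= 1
            if optional_stack and optional_stack[-1] == depth:
                optional_stack.pop()          # this ")" closes optional_policy(
            continue
        if m.group(1) == "optional_policy":
            optional_stack.append(depth)      # remember depth where it opened
        elif m.group(1) == "gen_require":
            line = source.count("\n", 0, m.start()) + 1
            sites.append((line, bool(optional_stack)))
        depth += 1
    return sites

def emits_require(inside_optional, self_contained_policy):
    """Rule from the quoted macro: in a self-contained build, require {}
    is emitted only when __in_optional_policy is defined."""
    return inside_optional if self_contained_policy else True

def report(source, self_contained_policy):
    """Return [(line, emits_require_block)] for the given build mode."""
    return [(line, emits_require(inside, self_contained_policy))
            for line, inside in gen_require_sites(source)]

if __name__ == "__main__":
    for mode, flag in (("base.pp", True), ("loadable module", False)):
        for line, emitted in report(SAMPLE, flag):
            state = "require { ... }" if emitted else "expands to nothing"
            print(f"{mode}: gen_require at line {line}: {state}")
```

Every call flagged as expanding to nothing in the base build depends on a declaration that must itself be present in base.conf.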