Looks to be an ordering issue with how we verify classmaps when they are nested. If you define (classmap common_appletalk_socket ...) before (classmap all_sockets ...), you'll get this error error: Map class common_appletalk_socket does not have a classmapping for common_readwrite_socket_perms Map class common_appletalk_socket does not have a classmapping for common_create_socket_perms So you're just missing the mapping for common_appletalk_sockets. The right fix for the segfault isn't immediately clear to me--might need to change some orderings or maybe even add another verify pass? But adding the mapping should resolve your segfault for now. On 1/28/20 7:25 AM, Dominick Grift wrote: > In trying to reduce points of failure in my policy I encountered another segfault > > I want to centralize common permissions, for example common create and common read/write socket perms: > > 872 (classmap all_sockets | > 873 (common_create_socket_perms common_readwrite_socket_perms)) | > 874 | > 875 (classmap common_alg_socket | > 876 (common_create_socket_perms common_readwrite_socket_perms)) | > 877 (classmap common_appletalk_socket | > 878 (common_create_socket_perms common_readwrite_socket_perms)) | > 879 | > 880 (classmapping | > 881 all_sockets | > 882 common_create_socket_perms | > 883 (common_alg_socket | > 884 (common_create_socket_perms))) | > 885 | > 886 (classmapping | > 887 all_sockets | > 888 common_create_socket_perms | > 889 (common_appletalk_socket | > 890 (common_create_socket_perms))) | > 891 | > 892 (classmapping | > 893 all_sockets | > 894 common_readwrite_socket_perms | > 895 (common_alg_socket | > 896 (common_readwrite_socket_perms))) | > 897 | > 898 (classmapping | > 899 all_sockets | > 900 common_readwrite_socket_perms | > 901 (common_appletalk_socket | > 902 (common_readwrite_socket_perms))) | > 903 | > 904 (classmapping | > 905 common_alg_socket | > 906 common_create_socket_perms | > 907 (alg_socket | > 908 (append bind connect create getattr getopt ioctl read setattr setopt shutdown| > 909 write))) | > 910 | > 911 (classmapping | > 912 common_alg_socket | > 913 common_readwrite_socket_perms | > 914 (alg_socket | > 915 (append bind connect getattr getopt ioctl read setattr setopt shutdown | > 916 write))) | > 917 | > 918 (classpermission create_alg_socket_perms) | > 919 | > 920 (classpermissionset | > 921 create_alg_socket_perms | > 922 (common_alg_socket | > 923 (common_create_socket_perms))) | > 924 | > 925 (classpermission readwrite_alg_socket_perms) | > 926 | > 927 (classpermissionset | > 928 readwrite_alg_socket_perms | > 929 (common_alg_socket | > 930 (common_readwrite_socket_perms))) | > > <snip> > Building AST from Parse Tree > Destroying Parse Tree > Resolving AST > Qualifying Names > Compile post process > make: *** [Makefile:21: policy.32] Segmentation fault (core dumped) >
