| Summary: | checkmodule fails to compile policy on newer .te files | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Simon Sekidde <ssekidde> |
| Component: | checkpolicy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 24 | CC: | dwalsh, mgrepl, plautrba, vmojzis |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Last Closed: | 2016-10-31 16:10:54 UTC | Type: | Bug |
The problem here is that checkmodule doesn't understand M4 macros (policy_module, domain_type, domain_entry_file).
Please use the following command to compile your policy module (also, the name of the .te file has to be <module_name>.te):
```
# mv example.te myapp.te
# make -f /usr/share/selinux/devel/Makefile myapp.pp
```
First, 'all_interfaces.conf', containing definitions of all macros, is created. That file is then used to expand all macros in the given module. The expanded module can then be compiled by checkmodule. (Use 'make' with '-n' to see the commands used in the process.)
The following example module can be compiled directly by checkmodule because it doesn't contain macros:
```
# cat mymodule.te
module mymodule 1.0;
require {
class file {open read write};
type httpd_t;
attribute non_security_file_type;
};
allow httpd_t non_security_file_type:file { open read write };
# checkmodule -C -M -m mymodule.te -o mymodule.mod
```

Description of problem:

example.te

```
 1
 2 policy_module(myapp,1.0.0)
 3
 4 ########################################
 5 #
 6 # Declarations
 7 #
 8
 9 type myapp_t;
10 type myapp_exec_t;
11 domain_type(myapp_t)
12 domain_entry_file(myapp_t, myapp_exec_t)
```

```
$ checkmodule -C -M -m example.te -o example.mod
checkmodule: loading policy configuration from example.te
example.te:2:ERROR 'Building a policy module, but no module specification found. ' at token 'policy_module' on line 2:
policy_module(myapp,1.0.0)
```

```
1
2 #policy_module(myapp,1.0.0)
3 module myapp 1.0.0;
4
```

```
$ checkmodule -C -M -m example.te -o example.mod
checkmodule: loading policy configuration from example.te
example.te:12:ERROR 'This block has no require section.' at token 'domain_type' on line 12:
domain_type(myapp_t)
type myapp_exec_t;
checkmodule: error(s) encountered while parsing configuration
```

Version-Release number of selected component (if applicable):
checkpolicy-2.5-6.fc24.x86_64

How reproducible:
100%
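
A pre-flight check for the two failures in this report: it inspects a .te file and prints the build command that fits it, following the advice in the comment above. This is an added example, not part of the bug report or of checkpolicy; the function name `te_build_cmd` is hypothetical, and the check assumes macro calls start a line.

```shell
#!/bin/sh
# Added example: decide how a .te file has to be compiled.
# te_build_cmd is a hypothetical helper, not shipped with checkpolicy.

DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile   # path quoted in the comment above

# Print the build command for a .te file; on a problem, explain on stderr and return 1.
te_build_cmd() {
    te=$1
    [ -r "$te" ] || { echo "cannot read $te" >&2; return 1; }
    base=$(basename "$te" .te)

    # Drop '#' comments so a commented-out policy_module() is not counted.
    body=$(sed 's/#.*//' "$te")

    # Reference-policy form: policy_module(name, version) needs m4 expansion first.
    name=$(printf '%s\n' "$body" |
        sed -n 's/^[[:space:]]*policy_module([[:space:]]*\([A-Za-z0-9_]*\).*/\1/p' |
        head -n 1)
    if [ -n "$name" ]; then
        if [ "$name" != "$base" ]; then
            echo "rename $te to $name.te: the file name must be <module_name>.te" >&2
            return 1
        fi
        echo "make -f $DEVEL_MAKEFILE $name.pp"
        return 0
    fi

    # Raw form: 'module name version;' is what checkmodule parses directly.
    name=$(printf '%s\n' "$body" |
        sed -n 's/^[[:space:]]*module[[:space:]][[:space:]]*\([A-Za-z0-9_]*\).*/\1/p' |
        head -n 1)
    [ -n "$name" ] || { echo "$te: no module or policy_module statement" >&2; return 1; }

    # A line starting with 'identifier(' is an m4 macro call checkmodule cannot parse.
    macros=$(printf '%s\n' "$body" |
        grep -E -c '^[[:space:]]*[a-z_][a-z0-9_]*\(' || true)
    if [ "$macros" -gt 0 ]; then
        echo "$te: $macros macro call(s) left; keep policy_module() and use the devel Makefile" >&2
        return 1
    fi
    echo "checkmodule -C -M -m $te -o $name.mod"
}
```

Source the file and run `te_build_cmd example.te`; it only prints the command and never invokes `make` or `checkmodule` itself.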