Bug 2254206
Summary: | /usr/bin/sepolgen-ifgen reports "Illegal character '"'" | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Petr Lautrbach <plautrba> |
Component: | policycoreutils | Assignee: | Petr Lautrbach <plautrba> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | | |
Version: | 40 | CC: | dwalsh, extras-qa, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, plautrba, ppisar, rc040203, rmetrich, robert.hinson, vmojzis, voj-tech, zpytela |
Target Milestone: | --- | Keywords: | Reopened, SELinux |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | selinux-policy-40.23-1.fc40 policycoreutils-3.7-6.fc40 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | 2254169 | Environment: | |
Last Closed: | 2025-01-22 01:49:00 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |

Description
Petr Lautrbach
2023-12-12 16:45:21 UTC
Thank you for the report, it was introduced in rawhide in v40.2 with e62efd6dd Split virt policy, introduce virt_supplementary module and the change seems to have been intentional, not to make our tools fail or report an error.

```
+# Use parentheses so that "interface" is not recognized as a keyword by M4
+/var/run/libvirt/interfac(e)(/.*)? gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
...
+ filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interfac(e)")
```

Will check if it is valid also for the filename in the transition pattern.

Well, in the filename transition rule "interfac(e)" will not match "interface" (it's not a regex), so the rule doesn't have the desired effect even now.

This bug appears to have been reported against 'rawhide' during the Fedora Linux 40 development cycle. Changing version to 40.

*** Bug 2277925 has been marked as a duplicate of this bug. ***

An attempt to use "interface" fails at the first virt_driver_template call at #L167 containing:

```
filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interface")
```

```
virt_driver_template(virtinterfaced_t)
->
allow virtinterfaced_t virt_var_run_t:dir { open read getattr lock search ioctl add_name remove_name write };
policy/modules/contrib/virt.te:298:ERROR 'unrecognized character' at token '"' on line 6887:
#line 298
type_transition virtinterfaced_t virt_var_run_t:dir virtinterfaced_var_run_t "
policy/modules/contrib/virt.te:298:ERROR 'syntax error' at token 'allow' on line 6891:
#line 298
allow virtinterfaced_t virt_var_run_t:dir { open read getattr lock search ioctl add_name remove_name write };
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [Rules.modular:77: tmp/virt.mod] Error 1
make: *** Waiting for unfinished jobs....
```

Do you happen to have a workaround handy?

I am looking for string concatenation in m4. If any of these do not work, we can still try an unnamed file transition as this should not make things worse at least.

Given that "interface" is a defined macro, it needs to be quoted - https://www.gnu.org/software/m4/manual/m4.html#Quoted-strings

Unfortunately, simple quotes would not help:

```
filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "`interface'")
```

would be expanded to

```
define(`filetrans_pattern',`
allow $1 $2:dir rw_dir_perms;
type_transition $1 $2:$4 $3 "interface";
')
```

which would be again expanded to interface macro definition. Therefore it's necessary to use double quotes:

```
filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "``interface''")
->
type_transition $1 $2:$4 $3 "`interface'";
```

*** Bug 2254169 has been marked as a duplicate of this bug. ***

FEDORA-2024-2bc43119f3 (selinux-policy-40.23-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-2bc43119f3

FEDORA-2024-2bc43119f3 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-2bc43119f3` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-2bc43119f3 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2024-2bc43119f3 (selinux-policy-40.23-1.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.

selinux-policy-40.23-1.fc40 does NOT fix this bug:

```
# rpm -qa 'selinux-policy*'
selinux-policy-40.23-1.fc40.noarch
selinux-policy-targeted-40.23-1.fc40.noarch
selinux-policy-devel-40.23-1.fc40.noarch
# dnf reinstall --refresh --enablerepo=updates-testing 'selinux-*'
...
Running scriptlet: selinux-policy-devel-40.23-1.fc40.noarch 3/6
Illegal character '"'
...
```

Switching the component, maybe parser needs to be updated?

In the policy we now have:

```
# This sequence of quotation marks is needed to prevent "interface"
# from being interpreted as a keyword and further parsed by m4 macros
filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "``interface''")
```

It is still happening...

```
Upgrading : selinux-policy-devel-40.24-1.fc40.noarch 93/224
Running scriptlet: selinux-policy-devel-40.24-1.fc40.noarch 93/224
Illegal character '"'
```

This is fixed in policycoreutils-3.7-4.fc42.x86_64

I have policycoreutils-3.7-5.fc41.x86_64 and still can see in DNF5 output when reinstalling selinux-policy-devel-0:41.27-1.fc41.noarch:

```
>>> Running post-install scriptlet: selinux-policy-devel-0:41.27-1.fc41.noarch
>>> Finished post-install scriptlet: selinux-policy-devel-0:41.27-1.fc41.noarch
>>> Scriptlet output:
>>> /usr/share/selinux/devel/include/contrib/virt.if: Syntax error on line 169 ` [type=TICK]
>>> /usr/share/selinux/devel/include/contrib/virt.if: Syntax error on line 220 ' [type=SQUOTE]
```

FEDORA-2025-e94bfc5f12 (policycoreutils-3.7-6.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2025-e94bfc5f12

FEDORA-2025-e94bfc5f12 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-e94bfc5f12` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-e94bfc5f12 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2025-e94bfc5f12 (policycoreutils-3.7-6.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.
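
The quoting levels discussed in this bug, as an added example that is not code from the bug report, selinux-policy or policycoreutils: a simplified model of two m4 scans (argument collection, then the rescan of the `filetrans_pattern` body) applied to the file-name argument, plus a check for regex-style characters that a named transition compares literally. The macro set, the `<EXPANDED>` marker and the function names are assumptions; the sample lines are constructed from the variants quoted in the comments.

```python
import re
# Assumption: m4 macro names from the policy build that can collide with file names.
M4_MACROS = {"interface", "template"}
CALL = "filetrans_pattern("

def m4_scan(text, macros=M4_MACROS):
    """Simplified single m4 pass: strip one `...' quote level (quoted text is
    copied through unscanned) and expand bare macro names."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "`":
            depth, j = 1, i + 1
            while j < len(text) and depth:
                depth += {"`": 1, "'": -1}.get(text[j], 0)
                j += 1
            out.append(text[i + 1:j - 1 if depth == 0 else j])
            i = j
            continue
        word = re.match(r"[A-Za-z_]\w*", text[i:])
        token = word.group() if word else text[i]
        out.append("<EXPANDED>" if token in macros else token)
        i += len(token)
    return "".join(out)

def name_argument(line):
    """Return the fifth (file name) argument of a filetrans_pattern call, or None."""
    start = line.find(CALL)
    if start < 0:
        return None
    args = [a.strip() for a in line[start + len(CALL):line.rfind(")")].split(",")]
    return args[4] if len(args) >= 5 else None

def check_line(line):
    """Classify the name argument after argument collection plus one body rescan."""
    arg = name_argument(line)
    if arg is None:
        return None
    emitted = m4_scan(m4_scan(arg))
    if "<EXPANDED>" in emitted:
        return ("macro-expanded", emitted)
    if re.search(r"[()\[\]*?|\\]", emitted):
        return ("not-literal", emitted)   # named transitions compare the name literally
    return ("ok", emitted)

# Constructed sample lines using the quoting variants quoted in this bug.
SAMPLES = ["filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, %s)" % q
           for q in ('"interface"', "\"`interface'\"", "\"``interface''\"", '"interfac(e)"')]
if __name__ == "__main__":
    for s in SAMPLES:
        print(check_line(s), "<-", s)
```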