Bug 470316

Summary: semodule segfaults when loading a base policy with fewer categories than the currently loaded policy
Product: Red Hat Enterprise Linux 5
Component: libsepol
Version: 5.2
Hardware: i386
OS: Linux
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Target Milestone: rc
Reporter: Stuart Sears <ssears>
Assignee: Daniel Walsh <dwalsh>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: dwalsh, mmalik
Doc Type: Bug Fix
Last Closed: 2009-12-21 14:36:41 UTC

Description Stuart Sears 2008-11-06 17:12:00 UTC
Description of problem:
When building a new base policy module from the serefpolicy sources (in our source RPM), loading the new base policy segfaults if you have fewer than 1024 categories defined.

Version-Release number of selected component (if applicable):
policycoreutils-1.33.12-12.el5
(1.33.12-14 has the same issue)

How reproducible:
Every time

Steps to Reproduce:
1. unpack the source RPM (selinux-policy-2.4.6-106.el5_1.3)
rpmbuild -bp <specfile>
then in the serefpolicy directory...

2. edit build.conf:
DISTRO=redhat
TYPE=targeted-mcs
NAME=targeted
POLY=y
MONOLITHIC=n
QUIET=n
DIRECT_INITRC=y

3. make bare
4. make conf

5. cp %_topdir/SOURCES/modules,booleans .conf into the policy dir.

6. build the base policy
make base.pp

then try and load your new base policy module with 

7. semodule -b base.pp
  
Actual results:

Segmentation fault with no additional error message


Expected results:
new base policy loads (or fails with a comprehensible error message)

Additional info:
This appears to be related to the number of categories in the new base (256), when existing/loaded policy modules expect more (1024).
A more meaningful error message would be nice, rather than just a segfault :)

Comment 3 Daniel Walsh 2009-12-21 14:36:41 UTC
This has been fixed in upstream, I will work in RHEL6.  But I think we just need to close next release for now.  Not a problem many customers will face.