Bug 722506

Summary: some .te files cannot be compiled because interfaces contain errors
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.1
Reporter: Milos Malik <mmalik>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
CC: dwalsh, syeghiay
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-117.el6
Doc Type: Bug Fix
Last Closed: 2011-12-06 10:09:30 UTC
Bug Blocks: 748554
Attachments:
- compilation errors found today (flags: none)
- another set of errors (flags: none)
- yet another set of errors (flags: none)
- list of compilation errors I found today (flags: none)

Description Milos Malik 2011-07-15 14:43:27 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-93.el6_1.2.noarch
selinux-policy-targeted-3.7.19-93.el6_1.2.noarch
selinux-policy-mls-3.7.19-93.el6_1.2.noarch
selinux-policy-doc-3.7.19-93.el6_1.2.noarch
selinux-policy-minimum-3.7.19-93.el6_1.2.noarch

How reproducible:
always

Steps to Reproduce:
1) create a .te file which contains the following lines:
policy_module(pokus,1.0)
type test_domain_t;
domain_type(test_domain_t)
type test_domain2_t;
domain_type(test_domain2_t)
type test_private_t;
role test_r;
cron_rw_inherited_spool_files( test_domain_t)

2) run the following command in the same directory:
make -f /usr/share/selinux/devel/Makefile
  
Actual results:
Compiling targeted cron_rw_inherited_spool_files module
/usr/bin/checkmodule:  loading policy configuration from tmp/cron_rw_inherited_spool_files.tmp
cron_rw_inherited_spool_files.te":8:ERROR 'unknown type cron_spool_t' at token ';' on line 4194:
    allow test_domain_t cron_spool_t:file { getattr read write append ioctl lock };
#line 8
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/cron_rw_inherited_spool_files.mod] Error 1

Expected results:
no errors

Comment 1 Milos Malik 2011-07-15 14:50:39 UTC
Another input file
===========
policy_module(pokus,1.0)
type test_domain_t;
domain_type(test_domain_t)
type test_domain2_t;
domain_type(test_domain2_t)
type test_private_t;
role test_r;
inn_exec( test_domain_t)

Similar output
=========
Compiling targeted inn_exec module
/usr/bin/checkmodule:  loading policy configuration from tmp/inn_exec.tmp
inn_exec.te":8:ERROR 'unknown type innd_exec_t' at token ';' on line 4194:
	allow test_domain_t innd_exec_t:file { { getattr open read execute ioctl } ioctl lock execute_no_trans };
#line 8
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/inn_exec.mod] Error 1

Comment 2 Milos Malik 2011-07-15 14:53:09 UTC
Yet another input file
=============
policy_module(pokus,1.0)
type test_domain_t;
domain_type(test_domain_t)
type test_domain2_t;
domain_type(test_domain2_t)
type test_private_t;
role test_r;
matahari_admin( test_domain_t, test_r)

Similar output
=========
Compiling targeted matahari_admin module
/usr/bin/checkmodule:  loading policy configuration from tmp/matahari_admin.tmp
matahari_admin.te":8:ERROR 'unknown type matahari_initrc_exec_t' at token ';' on line 4240:
	allow test_domain_t matahari_initrc_exec_t:file { getattr open read execute };
#line 8
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/matahari_admin.mod] Error 1

Comment 3 Miroslav Grepl 2011-07-15 14:56:57 UTC
Milos,
actually a file which will contain a list of these errors as an attachment would be fine.

Comment 5 Milos Malik 2011-07-15 15:27:50 UTC
That's all for today.

Compiling targeted oddjob_dontaudit_rw_fifo_file module
/usr/bin/checkmodule:  loading policy configuration from tmp/oddjob_dontaudit_rw_fifo_file.tmp
oddjob_dontaudit_rw_fifo_file.te":8:ERROR 'unknown type oddjob_t' at token ';' on line 4194:
        dontaudit test_domain_t oddjob_t:fifo_file { getattr read write append ioctl lock };
#line 8
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/oddjob_dontaudit_rw_fifo_file.mod] Error 1

Comment 6 Daniel Walsh 2011-07-15 17:42:10 UTC
Do you have a shell script to check all of these?

Comment 7 Miroslav Grepl 2011-07-18 04:45:33 UTC
I added some fixes to Fedora

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commit;h=6055344bc6b72922019a5390d2389b74d95c535e

which I guess we also need to add to RHEL6.

Milos,
also interfaces_compile_test can be run for all *.if, but interfaces_load_test can be run only for modules which are loaded in policy.

Comment 8 Miroslav Grepl 2011-07-18 04:48:24 UTC
(In reply to comment #6)
> Do you have a shell script to check all of these?

Actually we are working on this and other scripts which will be used for policy testing.

These are just the first results of unfinished test scripts.

Comment 9 Milos Malik 2011-07-18 06:20:40 UTC
(In reply to comment #6)
> Do you have a shell script to check all of these?

I'm working on it right now.

Comment 10 Milos Malik 2011-07-18 08:37:15 UTC
Created attachment 513582: compilation errors found today

Comment 11 Milos Malik 2011-07-18 15:37:17 UTC
Created attachment 513640: another set of errors

Comment 12 Milos Malik 2011-07-18 15:46:56 UTC
Interfaces defined in the following files remain to be checked (compiled):
devices.if
domain.if
kernel.if
userdomain.if
corenetwork.if

These .if files contain a huge number of interfaces, which I plan to divide into smaller groups because of error messages printed by "make -f /usr/share/selinux/devel/Makefile".
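
One way to script the check from the description and comment 12, added here as an example and not taken from the thread or from the interfaces_compile_test script it mentions: each interface gets its own one-call test module, so every "unknown type" error maps to exactly one interface. The function names, the work-directory layout and the "name args" input format are assumptions; the module template and the make command are the ones from the report.

```sh
# Added example: per-interface compile check modelled on the reproducer above.
# All function names and the directory layout are assumptions.
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile   # path from the bug report

# gen_te NAME ARGS: print a test module that calls exactly one interface.
gen_te() {
    cat <<EOF
policy_module(pokus,1.0)
type test_domain_t;
domain_type(test_domain_t)
type test_domain2_t;
domain_type(test_domain2_t)
type test_private_t;
role test_r;
$1($2)
EOF
}

# parse_errors: read make/checkmodule output, print "interface missing_type".
parse_errors() {
    sed -n "s/^\([A-Za-z0-9_]*\)\.te\":[0-9]*:ERROR 'unknown type \([A-Za-z0-9_]*\)'.*/\1 \2/p"
}

# check_interface NAME ARGS WORKDIR: build NAME.te alone in WORKDIR/NAME.
check_interface() {
    dir=$3/$1
    mkdir -p "$dir" || return 2
    gen_te "$1" "$2" > "$dir/$1.te"
    (cd "$dir" && make -f "$DEVEL_MAKEFILE" 2>&1 </dev/null) | parse_errors
}

# check_all WORKDIR: read "name args" lines on stdin, check each in turn.
check_all() {
    while read -r name args; do
        if [ -n "$name" ]; then check_interface "$name" "$args" "$1"; fi
    done
}

# Output copied from comment 1 above, for trying parse_errors offline.
sample_output() {
    cat <<'EOF'
Compiling targeted inn_exec module
inn_exec.te":8:ERROR 'unknown type innd_exec_t' at token ';' on line 4194:
	allow test_domain_t innd_exec_t:file { { getattr open read execute ioctl } ioctl lock execute_no_trans };
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/inn_exec.mod] Error 1
EOF
}
```

For example, `printf '%s\n' 'inn_exec test_domain_t' 'matahari_admin test_domain_t, test_r' | check_all /tmp/ifcheck` prints one line per failing interface with the type checkmodule reported as unknown.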

Comment 13 Milos Malik 2011-07-19 07:45:09 UTC
Created attachment 513726: yet another set of errors

Comment 14 Milos Malik 2011-07-19 07:46:15 UTC
corenetwork.if is the only .if file not inspected yet.

Comment 15 Milos Malik 2011-07-21 07:14:57 UTC
# rpm -q selinux-policy
selinux-policy-3.7.19-103.el6.noarch

Compiling targeted apache_domtrans_sys_script module
/usr/bin/checkmodule:  loading policy configuration from tmp/apache_domtrans_sys_script.tmp
apache_domtrans_sys_script.te":14:ERROR 'unknown type httpd_sys_script_exec_t' at token ';' on line 4458:
        allow test_domain_t  httpd_sys_script_exec_t:file { getattr open read execute };
#line 14
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/apache_domtrans_sys_script.mod] Error 1

Comment 16 Miroslav Grepl 2011-08-10 16:10:51 UTC
Fixed in selinux-policy-3.7.19-107.el6

Comment 21 Milos Malik 2011-08-22 13:56:06 UTC
Created attachment 519284: list of compilation errors I found today

Comment 22 Miroslav Grepl 2011-08-23 11:14:16 UTC
I have found other issues. I will send you a python script which I use.

Comment 23 Miroslav Grepl 2011-09-08 14:33:13 UTC
Fixed in selinux-policy-3.7.19-110.el6

Comment 30 Miroslav Grepl 2011-10-12 18:21:46 UTC
Fixed in selinux-policy-3.7.19-116.el6

Comment 34 errata-xmlrpc 2011-12-06 10:09:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html