Bug 739866

Summary: checkpolicy cannot parse /selinux/policy on ppc64 and s390x
Product: Red Hat Enterprise Linux 6 Reporter: Karel Srot <ksrot>
Component: kernelAssignee: Paul Moore <pmoore>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2CC: ccui, dwalsh, eparis, lilu, liwan, mmalik, pgraner, sdsmall
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: kernel-2.6.32-471.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-14 05:07:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 767187    

Description Karel Srot 2011-09-20 09:17:26 UTC 
Description of problem:

appears on ppc64 and s390x 

[root@auto-ppcp-001 ~]# checkpolicy -Mdb /selinux/policy
checkpolicy:  loading policy configuration from /selinux/policy
libsepol.policydb_index_others: security:  9 users, 13 roles, 3546 types, 176 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  81 classes, 220670 rules, 252160 cond rules
security: ebitmap: map size 3264 does not match my size 64 (high bit was 3360)
checkpolicy:  error(s) encountered while parsing configuration

[root@auto-ppcp-001 ~]# checkpolicy -Mdb /etc/selinux/targeted/policy/policy.24
checkpolicy:  loading policy configuration from /etc/selinux/targeted/policy/policy.24
libsepol.policydb_index_others: security:  9 users, 13 roles, 3546 types, 176 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  81 classes, 220670 rules, 252160 cond rules
checkpolicy:  policy configuration loaded

Select an option:
0)  Call compute_access_vector
1)  Call sid_to_context
2)  Call context_to_sid
3)  Call transition_sid
4)  Call member_sid
5)  Call change_sid
6)  Call list_sids
7)  Call load_policy
8)  Call fs_sid
9)  Call port_sid
a)  Call netif_sid
b)  Call node_sid
c)  Call fs_use
d)  Call genfs_sid
e)  Call get_user_sids
f)  display conditional bools
g)  display conditional expressions
h)  change a boolean value
m)  Show menu again
q)  Exit

Choose:  q



[root@auto-ppcp-001 ~]# rpm -q checkpolicy selinux-policy kernel
checkpolicy-2.0.22-1.el6.ppc64
selinux-policy-3.7.19-110.el6.noarch
kernel-2.6.32-192.el6.ppc64
kernel-2.6.32-197.el6.ppc64
kernel-2.6.32-198.el6.ppc64
[root@auto-ppcp-001 ~]# uname -a
Linux auto-ppcp-001.ss.eng.bos.redhat.com 2.6.32-198.el6.ppc64 #1 SMP Thu Sep 15 23:44:30 EDT 2011 ppc64 ppc64 ppc64 GNU/Linux
Comment 1 Eric Paris 2011-09-20 11:46:33 UTC 
reassigning to kernel.  I'll have to take a closer look at the bitmap writeback code.  Is pagesize != 4096 on these platforms? (I didn't think it mattered, but it's the only thing I can think of that would be different with the platform and possibly wrong with the code)
Comment 2 Karel Srot 2011-09-20 12:05:36 UTC 
s390x says 65536 B, ppc64 4096 B.
Comment 3 Stephen Smalley 2011-09-20 14:24:36 UTC 
If you copy the file first, does that make any difference?
cp /selinux/policy mypolicy
checkpolicy -Mdb mypolicy

That would exercise the read()-based interface rather than the mmap()-based one.

Could also be an endianness issue.  Policy should be in little endian format and converted when read/written.  Maybe something didn't get converted when writing it out in the kernel.

Also somewhat complicated by the fact that the kernel ebitmap is no longer identical to the userspace one and has to be converted.
Comment 4 Karel Srot 2011-09-20 14:32:02 UTC 
(In reply to comment #3)
> If you copy the file first, does that make any difference?
> cp /selinux/policy mypolicy
> checkpolicy -Mdb mypolicy

no difference
Comment 6 RHEL Program Management 2012-05-03 05:36:04 UTC 
Since RHEL 6.3 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
Comment 7 RHEL Program Management 2014-03-26 00:22:18 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.
Comment 12 Rafael Aquini 2014-05-30 02:24:43 UTC 
Patch(es) available on kernel-2.6.32-471.el6
Comment 16 errata-xmlrpc 2014-10-14 05:07:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-1392.html