Bug 186344 - checkpolicy does not work on PowerPC
Product: Fedora
Classification: Fedora
Component: checkpolicy
powerpc Linux
medium Severity medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2006-03-22 20:35 EST by W. Michael Petullo
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 1.12.4-1.fc5
Doc Type: Bug Fix
Last Closed: 2006-05-09 16:58:56 EDT

Attachments
File generated on PowerPC as requested (1.01 KB, application/octet-stream)
2006-03-24 10:33 EST, W. Michael Petullo
Source code to policy fragment (244 bytes, text/plain)
2006-03-24 11:11 EST, W. Michael Petullo
Convert num_decls to little endian prior to writing it to the module. (731 bytes, patch)
2006-03-24 11:34 EST, Stephen Smalley

Description W. Michael Petullo 2006-03-22 20:35:57 EST
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1.  Create the following local.te:

module local 1.0;

require {
        role object_r;
        role system_r;

        class fifo_file getattr;
        class fifo_file write;

        type httpd_sys_content_t;
        type httpd_sys_script_t;
}

allow httpd_sys_script_t httpd_sys_content_t:fifo_file { getattr write };

2.  checkmodule -M -m -o appliance-config.mod appliance-config.te

3.  semodule_package -o appliance-config.pp -m appliance-config.mod

Actual results:
security: conditional expressions uses unknown operator.
semodule_package:  Error while reading policy module from appliance-config.mod

Expected results:
The policy module should be processed correctly, as it is on i386.

Additional info:
I am using the following packages:

Comment 1 Stephen Smalley 2006-03-23 09:26:38 EST
Don't have ppc hardware myself, and the above sequence worked on x86.
Can you attach the .mod file to this bug report please?

There was a bug fix in libsepol 1.12.1 to fix a problem in
sepol_module_package_write, but your bug report suggests a problem during the
reading of the binary policy module file, so likely not relevant.

Comment 2 W. Michael Petullo 2006-03-24 10:33:11 EST
Created attachment 126637 [details]
File generated on PowerPC as requested

Comment 3 Joshua Brindle 2006-03-24 10:40:14 EST
Can you also attach the source used to generate this binary please?

Comment 4 Stephen Smalley 2006-03-24 11:08:11 EST
I'm assuming the source is what he listed in the bug report originally
as local.te (which had no conditionals at all).  Is that correct?

Comment 5 W. Michael Petullo 2006-03-24 11:11:59 EST
Created attachment 126643 [details]
Source code to policy fragment

This is the source code to the policy fragment.  It should match what was
posted earlier.

Comment 6 Stephen Smalley 2006-03-24 11:24:43 EST
Yes, that matches.  Joshua - he is compiling with -M, so keep that in mind.
Compiling it locally on x86 and comparing the two .mod files, they differ at
bytes 406 (1 vs. 0) and 409 (0 vs. 1).

Comment 7 Stephen Smalley 2006-03-24 11:34:45 EST
Created attachment 126652 [details]
Convert num_decls to little endian prior to writing it to the module.

Given the info so far, I started looking for cases where we might be writing
out module data without converting to little endian, as all of the data is
supposed to be written out in that form and converted back upon reading.  Looks
like avrule_block_write was missing a case.  Please review attached patch. 
Note that libsepol must be rebuilt and then checkpolicy rebuilt against it, as
checkpolicy uses the static lib.
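
The byte-order mismatch discussed in comments 6 and 7, as an added example that is not part of the original bug thread and is not libsepol code. The helper names are hypothetical, the big-endian writer is simulated so the program runs on any host, and the field value of 1 is a constructed sample chosen to match the 1/0 byte swap three offsets apart reported in comment 6.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers for illustration; these are not libsepol functions. */

/* Encode v as little-endian: identical bytes on every host. */
static void put_le32(uint8_t out[4], uint32_t v)
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* Decode four little-endian bytes, as a reader of the format does. */
static uint32_t get_le32(const uint8_t in[4])
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)in[i] << (8 * i);
    return v;
}

/* What a big-endian host (PowerPC) emits unconverted; simulated here. */
static void put_raw_on_be_host(uint8_t out[4], uint32_t v)
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * (3 - i)));
}

/* Bit i of the result is set when byte i of the field differs. */
static unsigned diff_mask(const uint8_t a[4], const uint8_t b[4])
{
    unsigned mask = 0;
    for (int i = 0; i < 4; i++)
        if (a[i] != b[i])
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    uint8_t good[4], bad[4];
    uint32_t count_field = 1; /* constructed sample value */
    put_le32(good, count_field);
    put_raw_on_be_host(bad, count_field);
    printf("differing bytes (bitmask): 0x%x\n", diff_mask(good, bad));
    printf("little-endian reader decodes %u, wrote %u\n",
           (unsigned)get_le32(bad), (unsigned)count_field);
    return 0;
}
```

On a little-endian host an unconverted write and a converted write produce the same bytes, so a write/read round trip on x86 cannot expose a missing conversion; comparing output against a big-endian build, as done in comment 6, can.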

Comment 8 Stephen Smalley 2006-03-24 12:10:27 EST
Patch applied to libsepol 1.12.2 upstream.

Comment 9 Daniel Walsh 2006-05-09 16:58:56 EDT
Fixed in libsepol 1.12.4-1.fc5
