Description of problem:

Version-Release number of selected component (if applicable):
checkpolicy-1.29.4-1

How reproducible:
Every time

Steps to Reproduce:
1. Create the following local.te:

module local 1.0;
require {
    role object_r;
    role system_r;
    class fifo_file getattr;
    class fifo_file write;
    type httpd_sys_content_t;
    type httpd_sys_script_t;
};
allow httpd_sys_script_t httpd_sys_content_t:fifo_file { getattr write };

2. checkmodule -M -m -o appliance-config.mod appliance-config.te
3. semodule_package -o appliance-config.pp -m appliance-config.mod

Actual results:
security: conditional expressions uses unknown operator.
semodule_package: Error while reading policy module from appliance-config.mod

Expected results:
The policy module should be processed correctly, as it is on i386.

Additional info:
I am using the following packages:
selinux-policy-2.2.23-15
libselinux-python-1.29.7-1.2
libselinux-1.29.7-1.2
selinux-policy-targeted-2.2.23-15
policycoreutils-1.29.26-6
checkpolicy-1.29.4-1
Don't have ppc hardware myself, and the above sequence worked on x86. Can you attach the .mod file to this bug report please? There was a bug fix in libsepol 1.12.1 to fix a problem in sepol_module_package_write, but your bug report suggests a problem during the reading of the binary policy module file, so likely not relevant.
Created attachment 126637
File generated on PowerPC as requested
Can you also attach the source used to generate this binary please?
I'm assuming the source is what he listed in the bug report originally as local.te (which had no conditionals at all). Is that correct?
Created attachment 126643
Source code to policy fragment

This is the source code to the policy fragment. It should match what was posted earlier.
Yes, that matches. Joshua - he is compiling with -M, so keep that in mind. Compiling it locally on x86 and comparing the two .mod files, they differ at bytes 406 (1 vs. 0) and 409 (0 vs. 1).
Created attachment 126652
Convert num_decls to little endian prior to writing it to the module.

Given the info so far, I started looking for cases where we might be writing out module data without converting to little endian, as all of the data is supposed to be written out in that form and converted back upon reading. Looks like avrule_block_write was missing a case. Please review attached patch. Note that libsepol must be rebuilt and then checkpolicy rebuilt against it, as checkpolicy uses the static lib.
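An added illustration of the class of bug described in the comment above (this is not libsepol's code or the attached patch): a writer that dumps a 32-bit count such as num_decls straight from memory produces correct little-endian bytes only on a little-endian host, while an explicit little-endian encoding is correct everywhere. The reader is assumed to always decode little-endian, as the comment says the module format requires.

```c
/* Added example, not libsepol code: a native dump of num_decls versus an
 * explicit little-endian encoding, checked against a little-endian reader. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* 1 on a big-endian host (e.g. PowerPC), 0 on a little-endian one (i386). */
int host_is_big_endian(void) {
    uint32_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 0;
}

/* Buggy writer: emits the in-memory bytes of the value unchanged. */
void write_raw_u32(uint32_t value, uint8_t out[4]) {
    memcpy(out, &value, 4);
}

/* Correct writer: explicit little-endian byte order regardless of host
 * (the effect of converting with cpu_to_le32 before the write). */
void write_le_u32(uint32_t value, uint8_t out[4]) {
    out[0] = (uint8_t)value;
    out[1] = (uint8_t)(value >> 8);
    out[2] = (uint8_t)(value >> 16);
    out[3] = (uint8_t)(value >> 24);
}

/* Reader side: fields in the module file are always decoded little-endian. */
uint32_t read_le_u32(const uint8_t in[4]) {
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

/* What the reader recovers when the field was written the buggy way.
 * On a big-endian host num_decls = 1 is read back as 0x01000000. */
uint32_t roundtrip_raw(uint32_t num_decls) {
    uint8_t buf[4];
    write_raw_u32(num_decls, buf);
    return read_le_u32(buf);
}

uint32_t roundtrip_le(uint32_t num_decls) {
    uint8_t buf[4];
    write_le_u32(num_decls, buf);
    return read_le_u32(buf);
}

/* 1 if both writers produced identical bytes for this value on this host
 * (the x86 case); 0 if they differ in the first and last byte of the
 * field, as seen at bytes 406 and 409 of the PowerPC .mod file. */
int raw_matches_le(uint32_t value) {
    uint8_t raw[4], le[4];
    write_raw_u32(value, raw);
    write_le_u32(value, le);
    return memcmp(raw, le, 4) == 0;
}
```

Compiling and running the functions on a big-endian machine shows roundtrip_raw(1) returning 16777216 where roundtrip_le(1) returns 1, which is the kind of corrupted count that makes the reader reject the module.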
Patch applied to libsepol 1.12.2 upstream.
Fixed in libsepol 1.12.4-1.fc5