Description of problem: I'm not able to build selinux policy modules using selinux-policy-devel and checkpolicy. The same selinux policy module source that works fine in F8 fails to build in F9: [roth@huggy selinux]$ make NAME=targeted -f /usr/share/selinux/devel/Makefile Compiling targeted ursus-mock-utils module /usr/bin/checkmodule: loading policy configuration from tmp/ursus-mock-utils.tmp ursus-mock-utils.te":12:ERROR 'syntax error' at token '3.2.3.80' on line 1019: #line 12 module ursus_mock_utils 3.2.3.80; /usr/bin/checkmodule: error(s) encountered while parsing configuration make: *** [tmp/ursus-mock-utils.mod] Error 1 Help me out here -- has the macro API for policy modules changed recently? Version-Release number of selected component (if applicable): selinux-policy-targeted-3.3.1-35.fc9.noarch selinux-policy-targeted-3.3.1-35.fc9.noarch checkpolicy-2.0.14-1.fc9.x86_64 How reproducible: Always Steps to Reproduce: 1. Create an empty .if file 2. Create an empty .fc file 3. Create a .te file with a single policy_module statement 4. Compile using the above statement Actual results: Expected results: Additional info:
Does policy_module(ursus_mock_utils, 3.2.3.80) work
That's pretty much the exact syntax I was using (but without the whitespace). It doesn't work.
Fun! I noodled around with it a bit more, and noticed that the example policy module *does* work. It turns out that the culprit is the version number. A two-part (3.2) or three-part (3.2.3) version number works, but a four-part version (3.2.3.80) does not. All because I wanted to test a pre-release build of my package... This does appear to be a new behavior with the policy toolchain shipping with F9. I'll continue to assert that this a bug, but clearly not high- or medium-priority since the workaround is obvious.
Looks like this regression was introduced in checkpolicy version 2.0.5. It is a checkpolicy bug, not a libsepol bug.
I've notified the responsible party of the regression. BTW, please take these kinds of bug reports to selinux.gov. Don't just cc me on them.
Created attachment 304529 [details] Patch for checkpolicy
Patch works for me Fixed in checkpolicy-2.0.14-2
I don't know how exactly is policy_module() defined, but what about one-part version number? Example: policy_module(ursus_mock_utils,1)
That is a macro definition and would have to go through m4 to get to something that looks like module ursus_mock_utils 1; Which should work.
I guess this is still broken. # more empty.te policy_module(empty,1) # make -f /usr/share/selinux/devel/Makefile Compiling targeted empty module /usr/bin/checkmodule: loading policy configuration from tmp/empty.tmp empty.te":1:ERROR 'syntax error' at token '1' on line 1022: module dan 1; #line 1 /usr/bin/checkmodule: error(s) encountered while parsing configuration make: *** [tmp/empty.mod] Error 1 # more empty.te policy_module(empty,1.0) # make -f /usr/share/selinux/devel/Makefile Compiling targeted empty module /usr/bin/checkmodule: loading policy configuration from tmp/empty.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 10) to tmp/empty.mod Creating targeted empty.pp policy package rm tmp/empty.mod tmp/empty.mod.fc
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle. Changing version to '14'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This message is a notice that Fedora 14 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 14. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '14' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 14 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping