Bug 444451 - Can't build selinux policy modules
Can't build selinux policy modules
Product: Fedora
Classification: Fedora
Component: checkpolicy (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks: 588260
  Show dependency treegraph
Reported: 2008-04-28 10:29 EDT by Carl Roth
Modified: 2016-08-31 03:41 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 588260 (view as bug list)
Last Closed: 2012-08-16 18:07:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch for checkpolicy (1.61 KB, patch)
2008-05-05 11:25 EDT, Stephen Smalley
no flags Details | Diff

  None (edit)
Description Carl Roth 2008-04-28 10:29:33 EDT
Description of problem:

I'm not able to build selinux policy modules using selinux-policy-devel and
checkpolicy.  The same selinux policy module source that works fine in F8 fails
to build in F9:

[roth@huggy selinux]$ make NAME=targeted -f /usr/share/selinux/devel/Makefile
Compiling targeted ursus-mock-utils module
/usr/bin/checkmodule:  loading policy configuration from tmp/ursus-mock-utils.tmp
ursus-mock-utils.te":12:ERROR 'syntax error' at token '' on line 1019:
#line 12
                module ursus_mock_utils;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/ursus-mock-utils.mod] Error 1

Help me out here -- has the macro API for policy modules changed recently?

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create an empty .if file
2. Create an empty .fc file
3. Create a .te file with a single policy_module statement
4. Compile using the above statement

Actual results:

Expected results:

Additional info:
Comment 1 Daniel Walsh 2008-04-28 15:26:32 EDT


Comment 2 Carl Roth 2008-04-29 10:31:06 EDT
That's pretty much the exact syntax I was using (but without the whitespace). 
It doesn't work.
Comment 3 Carl Roth 2008-04-29 10:37:32 EDT
Fun!  I noodled around with it a bit more, and noticed that the example policy
module *does* work.  It turns out that the culprit is the version number.  A
two-part (3.2) or three-part (3.2.3) version number works, but a four-part
version ( does not.  All because I wanted to test a pre-release build
of my package...

This does appear to be a new behavior with the policy toolchain shipping with F9.

I'll continue to assert that this a bug, but clearly not high- or
medium-priority since the workaround is obvious.
Comment 4 Stephen Smalley 2008-05-05 08:30:14 EDT
Looks like this regression was introduced in checkpolicy version 2.0.5.
It is a checkpolicy bug, not a libsepol bug.
Comment 5 Stephen Smalley 2008-05-05 08:36:44 EDT
I've notified the responsible party of the regression.
BTW, please take these kinds of bug reports to selinux@tycho.nsa.gov.
Don't just cc me on them.
Comment 6 Stephen Smalley 2008-05-05 11:25:55 EDT
Created attachment 304529 [details]
Patch for checkpolicy
Comment 7 Daniel Walsh 2008-05-06 14:42:05 EDT
Patch works for me

Fixed in checkpolicy-2.0.14-2
Comment 9 Milos Malik 2009-11-12 05:32:10 EST
I don't know how exactly is policy_module() defined, but what about one-part version number?

Comment 10 Daniel Walsh 2009-11-12 08:41:08 EST
That is a macro definition and would have to go through m4 to get to something that looks like

module ursus_mock_utils 1;

Which should work.
Comment 11 Daniel Walsh 2010-05-03 09:49:05 EDT
I guess this is still broken.

# more empty.te 

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted empty module
/usr/bin/checkmodule:  loading policy configuration from tmp/empty.tmp
empty.te":1:ERROR 'syntax error' at token '1' on line 1022:
		module dan 1;
#line 1
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/empty.mod] Error 1

# more empty.te 
# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted empty module
/usr/bin/checkmodule:  loading policy configuration from tmp/empty.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/empty.mod
Creating targeted empty.pp policy package
rm tmp/empty.mod tmp/empty.mod.fc
Comment 12 Bug Zapper 2010-07-30 06:31:57 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle.
Changing version to '14'.

More information and reason for this action is here:
Comment 13 Fedora End Of Life 2012-08-16 18:07:36 EDT
This message is a notice that Fedora 14 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 14. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 14 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 

Note You need to log in before you can comment on or make changes to this bug.