Bug 470316 - semodule segfaults when loading a base policy with fewer categories than the currently loaded policy
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: libsepol
Version: 5.2
Hardware: i386 Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Daniel Walsh
QA Contact: BaseOS QE Security Team

Reported: 2008-11-06 12:12 EST by Stuart Sears
Modified: 2009-12-21 09:36 EST
Doc Type: Bug Fix
Last Closed: 2009-12-21 09:36:41 EST

Description Stuart Sears 2008-11-06 12:12:00 EST
Description of problem:
When building a new base policy module from the serefpolicy sources (in our source RPM), loading the new base policy segfaults if you have fewer than 1024 categories defined.

Version-Release number of selected component (if applicable):
policycoreutils-1.33.12-12.el5
(1.33.12-14 has the same issue)

How reproducible:
Every time

Steps to Reproduce:
1. unpack the source RPM (selinux-policy-2.4.6-106.el5_1.3)
rpmbuild -bp <specfile>
then in the serefpolicy directory...

2. edit build.conf:
DISTRO=redhat
TYPE=targeted-mcs
NAME=targeted
POLY=y
MONOLITHIC=n
QUIET=n
DIRECT_INITRC=y

3. make bare
4. make conf

5. cp %_topdir/SOURCES/modules,booleans .conf into the policy dir.

6. build the base policy
make base.pp

then try and load your new base policy module with 

7. semodule -b base.pp
  
Actual results:

Segmentation fault with no additional error message


Expected results:
new base policy loads (or fails with a comprehensible error message)

Additional info:
This appears to be related to the number of categories in the new base (256), when existing/loaded policy modules expect more (1024).
A more meaningful error message would be nice, rather than just a segfault :)
Comment 3 Daniel Walsh 2009-12-21 09:36:41 EST
This has been fixed in upstream, I will work in RHEL6.  But I think we just need to close next release for now.  Not a problem many customers will face.
