Bug 470316 - semodule segfaults when loading a base policy with fewer categories than the currently loaded policy
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: libsepol
i386 Linux
medium Severity medium
Assigned To: Daniel Walsh
BaseOS QE Security Team
Reported: 2008-11-06 12:12 EST by Stuart Sears
Modified: 2009-12-21 09:36 EST
Doc Type: Bug Fix
Last Closed: 2009-12-21 09:36:41 EST
Description Stuart Sears 2008-11-06 12:12:00 EST
Description of problem:
When building a new base policy module from the serefpolicy sources (in our source RPM), loading the new base policy segfaults if you have fewer than 1024 categories defined.

Version-Release number of selected component (if applicable):
(1.33.12-14 has the same issue)

How reproducible:
Every time

Steps to Reproduce:
1. unpack the source RPM (selinux-policy-2.4.6-106.el5_1.3)
rpmbuild -bp <specfile>
then in the serefpolicy directory...

2. edit build.conf:

3. make bare
4. make conf

5. cp %_topdir/SOURCES/modules,booleans .conf into the policy dir.

6. build the base policy
make base.pp

then try and load your new base policy module with 

7. semodule -b base.pp

Actual results:

Segmentation fault with no additional error message

Expected results:
new base policy loads (or fails with a comprehensible error message)

Additional info:
This appears to be related to the number of categories in the new base (256), when existing/loaded policy modules expect more (1024).
A more meaningful error message would be nice, rather than just a segfault :)
Comment 3 Daniel Walsh 2009-12-21 09:36:41 EST
This has been fixed in upstream, I will work in RHEL6.  But I think we just need to close next release for now.  Not a problem many customers will face.
