Bug 604707 - libsepol.expand_module: Error while indexing out symbols
libsepol.expand_module: Error while indexing out symbols
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: libsepol (Show other bugs)
5.5
All Linux
low Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-16 10:45 EDT by Joshua Roys
Modified: 2011-10-18 15:15 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-10-18 15:15:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Role remap patch (13.07 KB, patch)
2010-06-16 10:58 EDT, Joshua Brindle
no flags Details | Diff
modified patch for RHEL 5 (12.87 KB, patch)
2010-07-09 16:14 EDT, Jeff Bastian
no flags Details | Diff

  None (edit)
Description Joshua Roys 2010-06-16 10:45:23 EDT
Description of problem:
policy module fails to install

Version-Release number of selected component (if applicable):
libsepol-1.15.2-3.el5
policycoreutils-1.33.12-14.8.el5
libsemanage-1.9.1-4.4.el5

How reproducible:
semodule -vi foo.pp

Actual results:
Attempting to install module '/usr/share/selinux/targeted/tomcat.pp':
Ok: return value of 0.
Committing changes:
libsepol.expand_module: Error while indexing out symbols
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

Expected results:
successful load
Comment 1 Joshua Brindle 2010-06-16 10:58:34 EDT
Created attachment 424491 [details]
Role remap patch

This is from the selinux-historical repo, it is a patch with commit ids:

39355d9b2c7c2234e9307f5a5dce861f897547c4 and
e27a27c1bed4802688e426c1bdbbbd5f947c88c7

information on the patch is available at:
http://marc.info/?l=selinux&m=121191917322066&w=2
Comment 2 Jeff Bastian 2010-07-09 15:37:32 EDT
The patch in comment 1 needs some work for RHEL 5's libsepol.

The first file in the patch, policy_define.c, doesn't exist for RHEL 5.  I see it in setools-3.3.7-2.el6 source for RHEL 6, but not for the older setools-3.0-3.el5 in RHEL 5.


$ cd RHEL-5/libsepol-1.15.2/
$ patch -p2 < /tmp/role-remap.patch
can't find file to patch at input line 5
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:                                                
--------------------------                                                      
|diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c         
|index eb46268..9f49043 100644                                                  
|--- a/checkpolicy/policy_define.c                                              
|+++ b/checkpolicy/policy_define.c                                              
--------------------------                                                      
File to patch:                                                                  
Skip this patch? [y] 
Skipping patch.
1 out of 1 hunk ignored
patching file include/sepol/policydb/expand.h
Hunk #1 FAILED at 43.
Hunk #2 FAILED at 59.
2 out of 2 hunks FAILED -- saving rejects to file include/sepol/policydb/expand.h.rej
patching file src/expand.c
Hunk #1 FAILED at 41.
Hunk #2 succeeded at 66 with fuzz 1 (offset 14 lines).
Hunk #3 FAILED at 167.
Hunk #4 succeeded at 329 with fuzz 1 (offset 15 lines).
Hunk #5 succeeded at 561 (offset 25 lines).
Hunk #6 FAILED at 569.
Hunk #7 FAILED at 596.
Hunk #8 FAILED at 610.
Hunk #9 FAILED at 629.
Hunk #10 FAILED at 736.
Hunk #11 FAILED at 800.
Hunk #12 FAILED at 982.
Hunk #13 FAILED at 1049.
Hunk #14 FAILED at 1102.
Hunk #15 FAILED at 1702.
Hunk #16 FAILED at 1886.
Hunk #17 FAILED at 1914.
Hunk #18 FAILED at 1959.
Hunk #19 FAILED at 1973.
Hunk #20 FAILED at 2283.
Hunk #21 FAILED at 2294.
Hunk #22 succeeded at 2305 (offset -48 lines).
Hunk #23 succeeded at 2418 with fuzz 1 (offset -43 lines).
Hunk #24 FAILED at 2525.
19 out of 24 hunks FAILED -- saving rejects to file src/expand.c.rej
patching file src/policydb.c
Reversed (or previously applied) patch detected!  Assume -R? [n] 
Apply anyway? [n] 
Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file src/policydb.c.rej
patching file src/users.c
Reversed (or previously applied) patch detected!  Assume -R? [n] 
Apply anyway? [n] 
Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file src/users.c.rej
Comment 3 Jeff Bastian 2010-07-09 15:44:52 EDT
Oops, the errors in comment 2 are from trying to apply the patch twice.

Here's starting from scratch; it's much cleaner but still has a few problems:

$ patch -p2 < /tmp/role-remap.patch
can't find file to patch at input line 5
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
|index eb46268..9f49043 100644
|--- a/checkpolicy/policy_define.c
|+++ b/checkpolicy/policy_define.c
--------------------------
File to patch: 
Skip this patch? [y] 
Skipping patch.
1 out of 1 hunk ignored
patching file include/sepol/policydb/expand.h
Hunk #1 FAILED at 43.
Hunk #2 succeeded at 57 (offset -2 lines).
1 out of 2 hunks FAILED -- saving rejects to file include/sepol/policydb/expand.h.rej
patching file src/expand.c
Hunk #1 FAILED at 41.
Hunk #2 succeeded at 49 (offset -3 lines).
Hunk #3 succeeded at 157 (offset -10 lines).
Hunk #4 succeeded at 304 (offset -10 lines).
Hunk #5 succeeded at 517 (offset -19 lines).
Hunk #6 succeeded at 550 (offset -19 lines).
Hunk #7 succeeded at 580 (offset -19 lines).
Hunk #8 succeeded at 595 (offset -19 lines).
Hunk #9 succeeded at 613 (offset -19 lines).
Hunk #10 succeeded at 716 (offset -19 lines).
Hunk #11 succeeded at 781 (offset -19 lines).
Hunk #12 succeeded at 957 (offset -21 lines).
Hunk #13 succeeded at 1026 (offset -21 lines).
Hunk #14 succeeded at 1079 (offset -21 lines).
Hunk #15 succeeded at 1639 (offset -61 lines).
Hunk #16 succeeded at 1823 (offset -61 lines).
Hunk #17 succeeded at 1834 (offset -61 lines).
Hunk #18 succeeded at 1879 (offset -61 lines).
Hunk #19 succeeded at 1895 (offset -61 lines).
Hunk #20 FAILED at 2276.
Hunk #21 FAILED at 2287.
Hunk #22 succeeded at 2249 (offset -97 lines).
Hunk #23 succeeded at 2357 (offset -97 lines).
Hunk #24 FAILED at 2518.
4 out of 24 hunks FAILED -- saving rejects to file src/expand.c.rej
patching file src/policydb.c
Hunk #1 succeeded at 521 (offset -38 lines).
patching file src/users.c
Comment 4 Jeff Bastian 2010-07-09 16:14:31 EDT
Created attachment 430752 [details]
modified patch for RHEL 5

I've made some adjustments to the patch from comment 1 so it applies cleanly to RHEL 5's libsepol.

Comments & concerns:
1. I ignored the first hunk for checkpolicy/policy_define.c
2. The failed hunks for expand.h and expand.c were because the boolmap
   variable was not defined.  I added it as the original patch showed.
3. The remainder of the hunks were just line fuzziness problems.

I have NOT attempted to compile libsepol with this patch yet.
Comment 5 Jeff Bastian 2010-07-09 17:35:34 EDT
It compiled cleanly for me and tools like restorecon, setsebool, semodule, and semanage still seem to work correctly.
Comment 7 Jeff Bastian 2010-07-09 17:40:40 EDT
Joshua Roys, can you attach the source for your reproducer module so I can test to see if the patch fixes the original problem?  Or, if you'd prefer, can you test with the patch?
Comment 9 Josh 2010-07-30 15:55:21 EDT
(In reply to comment #7)
> Joshua Roys, can you attach the source for your reproducer module so I can test
> to see if the patch fixes the original problem?  Or, if you'd prefer, can you
> test with the patch?    

I can confirm that this patch fixes the original problem.

-josh
Comment 10 Miroslav Grepl 2010-08-05 04:32:05 EDT
> How reproducible:
> semodule -vi foo.pp
> 
> Actual results:
> Attempting to install module '/usr/share/selinux/targeted/tomcat.pp':
> Ok: return value of 0.
> Committing changes:
> libsepol.expand_module: Error while indexing out symbols
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule:  Failed!
> 
> Expected results:
> successful load    

Would it be possible to attach tomcat.te file?
Comment 12 RHEL Product and Program Management 2011-05-31 10:27:12 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Note You need to log in before you can comment on or make changes to this bug.