Bug 739866 - checkpolicy cannot parse /selinux/policy on ppc64 and s390x
Summary: checkpolicy cannot parse /selinux/policy on ppc64 and s390x
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: kernel
Version: 6.2
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Paul Moore
QA Contact: Milos Malik
Blocks: 767187
Reported: 2011-09-20 09:17 UTC by Karel Srot
Modified: 2014-10-14 05:07 UTC (History)

Fixed In Version: kernel-2.6.32-471.el6
Doc Type: Bug Fix
Last Closed: 2014-10-14 05:07:53 UTC




Links:
  System: Red Hat Product Errata
  ID: RHSA-2014:1392
  Priority: normal
  Status: SHIPPED_LIVE
  Summary: Important: kernel security, bug fix, and enhancement update
  Last Updated: 2014-10-14 01:28:44 UTC

Description Karel Srot 2011-09-20 09:17:26 UTC
Description of problem:

Appears on ppc64 and s390x.

[root@auto-ppcp-001 ~]# checkpolicy -Mdb /selinux/policy
checkpolicy:  loading policy configuration from /selinux/policy
libsepol.policydb_index_others: security:  9 users, 13 roles, 3546 types, 176 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  81 classes, 220670 rules, 252160 cond rules
security: ebitmap: map size 3264 does not match my size 64 (high bit was 3360)
checkpolicy:  error(s) encountered while parsing configuration

[root@auto-ppcp-001 ~]# checkpolicy -Mdb /etc/selinux/targeted/policy/policy.24
checkpolicy:  loading policy configuration from /etc/selinux/targeted/policy/policy.24
libsepol.policydb_index_others: security:  9 users, 13 roles, 3546 types, 176 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  81 classes, 220670 rules, 252160 cond rules
checkpolicy:  policy configuration loaded

Select an option:
0)  Call compute_access_vector
1)  Call sid_to_context
2)  Call context_to_sid
3)  Call transition_sid
4)  Call member_sid
5)  Call change_sid
6)  Call list_sids
7)  Call load_policy
8)  Call fs_sid
9)  Call port_sid
a)  Call netif_sid
b)  Call node_sid
c)  Call fs_use
d)  Call genfs_sid
e)  Call get_user_sids
f)  display conditional bools
g)  display conditional expressions
h)  change a boolean value
m)  Show menu again
q)  Exit

Choose:  q



[root@auto-ppcp-001 ~]# rpm -q checkpolicy selinux-policy kernel
checkpolicy-2.0.22-1.el6.ppc64
selinux-policy-3.7.19-110.el6.noarch
kernel-2.6.32-192.el6.ppc64
kernel-2.6.32-197.el6.ppc64
kernel-2.6.32-198.el6.ppc64
[root@auto-ppcp-001 ~]# uname -a
Linux auto-ppcp-001.ss.eng.bos.redhat.com 2.6.32-198.el6.ppc64 #1 SMP Thu Sep 15 23:44:30 EDT 2011 ppc64 ppc64 ppc64 GNU/Linux

Comment 1 Eric Paris 2011-09-20 11:46:33 UTC
Reassigning to kernel.  I'll have to take a closer look at the bitmap writeback code.  Is pagesize != 4096 on these platforms? (I didn't think it mattered, but it's the only thing I can think of that would be different with the platform and possibly wrong with the code.)

Comment 2 Karel Srot 2011-09-20 12:05:36 UTC
s390x says 65536 B, ppc64 4096 B.

Comment 3 Stephen Smalley 2011-09-20 14:24:36 UTC
If you copy the file first, does that make any difference?
cp /selinux/policy mypolicy
checkpolicy -Mdb mypolicy

That would exercise the read()-based interface rather than the mmap()-based one.

Could also be an endianness issue.  Policy should be in little endian format and converted when read/written.  Maybe something didn't get converted when writing it out in the kernel.

Also somewhat complicated by the fact that the kernel ebitmap is no longer identical to the userspace one and has to be converted.

Comment 4 Karel Srot 2011-09-20 14:32:02 UTC
(In reply to comment #3)
> If you copy the file first, does that make any difference?
> cp /selinux/policy mypolicy
> checkpolicy -Mdb mypolicy

no difference
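The exchange above points at byte order and at the kernel's ebitmap layout differing from the userspace one, which the kernel has to convert when it writes /selinux/policy. The program below is an added illustration, not code from the kernel, checkpolicy or libsepol: it encodes and decodes the ebitmap wire layout that a libsepol-style reader checks, assumed here to be u32 mapunit (must be 64), u32 highbit, u32 count, followed by count pairs of u32 startbit / u64 map, with every field little-endian. Byte order is converted explicitly, so the output is identical on little- and big-endian hosts, and the decoder runs the sanity checks that correspond to the "map size ... does not match my size 64" line in the report. The function names, the sample bitmap and the corrupted header value 3264 are constructed for this example.

```c
/* Added example, not code from the kernel or libsepol: the ebitmap wire
 * layout that libsepol's reader checks, encoded and decoded with explicit
 * little-endian conversion so the result is host-byte-order independent.
 * Assumed layout: u32 mapunit(=64), u32 highbit, u32 count, then
 * count x { u32 startbit, u64 map }, every field little-endian. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EB_MAPSIZE 64u /* bits per node on the wire: sizeof(uint64_t) * 8 */

enum eb_status { EB_OK = 0, EB_SHORT, EB_BAD_MAPUNIT, EB_BAD_HIGHBIT,
                 EB_BAD_STARTBIT, EB_BAD_ORDER, EB_EMPTY_MAP, EB_TOO_BIG };

/* Assemble bytes explicitly instead of memcpy'ing host-order integers. */
static void put_le32(uint8_t *p, uint32_t v)
{ for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put_le64(uint8_t *p, uint64_t v)
{ for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t get_le32(const uint8_t *p)
{ uint32_t v = 0; for (int i = 0; i < 4; i++) v |= (uint32_t)p[i] << (8 * i); return v; }
static uint64_t get_le64(const uint8_t *p)
{ uint64_t v = 0; for (int i = 0; i < 8; i++) v |= (uint64_t)p[i] << (8 * i); return v; }

/* words[w] covers bits 64*w .. 64*w+63; only non-zero words become nodes.
 * Returns bytes written, or 0 if out is too small. */
size_t ebitmap_encode(const uint64_t *words, size_t nwords,
                      uint8_t *out, size_t outlen)
{
    uint32_t count = 0, highbit = 0;
    for (size_t w = 0; w < nwords; w++)
        if (words[w]) { count++; highbit = (uint32_t)((w + 1) * EB_MAPSIZE); }
    size_t need = 12 + (size_t)count * 12;
    if (outlen < need) return 0;
    put_le32(out, EB_MAPSIZE);
    put_le32(out + 4, highbit);
    put_le32(out + 8, count);
    uint8_t *p = out + 12;
    for (size_t w = 0; w < nwords; w++) {
        if (!words[w]) continue;
        put_le32(p, (uint32_t)(w * EB_MAPSIZE));
        put_le64(p + 4, words[w]);
        p += 12;
    }
    return need;
}

/* Decode with the sanity checks a libsepol-style reader applies; words is
 * zero-filled first so absent nodes read back as empty. */
enum eb_status ebitmap_decode(const uint8_t *in, size_t inlen,
                              uint64_t *words, size_t nwords, uint32_t *highbit_out)
{
    if (inlen < 12) return EB_SHORT;
    uint32_t mapunit = get_le32(in), highbit = get_le32(in + 4), count = get_le32(in + 8);
    if (mapunit != EB_MAPSIZE) return EB_BAD_MAPUNIT; /* "map size X does not match my size 64" */
    if ((highbit & (EB_MAPSIZE - 1)) || (highbit && !count)) return EB_BAD_HIGHBIT;
    if (highbit / EB_MAPSIZE > nwords) return EB_TOO_BIG;
    if (inlen < 12 + (size_t)count * 12) return EB_SHORT;
    memset(words, 0, nwords * sizeof(*words));
    const uint8_t *p = in + 12;
    uint32_t prev = 0;
    for (uint32_t i = 0; i < count; i++, p += 12) {
        uint32_t startbit = get_le32(p);
        uint64_t map = get_le64(p + 4);
        if ((startbit & (EB_MAPSIZE - 1)) || highbit < EB_MAPSIZE ||
            startbit > highbit - EB_MAPSIZE) return EB_BAD_STARTBIT;
        if (i && startbit <= prev) return EB_BAD_ORDER; /* nodes must ascend */
        if (!map) return EB_EMPTY_MAP;
        words[startbit / EB_MAPSIZE] = map;
        prev = startbit;
    }
    *highbit_out = highbit;
    return EB_OK;
}

/* Round-trip a constructed bitmap, then corrupt the mapunit field to the
 * value seen in the report. Returns 0 when every step behaves as expected,
 * otherwise the number of the step that failed. */
int ebitmap_roundtrip_demo(void)
{
    const uint64_t in[3] = { 0x1ULL, 0, 0x8000000000000000ULL }; /* constructed */
    uint64_t out[3]; uint8_t buf[64]; uint32_t hb;
    size_t n = ebitmap_encode(in, 3, buf, sizeof buf);
    if (n != 36 || get_le32(buf + 8) != 2) return 1;          /* two nodes written */
    if (ebitmap_decode(buf, n, out, 3, &hb) != EB_OK) return 2;
    if (hb != 192 || memcmp(in, out, sizeof in) != 0) return 3;
    put_le32(buf, 3264);                                        /* corrupted header */
    if (ebitmap_decode(buf, n, out, 3, &hb) != EB_BAD_MAPUNIT) return 4;
    return 0;
}

int main(void)
{
    int rc = ebitmap_roundtrip_demo();
    if (rc) printf("step %d failed\n", rc); else puts("ebitmap round trip ok");
    return rc;
}
```

Because every field goes through put_le*/get_le*, the same bytes come out on ppc64, s390x and x86_64; a writer that copied host-order integers instead would produce a file that only a same-endian reader could parse, and the header checks in ebitmap_decode are what turn such a mismatch into an early, explicit error rather than a misread policy.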

Comment 6 RHEL Product and Program Management 2012-05-03 05:36:04 UTC
Since RHEL 6.3 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 7 RHEL Product and Program Management 2014-03-26 00:22:18 UTC
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.

Comment 12 Rafael Aquini 2014-05-30 02:24:43 UTC
Patch(es) available on kernel-2.6.32-471.el6

Comment 16 errata-xmlrpc 2014-10-14 05:07:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-1392.html

