739866 – checkpolicy cannot parse /selinux/policy on ppc64 and s390x

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 739866 - checkpolicy cannot parse /selinux/policy on ppc64 and s390x

Summary: checkpolicy cannot parse /selinux/policy on ppc64 and s390x

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	6.2
Hardware:	Unspecified
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Paul Moore
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	767187
TreeView+	depends on / blocked

Reported:	2011-09-20 09:17 UTC by Karel Srot
Modified:	2014-10-14 05:07 UTC (History)
CC List:	8 users (show)
Fixed In Version:	kernel-2.6.32-471.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-10-14 05:07:53 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:1392	0	normal	SHIPPED_LIVE	Important: kernel security, bug fix, and enhancement update	2014-10-14 01:28:44 UTC

Description Karel Srot 2011-09-20 09:17:26 UTC

Description of problem:

appears on ppc64 and s390x 

[root@auto-ppcp-001 ~]# checkpolicy -Mdb /selinux/policy
checkpolicy:  loading policy configuration from /selinux/policy
libsepol.policydb_index_others: security:  9 users, 13 roles, 3546 types, 176 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  81 classes, 220670 rules, 252160 cond rules
security: ebitmap: map size 3264 does not match my size 64 (high bit was 3360)
checkpolicy:  error(s) encountered while parsing configuration

[root@auto-ppcp-001 ~]# checkpolicy -Mdb /etc/selinux/targeted/policy/policy.24
checkpolicy:  loading policy configuration from /etc/selinux/targeted/policy/policy.24
libsepol.policydb_index_others: security:  9 users, 13 roles, 3546 types, 176 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  81 classes, 220670 rules, 252160 cond rules
checkpolicy:  policy configuration loaded

Select an option:
0)  Call compute_access_vector
1)  Call sid_to_context
2)  Call context_to_sid
3)  Call transition_sid
4)  Call member_sid
5)  Call change_sid
6)  Call list_sids
7)  Call load_policy
8)  Call fs_sid
9)  Call port_sid
a)  Call netif_sid
b)  Call node_sid
c)  Call fs_use
d)  Call genfs_sid
e)  Call get_user_sids
f)  display conditional bools
g)  display conditional expressions
h)  change a boolean value
m)  Show menu again
q)  Exit

Choose:  q



[root@auto-ppcp-001 ~]# rpm -q checkpolicy selinux-policy kernel
checkpolicy-2.0.22-1.el6.ppc64
selinux-policy-3.7.19-110.el6.noarch
kernel-2.6.32-192.el6.ppc64
kernel-2.6.32-197.el6.ppc64
kernel-2.6.32-198.el6.ppc64
[root@auto-ppcp-001 ~]# uname -a
Linux auto-ppcp-001.ss.eng.bos.redhat.com 2.6.32-198.el6.ppc64 #1 SMP Thu Sep 15 23:44:30 EDT 2011 ppc64 ppc64 ppc64 GNU/Linux

Comment 1 Eric Paris 2011-09-20 11:46:33 UTC

reassigning to kernel.  I'll have to take a closer look at the bitmap writeback code.  Is pagesize != 4096 on these platforms? (I didn't think it mattered, but it's the only thing I can think of that would be different with the platform and possibly wrong with the code)

Comment 2 Karel Srot 2011-09-20 12:05:36 UTC

s390x says 65536 B, ppc64 4096 B.

Comment 3 Stephen Smalley 2011-09-20 14:24:36 UTC

If you copy the file first, does that make any difference?
cp /selinux/policy mypolicy
checkpolicy -Mdb mypolicy

That would exercise the read()-based interface rather than the mmap()-based one.

Could also be an endianness issue.  Policy should be in little endian format and converted when read/written.  Maybe something didn't get converted when writing it out in the kernel.

Also somewhat complicated by the fact that the kernel ebitmap is no longer identical to the userspace one and has to be converted.

Comment 4 Karel Srot 2011-09-20 14:32:02 UTC

(In reply to comment #3)
> If you copy the file first, does that make any difference?
> cp /selinux/policy mypolicy
> checkpolicy -Mdb mypolicy

no difference

Comment 6 RHEL Program Management 2012-05-03 05:36:04 UTC

Since RHEL 6.3 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 7 RHEL Program Management 2014-03-26 00:22:18 UTC

This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.

Comment 12 Rafael Aquini 2014-05-30 02:24:43 UTC

Patch(es) available on kernel-2.6.32-471.el6

Comment 16 errata-xmlrpc 2014-10-14 05:07:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-1392.html

Note You need to log in before you can comment on or make changes to this bug.