Bug 739866 - checkpolicy cannot parse /selinux/policy on ppc64 and s390x
Summary: checkpolicy cannot parse /selinux/policy on ppc64 and s390x
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: kernel
Version: 6.2
Hardware: Unspecified
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Paul Moore
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 767187
TreeView+ depends on / blocked
 
Reported: 2011-09-20 09:17 UTC by Karel Srot
Modified: 2014-10-14 05:07 UTC (History)
8 users (show)

Fixed In Version: kernel-2.6.32-471.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-14 05:07:53 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1392 0 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2014-10-14 01:28:44 UTC

Description Karel Srot 2011-09-20 09:17:26 UTC 
Description of problem:

appears on ppc64 and s390x 

[root@auto-ppcp-001 ~]# checkpolicy -Mdb /selinux/policy
checkpolicy:  loading policy configuration from /selinux/policy
libsepol.policydb_index_others: security:  9 users, 13 roles, 3546 types, 176 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  81 classes, 220670 rules, 252160 cond rules
security: ebitmap: map size 3264 does not match my size 64 (high bit was 3360)
checkpolicy:  error(s) encountered while parsing configuration

[root@auto-ppcp-001 ~]# checkpolicy -Mdb /etc/selinux/targeted/policy/policy.24
checkpolicy:  loading policy configuration from /etc/selinux/targeted/policy/policy.24
libsepol.policydb_index_others: security:  9 users, 13 roles, 3546 types, 176 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  81 classes, 220670 rules, 252160 cond rules
checkpolicy:  policy configuration loaded

Select an option:
0)  Call compute_access_vector
1)  Call sid_to_context
2)  Call context_to_sid
3)  Call transition_sid
4)  Call member_sid
5)  Call change_sid
6)  Call list_sids
7)  Call load_policy
8)  Call fs_sid
9)  Call port_sid
a)  Call netif_sid
b)  Call node_sid
c)  Call fs_use
d)  Call genfs_sid
e)  Call get_user_sids
f)  display conditional bools
g)  display conditional expressions
h)  change a boolean value
m)  Show menu again
q)  Exit

Choose:  q



[root@auto-ppcp-001 ~]# rpm -q checkpolicy selinux-policy kernel
checkpolicy-2.0.22-1.el6.ppc64
selinux-policy-3.7.19-110.el6.noarch
kernel-2.6.32-192.el6.ppc64
kernel-2.6.32-197.el6.ppc64
kernel-2.6.32-198.el6.ppc64
[root@auto-ppcp-001 ~]# uname -a
Linux auto-ppcp-001.ss.eng.bos.redhat.com 2.6.32-198.el6.ppc64 #1 SMP Thu Sep 15 23:44:30 EDT 2011 ppc64 ppc64 ppc64 GNU/Linux
Comment 1 Eric Paris 2011-09-20 11:46:33 UTC 
reassigning to kernel.  I'll have to take a closer look at the bitmap writeback code.  Is pagesize != 4096 on these platforms? (I didn't think it mattered, but it's the only thing I can think of that would be different with the platform and possibly wrong with the code)
Comment 2 Karel Srot 2011-09-20 12:05:36 UTC 
s390x says 65536 B, ppc64 4096 B.
Comment 3 Stephen Smalley 2011-09-20 14:24:36 UTC 
If you copy the file first, does that make any difference?
cp /selinux/policy mypolicy
checkpolicy -Mdb mypolicy

That would exercise the read()-based interface rather than the mmap()-based one.

Could also be an endianness issue.  Policy should be in little endian format and converted when read/written.  Maybe something didn't get converted when writing it out in the kernel.

Also somewhat complicated by the fact that the kernel ebitmap is no longer identical to the userspace one and has to be converted.
Comment 4 Karel Srot 2011-09-20 14:32:02 UTC 
(In reply to comment #3)
> If you copy the file first, does that make any difference?
> cp /selinux/policy mypolicy
> checkpolicy -Mdb mypolicy

no difference
Comment 6 RHEL Program Management 2012-05-03 05:36:04 UTC 
Since RHEL 6.3 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
Comment 7 RHEL Program Management 2014-03-26 00:22:18 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.
Comment 12 Rafael Aquini 2014-05-30 02:24:43 UTC 
Patch(es) available on kernel-2.6.32-471.el6
Comment 16 errata-xmlrpc 2014-10-14 05:07:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-1392.html
Note You need to log in before you can comment on or make changes to this bug.