Linux Archive


"Clarkson, Mike R (US SSA)" 11-27-2007 03:36 PM

policy compile error
 
I just downloaded the policy source from redhat (serefpolicy-2.4.6) and
attempted to build a strict-mls loadable module policy and got the
following compile error:

Compiling mls base module
/usr/bin/checkmodule -M base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
policy/modules/kernel/domain.te:174:ERROR 'unknown type ipsec_spd_t' at
token ';' on line 10298:
allow domain ipsec_spd_t:association polmatch;
#line 174
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1


Here is the offending portion of domain.te:

ifdef(`enable_mls',`
tunable_policy(`allow_netlabel',`
kernel_raw_recvfrom_unlabeled(domain)
kernel_tcp_recvfrom_unlabeled(domain)
kernel_udp_recvfrom_unlabeled(domain)
')
tunable_policy(`allow_ipsec_label',`
ipsec_labeled(domain)
')
')


Since domain is a base module and ipsec is a loadable module, doesn't
the call to the ipsec_labeled interface need to be wrapped in an
optional_policy statement? Since nesting conditional statements aren't
supported, I had to comment out the tunable_policy statement to get this
to compile:
#tunable_policy(`allow_ipsec_label',`
optional_policy(`
ipsec_labeled(domain)
')
#')

What's the right fix for this?


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Daniel J Walsh 12-03-2007 02:59 PM

policy compile error
 
Clarkson, Mike R (US SSA) wrote:
> I just downloaded the policy source from redhat (serefpolicy-2.4.6) and
> attempted to build a strict-mls loadable module policy and got the
> following compile error:
>
> Compiling mls base module
> /usr/bin/checkmodule -M base.conf -o tmp/base.mod
> /usr/bin/checkmodule: loading policy configuration from base.conf
> policy/modules/kernel/domain.te:174:ERROR 'unknown type ipsec_spd_t' at
> token ';' on line 10298:
> allow domain ipsec_spd_t:association polmatch;
> #line 174
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/base.mod] Error 1
>
>
> Here is the offending portion of domain.te:
>
> ifdef(`enable_mls',`
> tunable_policy(`allow_netlabel',`
> kernel_raw_recvfrom_unlabeled(domain)
> kernel_tcp_recvfrom_unlabeled(domain)
> kernel_udp_recvfrom_unlabeled(domain)
> ')
> tunable_policy(`allow_ipsec_label',`
> ipsec_labeled(domain)
> ')
> ')
>
>
> Since domain is a base module and ipsec is a loadable module, doesn't
> the call to the ipsec_labeled interface need to be wrapped in an
> optional_policy statement? Since nesting conditional statements aren't
> supported, I had to comment out the tunable_policy statement to get this
> to compile:
> #tunable_policy(`allow_ipsec_label',`
> optional_policy(`
> ipsec_labeled(domain)
> ')
> #')
>
> What's the right fix for this?

You should move the optional_policy lines outside of the tunable_policy,
then it should work.

Also, modules-mls.conf has ipsec as a base module, while targeted has
it as a module.
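An added example, not part of the thread or of the reference policy build system: a small Python check that flags calls from a base-module .te file into interfaces of loadable modules that are not inside optional_policy, which is the condition behind the 'unknown type ipsec_spd_t' error above. The modules.conf and .te samples are constructed, and mapping an interface to its module by name prefix (ipsec_labeled belongs to ipsec) is an assumption.

```python
import re

# Constructed modules.conf sample: "<module> = base | module | off"
MODULES_CONF = "domain = base\nkernel = base\nipsec = module\n"

# Constructed .te fragments modelled on the domain.te excerpt in the thread
BROKEN = """ifdef(`enable_mls',`
tunable_policy(`allow_ipsec_label',`
ipsec_labeled(domain)
')
')
"""
FIXED = """ifdef(`enable_mls',`
optional_policy(`
tunable_policy(`allow_ipsec_label',`
ipsec_labeled(domain)
')
')
')
"""

def loadable_modules(conf):
    """Names that modules.conf builds as loadable modules rather than into base."""
    pairs = re.findall(r"^\s*(\w+)\s*=\s*(\w+)", conf, re.M)
    return {name for name, kind in pairs if kind == "module"}

def unguarded_calls(te_text, loadable):
    """(line, interface) for calls into loadable modules outside optional_policy."""
    findings, stack = [], []  # stack: macro name owning each open parenthesis
    for lineno, line in enumerate(te_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop comments, e.g. a commented-out wrapper
        for m in re.finditer(r"(\w+)\(|\(|\)", code):
            if m.group() == ")":
                if stack:
                    stack.pop()
                continue
            name = m.group(1) or ""
            # Assumption: an interface belongs to the module its name is prefixed with
            foreign = any(name.startswith(mod + "_") for mod in loadable)
            if foreign and "optional_policy" not in stack:
                findings.append((lineno, name))
            stack.append(name)
    return findings

if __name__ == "__main__":
    mods = loadable_modules(MODULES_CONF)
    print("broken:", unguarded_calls(BROKEN, mods))
    print("fixed: ", unguarded_calls(FIXED, mods))
```

With ipsec listed as base, as the reply says modules-mls.conf does, the same excerpt produces no findings, because the interface's types are then compiled into base.mod.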

