Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BUG: syntax error at token 'userdom_read_inherited_user_tmp_files' on Debian 10 #57

Closed
zhaofangfangdeepin opened this issue Aug 8, 2019 · 4 comments · Fixed by #64
Closed

BUG: syntax error at token 'userdom_read_inherited_user_tmp_files' on Debian 10 #57

zhaofangfangdeepin opened this issue Aug 8, 2019 · 4 comments · Fixed by #64
Labels
bug priority/medium

Comments

@zhaofangfangdeepin
Copy link

zhaofangfangdeepin commented Aug 8, 2019
edited

when i make it in debian10 . i get error like this:
`# make test
make -C policy load
make[1]: Entering directory '/home/deepin/selinux-testsuite/policy'

Test for "expand-check = 0" in /etc/selinux/semanage.conf

General policy build

make[2]: Entering directory '/home/deepin/selinux-testsuite/policy/test_policy'
Compiling default test_policy module
m4:test_policy.te:224: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:632: Warning: domain_auto_trans() has been deprecated, please use domain_auto_transition_pattern() instead.
m4:test_policy.te:638: Warning: domain_auto_trans() has been deprecated, please use domain_auto_transition_pattern() instead.
m4:test_policy.te:711: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:724: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1219: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1418: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1492: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1493: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1594: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1919: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:2760: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:2761: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
/usr/bin/checkmodule: loading policy configuration from tmp/test_policy.tmp
test_policy.te:2417:ERROR 'syntax error' at token 'userdom_read_inherited_user_tmp_files' on line 101090:
userdom_read_inherited_user_tmp_files(test_overlay_mounter_t)

/usr/bin/checkmodule: error(s) encountered while parsing configuration
make[2]: *** [/usr/share/selinux/devel/include/Makefile:166: tmp/test_policy.mod] Error 1
make[2]: Leaving directory '/home/deepin/selinux-testsuite/policy/test_policy'
make[1]: *** [Makefile:110: build_general] Error 2
make[1]: Leaving directory '/home/deepin/selinux-testsuite/policy'
make: *** [Makefile:7: test] Error 2
`
@pcmoore pcmoore changed the title test_policy.te:2417:ERROR 'syntax error' at token 'userdom_read_inherited_user_tmp_files' on line 101090: BUG: domain_trans() and domain_auto_trans() are deprecated on Debian 10 Aug 8, 2019
@pcmoore pcmoore changed the title BUG: domain_trans() and domain_auto_trans() are deprecated on Debian 10 BUG: syntax error at token 'userdom_read_inherited_user_tmp_files' on Debian 10 Aug 8, 2019
@pcmoore
Copy link
Member

pcmoore commented Aug 8, 2019

Hi @zhaofangfangdeepin, I don't currently have a Debian 10 system to debug/test this - are you able to investigate this further and perhaps supply a patch?

@WOnder93
Copy link
Member

WOnder93 commented Aug 9, 2019

From the error messages it looks like @zhaofangfangdeepin builds the test policy against refpolicy (or something very similar). I managed to reproduce almost the same errors on Fedora as follows:

# WARNING: These commands modify the system configuration!
dnf install -y selinux-policy-devel
git clone https://github.com/SELinuxProject/refpolicy
git clone https://github.com/SELinuxProject/selinux-testsuite
(cd refpolicy && make conf && make install install-headers)
ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
sed -i s/targeted/refpolicy/ /etc/selinux/config
(cd selinux-testsuite/policy/ && make POLDEV=/usr/share/selinux/refpolicy)

Output of the last command:

# General policy build
make[1]: Entering directory '/root/selinux-testsuite/policy/test_policy'
Compiling refpolicy test_policy module
m4:test_policy.te:224: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:491: Warning: mmap_file_perms is deprecated, please use mmap_exec_file_perms instead
m4:test_policy.te:632: Warning: domain_auto_trans() has been deprecated, please use domain_auto_transition_pattern() instead.
m4:test_policy.te:638: Warning: domain_auto_trans() has been deprecated, please use domain_auto_transition_pattern() instead.
m4:test_policy.te:711: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:724: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1219: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1418: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1492: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1493: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1594: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1919: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:2760: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:2761: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
test_policy.te:2417:ERROR 'syntax error' at token 'userdom_read_inherited_user_tmp_files' on line 98943:

userdom_read_inherited_user_tmp_files(test_overlay_mounter_t)
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make[1]: *** [/usr/share/selinux/refpolicy/Makefile:166: tmp/test_policy.mod] Error 1
make[1]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
make: *** [Makefile:110: build_general] Error 2

@pcmoore
Copy link
Member

pcmoore commented Aug 9, 2019

I had a hunch that might be the case; Debian tracks reference policy much closer than Fedora.

I'm fairly busy at the moment getting ready for LSS-NA, anyone want to take a look?

@stephensmalley
Copy link
Member

Two options:

  1. Add a conditional definition to policy/test_policy.if as we have done for some other interfaces that are Fedora-specific or version-specific. Closest analog in refpolicy would be userdom_read_user_tmp_files(), which would allow the same permissions plus open, which seemingly wouldn't matter here.
  2. Delete the use of userdom_read_inherited_user_tmp_files() from policy/test_overlayfs.te. Offhand, I don't see where tests/overlay/* uses any user tmp files and removing it locally didn't appear to break anything or trigger any unexpected AVCs.

WOnder93 added a commit to WOnder93/selinux-testsuite that referenced this issue Sep 11, 2019
@WOnder93
policy: fix some build errors under refpolicy
87f9d96 
Replace deprecated macros with new ones. Fedora's policy has both;
refpolicy just the new ones.

Partially addresses issue SELinuxProject#57.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
@WOnder93 WOnder93 mentioned this issue Sep 11, 2019
Merged
stephensmalley pushed a commit that referenced this issue Sep 11, 2019
@WOnder93 @stephensmalley
policy: fix some build errors under refpolicy
21fd756 
Replace deprecated macros with new ones. Fedora's policy has both;
refpolicy just the new ones.

Partially addresses issue #57.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
WOnder93 added a commit to WOnder93/selinux-testsuite that referenced this issue Sep 16, 2019
@WOnder93
policy: fix some build errors under refpolicy
c72fbd4 
Replace deprecated macros with new ones. Fedora's policy has both;
refpolicy just the new ones.

Partially addresses issue SELinuxProject#57.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
WOnder93 added a commit to WOnder93/selinux-testsuite that referenced this issue Sep 16, 2019
@WOnder93
policy: fix some build errors under refpolicy
94e684f 
Replace deprecated macros with new ones. Fedora's policy has both;
refpolicy just the new ones.

Partially addresses issue SELinuxProject#57.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
WOnder93 added a commit to WOnder93/selinux-testsuite that referenced this issue Sep 16, 2019
@WOnder93
policy: fix some build errors under refpolicy
a3d2a1f 
Replace deprecated macros with new ones. Fedora's policy has both;
refpolicy just the new ones.

Partially addresses issue SELinuxProject#57.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
@stephensmalley stephensmalley mentioned this issue Sep 18, 2019
Merged
WOnder93 added a commit to WOnder93/selinux-testsuite that referenced this issue Sep 19, 2019
@WOnder93
policy: fix some build errors under refpolicy
2ff0679 
Replace deprecated macros with new ones. Fedora's policy has both;
refpolicy just the new ones.

Partially addresses issue SELinuxProject#57.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
WOnder93 pushed a commit to WOnder93/selinux-testsuite that referenced this issue Sep 19, 2019
@stephensmalley @WOnder93
selinux-testsuite: drop use of userdom_read_inherited_user_tmp_files
8730038 
The overlay test policy had two calls to the
userdom_read_inherited_user_tmp_files() policy interface.
This is a Fedora-specific interface that is not present in
refpolicy and therefore prevents building the test policy on
other distributions.  Further, there is no clear reason why
the calls to this interface are needed for the overlay tests;
the tests are not inheriting open /tmp files.  Remove the
calls.

Fixes: SELinuxProject#57
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
@WOnder93 WOnder93 mentioned this issue Sep 19, 2019
Closed
WOnder93 pushed a commit to WOnder93/selinux-testsuite that referenced this issue Sep 19, 2019
@stephensmalley @WOnder93
selinux-testsuite: drop use of userdom_read_inherited_user_tmp_files
86d0e5c 
The overlay test policy had two calls to the
userdom_read_inherited_user_tmp_files() policy interface.
This is a Fedora-specific interface that is not present in
refpolicy and therefore prevents building the test policy on
other distributions.  Further, there is no clear reason why
the calls to this interface are needed for the overlay tests;
the tests are not inheriting open /tmp files.  Remove the
calls.

Fixes: SELinuxProject#57
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Tested-by: Ondrej Mosnacek <omosnace@redhat.com>
stephensmalley pushed a commit to stephensmalley/selinux-testsuite that referenced this issue Sep 19, 2019
@WOnder93 @stephensmalley
policy: fix some build errors under refpolicy
286df8a 
Replace deprecated macros with new ones. Fedora's policy has both;
refpolicy just the new ones.

Partially addresses issue SELinuxProject#57.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug priority/medium
Projects
None yet
Milestone
No milestone
4 participants
@WOnder93 @stephensmalley @pcmoore @zhaofangfangdeepin