SELinuxProject / selinux-testsuite

This is the upstream SELinux testsuite which is designed as a basic set of regression tests for the SELinux kernel functionality.
GNU General Public License v2.0

BUG: syntax error at token 'userdom_read_inherited_user_tmp_files' on Debian 10 #57

Closed zhaofangfangdeepin closed 5 years ago

zhaofangfangdeepin commented 5 years ago

When I make it in Debian 10, I get an error like this:

```
# make test
make -C policy load
make[1]: Entering directory '/home/deepin/selinux-testsuite/policy'

Test for "expand-check = 0" in /etc/selinux/semanage.conf

General policy build

make[2]: Entering directory '/home/deepin/selinux-testsuite/policy/test_policy'
Compiling default test_policy module
m4:test_policy.te:224: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:632: Warning: domain_auto_trans() has been deprecated, please use domain_auto_transition_pattern() instead.
m4:test_policy.te:638: Warning: domain_auto_trans() has been deprecated, please use domain_auto_transition_pattern() instead.
m4:test_policy.te:711: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:724: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1219: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1418: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1492: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1493: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1594: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1919: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:2760: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:2761: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
/usr/bin/checkmodule: loading policy configuration from tmp/test_policy.tmp
test_policy.te:2417:ERROR 'syntax error' at token 'userdom_read_inherited_user_tmp_files' on line 101090:
userdom_read_inherited_user_tmp_files(test_overlay_mounter_t)

/usr/bin/checkmodule: error(s) encountered while parsing configuration
make[2]: [/usr/share/selinux/devel/include/Makefile:166: tmp/test_policy.mod] Error 1
make[2]: Leaving directory '/home/deepin/selinux-testsuite/policy/test_policy'
make[1]: [Makefile:110: build_general] Error 2
make[1]: Leaving directory '/home/deepin/selinux-testsuite/policy'
make: *** [Makefile:7: test] Error 2
```

pcmoore commented 5 years ago

Hi @zhaofangfangdeepin, I don't currently have a Debian 10 system to debug/test this - are you able to investigate this further and perhaps supply a patch?

WOnder93 commented 5 years ago

From the error messages it looks like @zhaofangfangdeepin builds the test policy against refpolicy (or something very similar). I managed to reproduce almost the same errors on Fedora as follows:

```
# WARNING: These commands modify the system configuration!
dnf install -y selinux-policy-devel
git clone https://github.com/SELinuxProject/refpolicy
git clone https://github.com/SELinuxProject/selinux-testsuite
(cd refpolicy && make conf && make install install-headers)
ln -s include/Makefile /usr/share/selinux/refpolicy/Makefile
sed -i s/targeted/refpolicy/ /etc/selinux/config
(cd selinux-testsuite/policy/ && make POLDEV=/usr/share/selinux/refpolicy)
```

Output of the last command:

```
# General policy build
make[1]: Entering directory '/root/selinux-testsuite/policy/test_policy'
Compiling refpolicy test_policy module
m4:test_policy.te:224: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:491: Warning: mmap_file_perms is deprecated, please use mmap_exec_file_perms instead
m4:test_policy.te:632: Warning: domain_auto_trans() has been deprecated, please use domain_auto_transition_pattern() instead.
m4:test_policy.te:638: Warning: domain_auto_trans() has been deprecated, please use domain_auto_transition_pattern() instead.
m4:test_policy.te:711: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:724: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1219: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1418: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1492: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1493: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1594: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:1919: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:2760: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
m4:test_policy.te:2761: Warning: domain_trans() has been deprecated, please use domain_transition_pattern() instead.
test_policy.te:2417:ERROR 'syntax error' at token 'userdom_read_inherited_user_tmp_files' on line 98943:

userdom_read_inherited_user_tmp_files(test_overlay_mounter_t)
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make[1]: *** [/usr/share/selinux/refpolicy/Makefile:166: tmp/test_policy.mod] Error 1
make[1]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
make: *** [Makefile:110: build_general] Error 2
```

pcmoore commented 5 years ago

I had a hunch that might be the case; Debian tracks reference policy much closer than Fedora.

I'm fairly busy at the moment getting ready for LSS-NA, anyone want to take a look?

stephensmalley commented 5 years ago

Two options:

1) Add a conditional definition to policy/test_policy.if as we have done for some other interfaces that are Fedora-specific or version-specific. Closest analog in refpolicy would be userdom_read_user_tmp_files(), which would allow the same permissions plus open, which seemingly wouldn't matter here.
2) Delete the use of userdom_read_inherited_user_tmp_files() from policy/test_overlayfs.te. Offhand, I don't see where tests/overlay/* uses any user tmp files and removing it locally didn't appear to break anything or trigger any unexpected AVCs.
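
A pre-build check for the failure in this thread, as an added example that is not part of the testsuite or of any comment above: it lists macro calls in a `.te` file that no `.if` or `.spt` file under the given directories defines. The header and module contents in `demo()` are constructed stand-ins; on a real system the roots would be the policy headers directory (the thread's `POLDEV`) and the testsuite's `policy/` directory.

```python
import re
import tempfile
from pathlib import Path

# Names introduced by interface()/template() in *.if or define() in *.spt files.
DEF_RE = re.compile(r"\b(?:interface|template|define)\(\s*`([A-Za-z_]\w*)'")
# A macro call that starts a statement, e.g. "userdom_foo(domain_t)".
CALL_RE = re.compile(r"\s*([A-Za-z_]\w*)\(")
# m4 builtins that no header defines (a minimal set, assumed sufficient here).
M4_BUILTINS = {"ifdef", "ifelse", "define", "undefine", "include"}

def defined_macros(roots):
    """Collect every macro name defined under the given directories."""
    names = set(M4_BUILTINS)
    for root in roots:
        for path in Path(root).rglob("*"):
            if path.is_file() and path.suffix in (".if", ".spt"):
                names.update(DEF_RE.findall(path.read_text(errors="replace")))
    return names

def undefined_calls(te_path, roots):
    """Return (line number, name) for each call in a .te file with no definition."""
    known = defined_macros(roots)
    missing = []
    for lineno, line in enumerate(Path(te_path).read_text(errors="replace").splitlines(), 1):
        match = CALL_RE.match(line.split("#", 1)[0])  # drop comments first
        if match and match.group(1) not in known:
            missing.append((lineno, match.group(1)))
    return missing

def demo(local_if=""):
    """Run the check on constructed stand-ins for policy headers and a test module."""
    with tempfile.TemporaryDirectory() as tmp:
        hdr, pol = Path(tmp, "include"), Path(tmp, "policy")
        (hdr / "support").mkdir(parents=True)
        pol.mkdir()
        (hdr / "userdomain.if").write_text("interface(`userdom_read_user_tmp_files',`')\n")
        (hdr / "support" / "misc.spt").write_text("define(`policy_module',`module $1 $2;')\n")
        (pol / "test_policy.if").write_text(local_if)  # module-local interface definitions
        (pol / "test_overlayfs.te").write_text(
            "policy_module(test_policy, 1.0.0)\n"
            "# old_iface(test_t) inside a comment is ignored\n"
            "type test_overlay_mounter_t;\n"
            "userdom_read_inherited_user_tmp_files(test_overlay_mounter_t)\n"
            "userdom_read_user_tmp_files(test_overlay_mounter_t)\n")
        return undefined_calls(pol / "test_overlayfs.te", [hdr, pol])

if __name__ == "__main__":
    print(demo())
```

Passing a definition of the missing interface as `local_if` stands in for the first option above and makes the result empty.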