SELinuxProject / selinux

This is the upstream repository for the Security Enhanced Linux (SELinux) userland libraries and tools. The software provided by this project complements the SELinux features integrated into the Linux kernel and is used by Linux distributions. All bugs and patches should be submitted to selinux@vger.kernel.org

Unclear error message on compilation failure with 3.4 #356

Closed jpichon closed 2 years ago

jpichon commented 2 years ago

The validation in 3.4 is much improved and revealed an issue in our gen_require() section: we had mistakenly defined "class capability setpgid;" instead of "class process setpgid;" (Launchpad 1977873#comment10), which must have failed silently until now.

However there were no hints in the error message to help us pinpoint what (or what line) caused the issue in the file after the problem was surfaced. I created the minimum file to reproduce it here:

$ cat my-test.te
policy_module(my-test, 0.1)

gen_require(`
    class capability setpgid;
')

$ make -f /usr/share/selinux/devel/Makefile my-test.pp
Compiling targeted my-test module
Creating targeted my-test.pp policy package
/usr/bin/semodule_package:  Error while reading policy module from tmp/my-test.mod
make: *** [/usr/share/selinux/devel/include/Makefile:165: my-test.pp] Error 1
rm tmp/my-test.mod.fc tmp/my-test.mod

$ rpm -qa | grep libsepol
libsepol-3.4-1.1.el9.x86_64

compared to before, only for reference:

$ make -f /usr/share/selinux/devel/Makefile my-test.pp
Compiling targeted my-test module
Creating targeted my-test.pp policy package
rm tmp/my-test.mod.fc tmp/my-test.mod

$ rpm -qa | grep sepol
libsepol-3.3-2.el9.x86_64

It would be nice to give a hint to the end-user as to what is wrong so it's easier to fix it.

cgzones commented 2 years ago

The reason no informative error message is printed is the nature of the error.

E.g. using

gen_require(`
     class ipc setpgid;
')

produces the following output:

make -f /usr/share/selinux/debian/include/Makefile load
Compiling debian my-test-2 module
Creating debian my-test-2.pp policy package
Loading debian modules: my-test-2
Failed to resolve permission setpgid
Failed to resolve allow statement at /var/lib/selinux/debian/tmp/modules/400/my-test-2/cil:4
Failed to resolve AST
/usr/sbin/semodule:  Failed!
make: *** [/usr/share/selinux/debian/include/Makefile:142: tmp/loaded] Error 1
rm tmp/my-test-2.mod.fc tmp/my-test-2.mod

The security class capability already has 32 permissions (the maximum amount) assigned. The required permission setpgid gets added and triggers the check https://github.com/SELinuxProject/selinux/blob/1eb6229a48d2b8ca08a230e7c60176c56c5cb6d5/libsepol/src/policydb.c#L2270-L2271 introduced in https://github.com/SELinuxProject/selinux/commit/97af65f69644a3233d073ae93980a0d2e51f42e1.

Checkmodule could retain such require statements:

diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
index 129650fa..3188af89 100644
--- a/checkpolicy/module_compiler.c
+++ b/checkpolicy/module_compiler.c
@@ -851,6 +851,14 @@ int require_class(int pass)
                                free(perm_id);
                                return -1;
                        }
+                       if (datum->permissions.nprim >= PERM_SYMTAB_SIZE) {
+                               yyerror2("Class %s would have too many permissions "
+                                        "to fit in an access vector with permission %s",
+                                        policydbp->p_class_val_to_name[datum->s.value - 1],
+                                        perm_id);
+                               free(perm_id);
+                               return -1;
+                       }
                        allocated = 1;
                        if ((perm = malloc(sizeof(*perm))) == NULL) {
                                yyerror("Out of memory!");
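Review bot: the new bound check should only fire for a permission that is not already defined in the class; the hunk's leading context (`free(perm_id); return -1;` closing an earlier error path) does not show the lookup that skips already-present permissions, so confirm in review that this `if` sits after that lookup, otherwise requiring an existing permission of a class that already holds PERM_SYMTAB_SIZE permissions would be rejected. The error path itself mirrors the preceding one and runs before `allocated = 1` and the malloc, so nothing is leaked on failure.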

Result:

checkmodule -m tmp/my-test.tmp -o tmp/my-test.mod
my-test.te:3:ERROR 'Class capability would have too many permissions to fit in an access vector with permission setpgid' at token ';' on line 3830:
        class capability setpgid;
#line 3
checkmodule:  error(s) encountered while parsing configuration
make: *** [Makefile:160: tmp/my-test.mod] Error 1
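As an added example, not code from this issue or from the SELinux project: a small Python checker that parses an access_vectors excerpt and flags gen_require permissions the policy does not define, calling out the case cgzones describes above, where the class already holds all 32 permissions (PERM_SYMTAB_SIZE) and the 33rd is rejected without a useful message. The access_vectors excerpt and the .te file are constructed for the example; only the capability permission list is complete (32 entries), the other classes are abridged.

```python
import re
PERM_SYMTAB_SIZE = 32  # libsepol limit: an access vector has 32 bits, so a class holds at most 32 permissions
# Constructed excerpt in refpolicy's access_vectors syntax; capability is complete (32 perms), others abridged.
ACCESS_VECTORS = """
common file { ioctl read write create getattr setattr lock }
class dir inherits file { add_name remove_name search }
class process { fork transition signal getpgid setpgid setsched }
class capability {
    chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap
    linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
    ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin
    sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
    audit_write audit_control setfcap
}
"""
# Constructed .te file reproducing the issue: 'capability' has no setpgid permission.
MY_TEST_TE = """
policy_module(my-test, 0.1)
gen_require(`
    class capability setpgid;
    class process { setpgid signal };
')
"""

def parse_access_vectors(text):
    """Return {class: set(perms)}, expanding 'inherits <common>'."""
    commons, classes = {}, {}
    spec = r'\b(common|class)\s+(\w+)(?:\s+inherits\s+(\w+))?\s*(?:\{([^}]*)\})?'
    for kind, name, parent, body in re.findall(spec, re.sub(r'#.*', '', text)):
        if kind == 'common':
            commons[name] = set(body.split())
        else:
            classes[name] = set(body.split()) | commons.get(parent, set())
    return classes

def check_gen_require(classes, te_text):
    """List (class, perm, reason) for every required permission the policy lacks."""
    problems = []
    for m in re.finditer(r'\bclass\s+(\w+)\s+(\{[^}]*\}|\w+)\s*;', te_text):
        cls, wanted = m.group(1), m.group(2).strip('{}').split()
        if cls not in classes:
            problems.append((cls, None, 'unknown class'))
            continue
        for perm in wanted:
            if perm not in classes[cls]:
                reason = 'permission not defined for class'
                if len(classes[cls]) >= PERM_SYMTAB_SIZE:
                    reason += f'; class already has {PERM_SYMTAB_SIZE} permissions'
                problems.append((cls, perm, reason))
    return problems
```

Running `check_gen_require(parse_access_vectors(ACCESS_VECTORS), MY_TEST_TE)` reports the capability/setpgid line with the "already has 32 permissions" reason, while the valid `class process { setpgid signal };` entry produces nothing.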

jpichon commented 2 years ago

Thanks for the explanation. This example looks great to me, clearly showing the line that causes the issue.