Using the latest libsepol, libselinux, checkpolicy from [1] (also
tried [2]), I can't get xen-unstable.hg/tools/flask/policy to build:
Using make:
------------------------------
[tom@Mavlo policy]$ make policy
cat: /selinux/policyvers: No such file or directory
Creating xenrefpolicy policy.conf
m4 -D self_contained_policy -s tmp/pre_te_files.conf
tmp/generated_definitions.conf tmp/all_interfaces.conf
tmp/all_attrs_types.conf policy/global_booleans policy/global_tunables
tmp/only_te_rules.conf tmp/all_post.conf > tmp/policy.conf.tmp
sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d <
tmp/policy.conf.tmp > policy.conf
Compiling xenrefpolicy policy.20
/usr/bin/checkpolicy -c 20 policy.conf -o policy.20
/usr/bin/checkpolicy: loading policy configuration from policy.conf
tmp/only_te_rules.conf":55:ERROR 'syntax error' at token ':' on line 489:
################################################################################
allow dom0_t xen_t:xen {kexec readapic writeapic mtrr_read mtrr_add mtrr_del
checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.20] Error 1
-----------------------------------
Direct checkpolicy call (after fixing that newline on the
'allow') is the same:
------------------
[tom@Mavlo policy]$ /usr/bin/checkpolicy -d -c 20 policy.conf -o policy.20
/usr/bin/checkpolicy: loading policy configuration from policy.conf
tmp/only_te_rules.conf":55:ERROR 'syntax error' at token 'xen' on line 489:
################################################################################
allow dom0_t xen_t xen {kexec readapic writeapic mtrr_read mtrr_add
mtrr_del scheduler physinfo heap quirk readconsole writeconsole
settime microcode};
checkpolicy: error(s) encountered while parsing configuration
-------------------
I no longer remember anything about the syntax of this language -
could someone else give me a hand?
Thomas
[1] http://userspace.selinuxproject.org/releases/20090403/devel/
[2] http://userspace.selinuxproject.org/releases/20080909/stable/
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
On 4/8/09 5:55 PM, "Thomas DuBuisson" <thomas.dubuisson@gmail.com> wrote:

> Direct checkpolicy call (after fixing that newline on the 'allow') is the
> same:
> ------------------
> [tom@Mavlo policy]$ /usr/bin/checkpolicy -d -c 20 policy.conf -o policy.20
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> tmp/only_te_rules.conf":55:ERROR 'syntax error' at token 'xen' on line 489:
> ################################################################################
> allow dom0_t xen_t xen {kexec readapic writeapic mtrr_read mtrr_add
> mtrr_del scheduler physinfo heap quirk readconsole writeconsole
> settime microcode};
> checkpolicy: error(s) encountered while parsing configuration
> -------------------

I just checked, there doesn't seem to be anything broken in the tree (I can
build and load the sample policy).

It's hard to say what your problem is but I notice in your debug output that
you are missing the colon separator between the types and the class, e.g.

allow dom0_t xen_t: xen {kexec ....}

Please check your edits and try make clean, make policy. You can call
checkpolicy by hand as above but remember that policy.conf is created during
the build process and any changes to the core policy files will not be
reflected in policy.conf unless you rebuild it through the make file.

> I no longer remember anything about the syntax of this language -
> could someone else give me a hand?
>
> Thomas

--
George S. Coker, II <gscoker@alpha.ncsc.mil>
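A shape check for the `allow` rule discussed in the reply above, added here as an example; it is not code from the thread or from the Xen tree. The regular expression is a simplified assumption about the `allow source target:class perms;` form, not the checkpolicy grammar, and the function names and sample text are constructed for illustration.

```python
import re

# One field is a single name or a { ... } set (simplified assumption).
FIELD = r"(?:\{[^{}]*\}|[\w.~*-]+)"
ALLOW_RE = re.compile(
    rf"^allow\s+{FIELD}\s+{FIELD}\s*:\s*{FIELD}\s+{FIELD}\s*;$")

def statements(text):
    """Yield (first_line_no, rule) for each allow rule, joining wrapped lines."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and rulers of '#'
        if not line:
            continue
        if line.startswith("allow "):
            if buf:                           # previous rule was never closed
                yield start, " ".join(buf)
            buf, start = [line], no
        elif buf:
            buf.append(line)                  # continuation of a wrapped rule
        if buf and line.endswith(";"):
            yield start, " ".join(buf)
            buf = []
    if buf:
        yield start, " ".join(buf)

def check(text):
    """Return [(line_no, reason)] for allow rules that do not have the expected shape."""
    problems = []
    for no, rule in statements(text):
        if ALLOW_RE.match(rule):
            continue
        if not rule.endswith(";"):
            why = "rule is not terminated with ';'"
        elif ":" not in rule:
            why = "missing ':' between target type and class"
        else:
            why = "does not match 'allow source target:class perms;'"
        problems.append((no, why))
    return problems

# Constructed sample: the rule from the thread without the colon, with the
# colon, and a shortened copy that lacks the closing ';'.
PERMS = ("{kexec readapic writeapic mtrr_read mtrr_add\n"
         "mtrr_del scheduler physinfo heap quirk readconsole writeconsole\n"
         "settime microcode};\n")
SAMPLE = ("allow dom0_t xen_t xen " + PERMS +
          "allow dom0_t xen_t:xen " + PERMS +
          "allow dom0_t xen_t: xen {kexec readapic}\n")

if __name__ == "__main__":
    for no, why in check(SAMPLE):
        print(f"line {no}: {why}")
```

Run it against the generated policy.conf after `make clean` and `make policy`, since that file is rebuilt from the core policy files on every build.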
Oops, right you are on the colon, but it still doesn't work correctly
(even updated, cleaned, rebuilt) which I'm guessing is something to do
with a broken checkpolicy install if it works for you. I'll explore
that.
--------------------
[tom@Mavlo policy]$ /usr/bin/checkpolicy -d -c 20 policy.conf -o policy.20
/usr/bin/checkpolicy: loading policy configuration from policy.conf
tmp/only_te_rules.conf":55:ERROR 'syntax error' at token ':' on line 491:
################################################################################
allow dom0_t xen_t:xen {kexec readapic writeapic mtrr_read mtrr_add
mtrr_del scheduler physinfo heap quirk readconsole writeconsole
settime microcode};
checkpolicy: error(s) encountered while parsing configuration
--------------------
Thomas
On Thu, Apr 9, 2009 at 6:46 AM, George S. Coker, II
<gscoker@alpha.ncsc.mil> wrote:
>
> I just checked, there doesn't seem to be anything broken in the tree (I can
> build and load the sample policy).
>
> It's hard to say what your problem is but I notice in your debug output that
> you are missing the colon separator between the types and the class, e.g.
>
> allow dom0_t xen_t: xen {kexec ....}
>
> Please check your edits and try make clean, make policy. You can call
> checkpolicy by hand as above but remember that policy.conf is created during
> the build process and any changes to the core policy files will not be
> reflected in policy.conf unless you rebuild it through the make file.