|[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]|
So far I am not 100% sure, but I am extra sure that certain cautions must be taken when requiring a module to be built into base.pp rather than as loadable module. In particular, while building the base module the "self_contained_policy" macro is defined, exactly the same as when building a monolithic policy image, which will influence if the gen_require() macro would be properly expanded to the "require" keyword. Below is the definition of the gen_require() macro:
} # end require
} # end require
Where we can clearly see that if the "self_contained_policy" is defined, ONLY WHEN the "__in_optional_policy" is also defined, would gen_require() be expaned to the require keyword. BTW, "__in_optional_policy" is defined only within an optional_policy() block! .
That's why I take it for granted that you would have to include the actual definition of a role attribute along with the module that requires it into the base module.
> Date: Thu, 9 Feb 2012 22:58:47 +0000
> From: martin@xxxxxxxxxxxxxx
> To: selinux@xxxxxxxxxxxxx
> Subject: role_fix_callback assertion with sysadm in base
> I tried to build latest git refpolicy (6da98efd) using latest
> checkpolicy and libsepol (339f8079) with the attached modules.conf.
> In particular this puts sysadm into base.pp, and minimal other things.
> I get the following error.
> Compiling refpolicy base module
> /usr/bin/checkmodule base.conf -o tmp/base.mod
> /usr/bin/checkmodule: loading policy configuration from base.conf
> checkmodule: expand.c:700: role_fix_callback: Assertion `new_role !=
> ((void *)0) && new_role->flavor == 1' failed.
> make: *** [tmp/base.mod] Aborted
> Martin Orr
[Fedora Users] [Fedora Legacy] [Fedora Desktop] [Yosemite Photos] [Yosemite News] [Yosemite Campsites] [KDE Users] [Gnome Users]