From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1488449810.f95f7ed0d8bdb0bcfd8571363e5bb11799cf4678.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: Rules.modular
X-VCS-Directories: /
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: f95f7ed0d8bdb0bcfd8571363e5bb11799cf4678
X-VCS-Branch: master
Date: Thu, 2 Mar 2017 10:17:51 +0000 (UTC)

commit:     f95f7ed0d8bdb0bcfd8571363e5bb11799cf4678
Author:     Nicolas Iooss m4x org>
AuthorDate: Mon Feb 27 21:02:52 2017 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Thu Mar 2 10:16:50 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f95f7ed0

Make "validate" target verify file contexts

When I synchronized my personal policy with the git master branch,
"git rebase" merged the file contexts I have defined for some systemd
components with the ones which have recently been merged. This resulted
in duplicated file contexts in systemd.fc, which made the policy unable
to be loaded.

This issue has not been detected by "make validate" because this
command only verifies policy linking, not the correctness of the file
contexts. Moreover this behavior of "make validate" only happens when
building a modular policy. Indeed Rules.monolithic calls setfiles in
order to validate the file contexts:

    validate: $(fc) $(polver)
        @echo "Validating $(NAME) file_contexts."
        $(verbose) $(SETFILES) -q -c $(polver) $(fc)
        @echo "Success."

Invoke setfiles in Rules.modular too in order to catch issues in file
contexts with "make validate". With the issue I experienced, I would
have got the following message:

    Validating policy file contexts.
    /sbin/setfiles -q -c tmp/policy.bin tmp/all_mods.fc
    tmp/all_mods.fc: Multiple same specifications for /run/systemd/machines(/.*)?.
    tmp/all_mods.fc: Invalid argument
    make: *** [Rules.modular:210: validate] Error 1

While at it, simplify .SECONDARY definition with a newly-introduced
$(all_mod_fc) variable.

 Rules.modular | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/Rules.modular b/Rules.modular index 60fe5549..49d3cca9 100644 --- a/Rules.modular +++ b/Rules.modular @@ -5,6 +5,7 @@ all_modules := $(base_mods) $(mod_mods) $(off_mods) all_interfaces := $(all_modules:.te=.if) +all_mod_fc := $(addprefix $(tmpdir)/,$(notdir $(all_modules:.te=.mod.fc))) base_pkg := $(builddir)base.pp base_fc := $(builddir)base.fc @@ -30,7 +31,7 @@ vpath %.te $(all_layers) vpath %.if $(all_layers) vpath %.fc $(all_layers) -.SECONDARY: $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod)) $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod.fc)) +.SECONDARY: $(all_mod_fc:.mod.fc=.mod) $(all_mod_fc) ######################################## # @@ -85,6 +86,9 @@ $(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc @test -d $(builddir) || mkdir -p $(builddir) $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc +$(tmpdir)/all_mods.fc: $(all_mod_fc) + $(verbose) cat $^ > $@ + ######################################## # # Create a base module package 
@@ -198,10 +202,12 @@ $(appdir)/customizable_types: $(base_conf) # # Validate linking and expanding of modules # -validate: $(base_pkg) $(mod_pkgs) +validate: $(base_pkg) $(mod_pkgs) $(tmpdir)/all_mods.fc @echo "Validating policy linking." - $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^ + $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $(base_pkg) $(mod_pkgs) $(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin + @echo "Validating policy file contexts." + $(verbose) $(SETFILES) -q -c $(tmpdir)/policy.bin $(tmpdir)/all_mods.fc @echo "Success." ########################################
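
Review bot: all_mod_fc in the first hunk (@@ -5,6 +5,7 @@) is built from $(all_modules), which the context line just above it defines as $(base_mods) $(mod_mods) $(off_mods), whereas the .SECONDARY line removed in the second hunk was built from $(mod_pkgs) only. That makes the new .SECONDARY a wider set rather than a pure simplification, and it means tmp/all_mods.fc also carries the file contexts of $(off_mods), which setfiles then checks against a policy.bin that validate links from $(base_pkg) $(mod_pkgs). Please confirm that is intended; if it is not, derive the list from $(base_mods) $(mod_mods), and either way mention in the commit message that the .SECONDARY set changed.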
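
Review bot: the new $(tmpdir)/all_mods.fc rule in the @@ -85,6 +86,9 @@ hunk has no comment, while the rules around it sit under a banner such as "Create a base module package". A short comment saying that this file is the concatenation of every .mod.fc and exists only as input to setfiles in validate would tell readers it is not an installed artifact. As a smaller point, "cat $^ > $@" leaves a partial all_mods.fc in place if cat fails, since make only removes it when .DELETE_ON_ERROR is set; writing to a temporary name and renaming it would avoid a stale file being treated as up to date.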
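
Review bot: the banner above the validate target in the @@ -198,10 +202,12 @@ hunk still reads "Validate linking and expanding of modules" although the recipe now also runs $(SETFILES) -q -c on the file contexts; please update it to cover both checks. On the $(SEMOD_LNK) line, the move from $^ to the explicit $(base_pkg) $(mod_pkgs) is required now that all_mods.fc is a prerequisite, so a one-line comment there would keep someone from restoring $^ later and passing the .fc file to the linker.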