Package: checkpolicy
Version: 1.30.10-2
Severity: normal

After upgrading to checkpolicy 1.30.10-2, refpolicy no longer builds; the build fails when checkmodule is run on the strict policy's base.conf:

m4 -D strict_policy -D enable_mcs -D distro_debian -D direct_sysadm_daemon -D hide_broken_symptoms -D self_contained_policy policy/support/loadable_module.spt policy/support/misc_macros.spt policy/support/obj_perm_sets.spt tmp/generated_definitions.conf policy/global_booleans policy/global_tunables > tmp/global_bools.conf
Creating refpolicy-strict base module base.conf
cat tmp/pre_te_files.conf tmp/all_attrs_types.conf tmp/global_bools.conf tmp/only_te_rules.conf tmp/all_post.conf > base.conf
Compiling refpolicy-strict base module
/usr/bin/checkmodule -M base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
libsepol.expand_terule_helper: duplicate TE rule for httpd_suexec_t httpd_sys_content_t:process httpd_sys_script_t
/usr/bin/checkmodule: expand module failed

This failure didn't happen with 1.30.3-1. I'm assuming this is a regression in checkpolicy or something linked into it, since I don't see any duplicate rules in base.conf as it claims -- indeed I don't see that rule at all, though I'm still learning the policy language and could be mistaken about that.

If I comment out this line:

type_transition httpd_suexec_t httpdcontent:process httpd_sys_script_t;

... there's a similar error concerning "initrc_t insmod_exec_t:process insmod_t". If I also comment out this one:

type_transition initrc_t insmod_exec_t:process insmod_t;

... then checkmodule runs to completion. As before, I don't see any duplication of that rule, but with the same caveats.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-1-amd64-k8
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages checkpolicy depends on:
ii  libc6                         2.3.6-19   GNU C Library: Shared libraries

checkpolicy recommends no packages.

-- no debconf information
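
A diagnostic sketch added here (not part of the original report, and not checkpolicy or libsepol code): it expands attributes in type_transition rules and lists every (source, target, class) key that ends up defined more than once, which can surface repeats that are not visible as identical lines in base.conf. It assumes httpdcontent is an attribute carried by httpd_sys_content_t; the sample policy and the function names are constructed for illustration, and `-` exclusions, `~` and `*` are not handled.

```python
import re
from collections import defaultdict

# Constructed sample policy, not the reporter's base.conf.
SAMPLE = """\
attribute httpdcontent;
type httpd_suexec_t;
type httpd_sys_script_t;
type httpd_sys_content_t, httpdcontent;
type httpd_user_content_t;
typeattribute httpd_user_content_t httpdcontent;
type_transition httpd_suexec_t httpdcontent:process httpd_sys_script_t;
type_transition httpd_suexec_t httpd_sys_content_t:process httpd_sys_script_t;
"""

# source, target and class may each be a single name or a '{ a b }' set.
TT = re.compile(r"\btype_transition\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:"
                r"\s*(\{[^}]*\}|\S+)\s+(\w+)\s*;")

def names(field):
    """Split a single name or a '{ a b }' set into a list of names."""
    return field.strip("{} \t\n").split()

def find_duplicate_transitions(text):
    """Map (source, target, class) -> line numbers, for keys defined more
    than once after attributes are expanded to their member types."""
    text = re.sub(r"#.*", "", text)          # drop comments, keep newlines
    members = defaultdict(set)               # attribute -> member types
    for m in re.finditer(r"\btype\s+(\w+)([^;]*);", text):
        for attr in m.group(2).split(",")[1:]:
            members[attr.strip()].add(m.group(1))
    for m in re.finditer(r"\btypeattribute\s+(\w+)\s+([^;]+);", text):
        for attr in m.group(2).split(","):
            members[attr.strip()].add(m.group(1))

    def expand(field):
        out = set()
        for n in names(field):
            out |= members.get(n, {n})       # plain types expand to themselves
        return out

    seen = defaultdict(list)
    for m in TT.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        src, tgt, cls, _default = m.groups()
        for key in ((s, t, c) for s in expand(src) for t in expand(tgt)
                    for c in names(cls)):
            seen[key].append(line)
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for key, lines in sorted(find_duplicate_transitions(SAMPLE).items()):
        print("%s %s:%s defined at lines %s" % (key + (lines,)))
```

Running it against a real base.conf instead of SAMPLE prints the source lines that contribute to each repeated key.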