Package: policycoreutils
Version: 1.30-2
Severity: normal

When run on ppc, checkmodule seems to be producing compiled policy modules which can't be read by semodule_package. AIUI, the compiled modules are intended to be identical across architectures, but compiling the same text policy on ppc and amd64 produces compiled modules that differ slightly. The module compiled with the amd64 checkmodule can be read just fine by semodule_package on both architectures, while the output of the ppc checkmodule can't be read by either one; attempting to do so produces a "conditional expressions uses [sic] unknown bool" error.

Repro procedure:

Take a short, simple policy module:

$ cat>test.te
module test 1.0;
require {
        class chr_file ioctl;
        type devpts_t;
        type httpd_t;
};
allow httpd_t devpts_t:chr_file ioctl;

Compile and package it. First, on amd64:

[EMAIL PROTECTED]:/tmp/p $ checkmodule -m -M test.te -o test.mod
checkmodule: loading policy configuration from test.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 5) to test.mod

... then on ppc:

[jezebel:/tmp/p2] % checkmodule -m -M test.te -o test.mod
checkmodule: loading policy configuration from test.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 5) to test.mod

Now try to package them:

[EMAIL PROTECTED]:/tmp/p $ semodule_package -o test.pp -m test.mod ; echo $?
0

[jezebel:/tmp/p2] % semodule_package -o test.pp -m test.mod ; echo $?
security: conditional expressions uses unknown bool 1; max is 0.
semodule_package: Error while reading policy module from test.mod
1

[ that isn't exactly the error message the stock package would give, since I adjusted the error printf() call in libsepol1's expr_isvalid() trying to figure this out ]

The files differ slightly:

--- test.mod.hex 2006-08-12 22:49:01.000000000 -0700 +++ test.mod.amd64.hex 2006-08-12 22:49:01.000000000 -0700
@@ -16,7 +16,7 @@ 000000f0 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 68 |[EMAIL PROTECTED]| 00000100 74 74 70 64 5f 74 00 00 00 00 00 00 00 00 00 00 |ttpd_t..........| 00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| -00000120 00 00 00 00 00 00 01 00 00 00 00 00 00 01 01 00 |................| +00000120 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 |................| 00000130 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 |................| 00000140 00 00 00 00 00 00 40 00 00 00 40 00 00 00 01 00 |[EMAIL PROTECTED]@.....| 00000150 00 00 00 00 00 00 02 00 00 00 00 00 00 00 40 00 |[EMAIL PROTECTED]|

The ppc machine can read the amd64 test.mod just fine:

[jezebel:/tmp/p2] % semodule_package -o test.pp -m test.mod.amd64 ; echo $?
0

But the ppc-generated test.mod doesn't work on amd64 either:

[EMAIL PROTECTED]:/tmp/p $ semodule_package -o test.pp -m test.mod.ppc ; echo $?
security: conditional expressions uses unknown bool.
semodule_package: Error while reading policy module from test.mod.ppc
1

Once packaged (using the amd64-compiled module in both places), the resulting policy packages are identical:

% sha1sum test.pp.*
e3fed973b36c028d4b6c34b7d8f4dda841b7ac0f test.pp.amd64
e3fed973b36c028d4b6c34b7d8f4dda841b7ac0f test.pp.ppc

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: powerpc (ppc)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.6
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages policycoreutils depends on:
ii libc6 2.3.6-15 GNU C Library: Shared libraries
ii libpam0g 0.79-3.1 Pluggable Authentication Modules l
ii libselinux1 1.30.22-1 SELinux shared libraries
ii libsemanage1 1.6-1 shared libraries used by SELinux p
ii libsepol1 1.12.24-1 Security Enhanced Linux policy lib
ii python-selinux [python2.4-sel 1.30.22-1 Python bindings to SELinux shared
ii python2.4 2.4.3-8 An interactive high-level object-o
ii python2.4-semanage 1.6-1 Python2.4 bindings for SELinux po

policycoreutils recommends no packages.

-- no debconf information
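
Review bot: in the 00000120 row, the only bytes that differ are the four at offsets 0x12a to 0x12d, which read 00 00 00 01 in test.mod.hex and 01 00 00 00 in test.mod.amd64.hex, i.e. the same 32-bit value 1 in opposite byte order. Since the file with the 01 00 00 00 form is the one both architectures can read, the code that writes this field is worth checking for a missing host-to-little-endian conversion on big-endian hosts.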
module test 1.0;
require {
        class chr_file ioctl;
        type devpts_t;
        type httpd_t;
};
allow httpd_t devpts_t:chr_file ioctl;
test.mod.amd64
Description: Binary data
test.mod.ppc
Description: Binary data
test.pp.amd64
Description: Binary data
test.pp.ppc
Description: Binary data
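
The report expects compiled modules to be identical across architectures. As an added example (not part of the original report or of libsepol), this sketch compares two builds of the same artifact and separates byte-swapped 32-bit words from other differences; the sample rows are the two 00000120 rows from the hex diff in the report, and all function and variable names are made up for the illustration.

```python
# Added illustration; names are hypothetical, not taken from libsepol.
BASE = 0x120  # file offset of the sample rows, as shown in the report's hex diff
ROW_PPC = bytes.fromhex("00 00 00 00 00 00 01 00 00 00 00 00 00 01 01 00")
ROW_AMD64 = bytes.fromhex("00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00")


def classify_diffs(a: bytes, b: bytes, width: int = 4):
    """Return (swapped, other).

    swapped: (offset, value of a's bytes read big-endian, read little-endian)
             for each `width`-byte window where a is the byte-reverse of b.
    other:   offsets of differing bytes not explained by a byte swap.
    """
    swapped, other = [], []
    n = min(len(a), len(b))
    i = done = 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        # The first differing byte need not be the first byte of the word
        # (zero bytes compare equal), so try every window covering offset i.
        for start in range(max(i - width + 1, done), i + 1):
            wa, wb = a[start:start + width], b[start:start + width]
            if len(wa) == width and wa == wb[::-1]:
                swapped.append((start, int.from_bytes(wa, "big"),
                                int.from_bytes(wa, "little")))
                i = done = start + width
                break
        else:
            other.append(i)
            i += 1
    if len(a) != len(b):
        other.append(n)  # one input is longer; extra data starts here
    return swapped, other


def describe(a: bytes, b: bytes, base: int = 0):
    """Human-readable summary, with offsets shifted by `base`."""
    swapped, other = classify_diffs(a, b)
    lines = [f"0x{base + off:x}: byte-swapped word (BE {be:#x}, LE {le:#x})"
             for off, be, le in swapped]
    lines += [f"0x{base + off:x}: unexplained difference" for off in other]
    return lines


if __name__ == "__main__":
    print("\n".join(describe(ROW_PPC, ROW_AMD64, BASE)))
```

Run over whole files rather than one row, an empty `other` list together with a non-empty `swapped` list points at byte order as the only difference between the two builds.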