From 4bd455bf90f156ff24e437555b98e4378c6d28b8 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Mon, 27 Feb 2017 22:02:52 +0100
Subject: [PATCH 1/2] Make "validate" target verify file contexts

When I synchronized my personal policy with the git master branch, "git rebase" merged the file contexts I have defined for some systemd components with the ones which have recently been merged. This resulted in duplicated file contexts in systemd.fc, which made the policy unable to be loaded. This issue has not been detected by "make validate" because this command only verifies policy linking, not the correctness of the file contexts. Moreover this behavior of "make validate" only happens when building a modular policy. Indeed Rules.monolithic calls setfiles in order to validate the file contexts: validate: $(fc) $(polver) @echo "Validating $(NAME) file_contexts." $(verbose) $(SETFILES) -q -c $(polver) $(fc) @echo "Success." Invoke setfiles in Rules.modular too in order to catch issues in file contexts with "make validate". With the issue I experienced, I would have got the following message: Validating policy file contexts. /sbin/setfiles -q -c tmp/policy.bin tmp/all_mods.fc tmp/all_mods.fc: Multiple same specifications for /run/systemd/machines(/.*)?. tmp/all_mods.fc: Invalid argument make: *** [Rules.modular:210: validate] Error 1 While at it, simplify .SECONDARY definition with a newly-introduced $(all_mod_fc) variable.
---
 Rules.modular | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/Rules.modular b/Rules.modular
index 60fe55496..49d3cca91 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -5,6 +5,7 @@
 all_modules := $(base_mods) $(mod_mods) $(off_mods)
 all_interfaces := $(all_modules:.te=.if)
+all_mod_fc := $(addprefix $(tmpdir)/,$(notdir $(all_modules:.te=.mod.fc)))
 base_pkg := $(builddir)base.pp
 base_fc := $(builddir)base.fc
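Review bot: `all_mod_fc` is built from `all_modules`, which the context line just above it shows includes `$(off_mods)`, whereas the `validate` recipe in the last hunk links only `$(base_pkg) $(mod_pkgs)` before running `setfiles -c` on the concatenated `all_mods.fc`. If a disabled module declares the types its own .fc entries use, those contexts are absent from `tmp/policy.bin` and `setfiles -c` rejects them, so `make validate` would fail on a configuration that loads fine; it also forces every off module's `.mod` and `.mod.fc` to be built just to validate. If only linked modules are meant to be checked, exclude the disabled ones, e.g. `all_mod_fc := $(addprefix $(tmpdir)/,$(notdir $(patsubst %.te,%.mod.fc,$(filter-out $(off_mods),$(all_modules)))))`; if validating disabled modules is intended, a comment above the assignment saying so would help. The same point applies to the `all_mods.fc` rule and the `validate` recipe in the later hunks.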
@@ -30,7 +31,7 @@ vpath %.te $(all_layers)
 vpath %.if $(all_layers)
 vpath %.fc $(all_layers)
-.SECONDARY: $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod)) $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod.fc))
+.SECONDARY: $(all_mod_fc:.mod.fc=.mod) $(all_mod_fc)
 ########################################
 #
@@ -85,6 +86,9 @@ $(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
 	@test -d $(builddir) || mkdir -p $(builddir)
 	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+$(tmpdir)/all_mods.fc: $(all_mod_fc)
+	$(verbose) cat $^ > $@
+
 ########################################
 #
 # Create a base module package
@@ -198,10 +202,12 @@ $(appdir)/customizable_types: $(base_conf)
 #
 # Validate linking and expanding of modules
 #
-validate: $(base_pkg) $(mod_pkgs)
+validate: $(base_pkg) $(mod_pkgs) $(tmpdir)/all_mods.fc
 	@echo "Validating policy linking."
-	$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
+	$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $(base_pkg) $(mod_pkgs)
 	$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
+	@echo "Validating policy file contexts."
+	$(verbose) $(SETFILES) -q -c $(tmpdir)/policy.bin $(tmpdir)/all_mods.fc
 	@echo "Success."
 ########################################

From 2e2088b4010623568eb2bfd8b13a7799af66723c Mon Sep 17 00:00:00 2001
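Review bot: The new `$(tmpdir)/all_mods.fc` rule writes its target through a plain shell redirection, `cat $^ > $@`, so an interrupted or failing `cat` leaves a partial `all_mods.fc` that is newer than every `.mod.fc` prerequisite and is treated as up to date by the next `make validate`, which then checks an incomplete set of file contexts without complaint. Writing to a temporary name and renaming keeps the target either absent or complete: `$(verbose) cat $^ > $@.tmp && mv -f $@.tmp $@`. A file-wide `.DELETE_ON_ERROR:` would also cover the failing-command case, but this hunk does not show whether Rules.modular or the including Makefile already sets it.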
From: Nicolas Iooss
Date: Mon, 27 Feb 2017 22:24:02 +0100
Subject: [PATCH 2/2] devices: fix Debian file contexts

When using setfiles to validate file contexts of Debian modular policy (with DISTRO=debian and MONOLITHIC=n), it fails with: tmp/all_mods.fc: line 527 is missing fields tmp/all_mods.fc: line 527 is missing fields tmp/all_mods.fc: Invalid argument Here is the content of tmp/all_mods.fc around line 527: # this is a static /dev dir "backup mount" # if you want to disable udev, youll have to boot permissive and relabel! /dev/\.static -d system_u:object_r:device_t /dev/\.static/dev -d system_u:object_r:device_t /dev/\.static/dev/(.*)? <> ' The quote of "you'll" has been eaten by m4 and there is a spurious quote on the last line, which is reported by setfiles. Fix this by removing the quote in the comment. Here is an example of a failed build on Travis-CI: https://travis-ci.org/fishilico/selinux-refpolicy-patched/jobs/205951446
---
 policy/modules/kernel/devices.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 19cd97247..84219a87e 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -185,7 +185,7 @@ ifdef(`distro_suse', `
 ifdef(`distro_debian',`
 # this is a static /dev dir "backup mount"
-# if you want to disable udev, you'll have to boot permissive and relabel!
+# if you want to disable udev, you will have to boot permissive and relabel!
 /dev/\.static -d gen_context(system_u:object_r:device_t,s0)
 /dev/\.static/dev -d gen_context(system_u:object_r:device_t,s0)
 /dev/\.static/dev/(.*)? <>
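Review bot: Removing the apostrophe fixes this one line, but the constraint it exposes is not recorded anywhere in the file: the garbled output quoted in the description shows that a `#` line inside the `ifdef(`distro_debian',`...')` block is still subject to m4 quote processing, so any later comment containing `'` will again corrupt the generated all_mods.fc and only surface as a setfiles error. A short comment at the top of the block, e.g. `# NOTE: m4 quoting is active here, so do not put apostrophes in comments inside ifdef() blocks`, would make that visible to the next editor. Other `ifdef` blocks in this and other .fc files may carry the same risk; checking comment lines for a stray `'` would confirm. The `<>` on the last context line looks like a rendering artefact of this page rather than the file's actual token (presumably `<<none>>`) and is not part of the change.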