Invalid context with latest SELinux update

Daniel J Walsh dwalsh at redhat.com
Thu Jun 23 15:05:43 UTC 2005


Paul Howarth wrote:

> Daniel J Walsh wrote:
>
>> Paul Howarth wrote:
>>
>>> On Mon, 2005-06-20 at 13:52 -0400, Paul Davis wrote:
>>>
>>>> I have the exact same error, however when I check the System Tools ->
>>>> Systems Logs SELinux appears to load without any problems.
>>>>
>>>> I still can't believe that no-one else has this problem, it appeared
>>>> after the last SELinux update.
>>>
>>> You aren't the only one. IIRC I edited out the offending clause that had
>>> the syntax error, did a "make reload"
>>> in /etc/sysconfig/selinux/src/targeted/policy (which then worked) and
>>> then put back in the offending clause and did another "make reload". It
>>> seemed to be happy then.
>>>
>>> Paul.
>>>
>> What was the offending clause? I have not been able to reproduce this.
>
>
> Erik wrote:
>
>> Yes, and here is what make told me:
>>
>> [root@epo policy]# make reload
>> mkdir -p /etc/selinux/targeted/policy
>> /usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
>> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
>> domains/unconfined.te:19:ERROR 'syntax error' at token '{' on line 3894:
>> typeattribute tty_device_t { tty_device_t devpts_t };
>> typealias unconfined_t alias { kernel_t init_t initrc_t logrotate_t
>> sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
>> /usr/bin/checkpolicy:  error(s) encountered while parsing configuration
>> make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
>> [root@epo policy]#
>
>
> This is the same thing I saw. It was a few days ago, I didn't write 
> down exactly what I did to fix it and unfortunately I'm unable to 
> reproduce this problem now.
>
> All I can think of right now is that the policy.conf above appears to 
> be built from a combination of the 1.17.30-3.2 and 1.17.30-3.9 sources.
>
> The 1.17.30-3.2 version of domains/unconfined.te has:
>
> define(`admin_tty_type', `{ tty_device_t devpts_t }')
>
> (this definition can also be found in types/apache.te)
>
> The 1.17.30-3.9 version of domains/unconfined.te has (at line 19):
>
> typeattribute tty_device_t admin_tty_type;
>
> If the "old" macro definition is still around somehow, this results in 
> expanded text of:
>
> typeattribute tty_device_t { tty_device_t devpts_t };
>
> and there's the syntax error that appears in the error message above.
>
> I haven't figured out how this happens yet, but someone with a 
> still-broken system might be able to provide sufficient data to 
> diagnose it.
>
> Paul.
>
Yes but the apache.te file should have been updated at the same time, 
that is the weird part.
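
The collision described in the quoted analysis can be checked for mechanically. The following is an added example, not part of the original thread or of the selinux-policy sources: it scans policy source text for names that are defined as m4 macros in one file and used as attribute names in a `typeattribute` statement in another. The function names and the sample strings are constructed for illustration, and the regular expressions only approximate m4 (flat, un-nested macro bodies).

```python
import pathlib
import re
import sys

# Constructed samples modelled on the two package versions quoted in the thread.
OLD_APACHE_TE = "define(`admin_tty_type', `{ tty_device_t devpts_t }')\n"
NEW_UNCONFINED_TE = "typeattribute tty_device_t admin_tty_type;\n"

# Simplification: only flat m4 bodies (no nested quotes) are recognised.
DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`([^']*)'\)")
TYPEATTR_RE = re.compile(r"\s*typeattribute\s+\w+\s+([^;]+);")


def collect_macros(sources):
    """Map macro name -> (defining file, body) for every m4 define()."""
    macros = {}
    for fname, text in sources.items():
        for m in DEFINE_RE.finditer(text):
            macros[m.group(1)] = (fname, m.group(2))
    return macros


def find_collisions(sources):
    """List typeattribute statements whose attribute name m4 would expand."""
    macros = collect_macros(sources)
    hits = []
    for fname, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            stmt = TYPEATTR_RE.match(line)
            if not stmt:
                continue
            for attr in re.findall(r"\w+", stmt.group(1)):
                if attr in macros:
                    src, body = macros[attr]
                    expanded = re.sub(rf"\b{attr}\b", lambda _: body, line)
                    hits.append((fname, lineno, attr, src, expanded))
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan every .te file under a policy source directory
        root = pathlib.Path(sys.argv[1])
        sources = {str(p): p.read_text(errors="replace") for p in root.rglob("*.te")}
    else:
        sources = {"types/apache.te": OLD_APACHE_TE,
                   "domains/unconfined.te": NEW_UNCONFINED_TE}
    for fname, lineno, attr, src, expanded in find_collisions(sources):
        print(f"{fname}:{lineno}: '{attr}' is still an m4 macro from {src}")
        print(f"    expands to: {expanded}")
```

Run with a policy source directory as the only argument to scan its `.te` files; a reported hit means a stale file from an older package is still being pulled into `policy.conf`.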
