Invalid context with latest SELinux update

Paul Howarth paul at city-fan.org
Tue Jun 21 15:30:39 UTC 2005


Daniel J Walsh wrote:
> Paul Howarth wrote:
>
>> On Mon, 2005-06-20 at 13:52 -0400, Paul Davis wrote:
>>
>>> I have the exact same error, however when I check the System Tools ->
>>> Systems Logs SELinux appears to load without any problems.
>>>
>>> I still can't believe that no-one else has this problem, it appeared
>>> after the last SELinux update.
>>
>> You aren't the only one. IIRC I edited out the offending clause that had
>> the syntax error, did a "make reload"
>> in /etc/sysconfig/selinux/src/targeted/policy (which then worked) and
>> then put back in the offending clause and did another "make reload". It
>> seemed to be happy then.
>>
>> Paul.
>
> What was the offending clause? I have not been able to reproduce this.

Erik wrote:
> Yes, and here is what make told me:
> 
> [root at epo policy]# make reload
> mkdir -p /etc/selinux/targeted/policy
> /usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18
> policy.conf
> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> domains/unconfined.te:19:ERROR 'syntax error' at token '{' on line 3894:
> typeattribute tty_device_t { tty_device_t devpts_t };
> typealias unconfined_t alias { kernel_t init_t initrc_t logrotate_t
> sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
> /usr/bin/checkpolicy:  error(s) encountered while parsing configuration
> make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
> [root at epo policy]#

This is the same thing I saw. It was a few days ago; I didn't write down 
exactly what I did to fix it, and unfortunately I'm unable to reproduce 
this problem now.

All I can think of right now is that the policy.conf above appears to be 
built from a combination of the 1.17.30-3.2 and 1.17.30-3.9 sources.

The 1.17.30-3.2 version of domains/unconfined.te has:

define(`admin_tty_type', `{ tty_device_t devpts_t }')

(this definition can also be found in types/apache.te)

The 1.17.30-3.9 version of domains/unconfined.te has (at line 19):

typeattribute tty_device_t admin_tty_type;

If the "old" macro definition is still around somehow, this results in 
expanded text of:

typeattribute tty_device_t { tty_device_t devpts_t };

and there's the syntax error that appears in the error message above.

I haven't figured out how this happens yet, but someone with a 
still-broken system might be able to provide sufficient data to diagnose it.

Paul.
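
The check below is an added example, not part of the original post or of the policy sources. It scans a policy source tree for names defined as m4 macros that are also used as the attribute in a typeattribute statement, which is the collision described in the message above. The function names and the sample tree are hypothetical; the two sample lines are the ones quoted in the message, placed in a constructed directory.

```shell
#!/bin/sh
# Added example (not from the thread): find m4 macro names that are also
# used as the attribute in a typeattribute statement.

# Print every NAME that appears as define(`NAME', ...) anywhere under $1.
macro_names() {
    grep -rhoE "define\(\`[A-Za-z0-9_]+'" "$1" 2>/dev/null |
        sed -e "s/^define(\`//" -e "s/'\$//" | sort -u
}

# Print file:line:statement for each "typeattribute TYPE NAME;" under $1
# whose NAME is also a macro name. m4 would expand NAME before checkpolicy
# parses the statement. This is a heuristic: it counts every define() in the
# tree, whether or not the build actually includes that file.
collisions() {
    macro_names "$1" | while read -r name; do
        grep -rnE "^[[:space:]]*typeattribute[[:space:]]+[A-Za-z0-9_]+[[:space:]]+$name[[:space:]]*;" "$1" || :
    done
}

# Constructed sample tree: an old-style macro definition left in
# types/apache.te next to the new-style statement in domains/unconfined.te.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/domains" "$d/types"
    printf '%s\n' "define(\`admin_tty_type', \`{ tty_device_t devpts_t }')" > "$d/types/apache.te"
    printf '%s\n' "typeattribute tty_device_t admin_tty_type;" > "$d/domains/unconfined.te"
    echo "$d"
}

# Run the check on the constructed tree, then clean up.
tree=$(demo_tree)
collisions "$tree"
rm -rf "$tree"
```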



