[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Invalid context with latest SELinux update

Paul Howarth wrote:

Daniel J Walsh wrote:

Paul Howarth wrote:

Daniel J Walsh wrote:

Paul Howarth wrote:

On Mon, 2005-06-20 at 13:52 -0400, Paul Davis wrote:

I have the exact same error, however when I check the System Tools -

Systems Logs SELinux appears to load without any problems.

I still can't believe that no-one else has this problem, it appeared
after the last SELinux update.

You aren't the only one. IIRC I edited out the offending clause that had
the syntax error, did a "make reload"
in /etc/sysconfig/selinux/src/targeted/policy (which then worked) and
then put back in the offending clause and did another "make reload". It
seemed to be happy then.


What was the offending clause. I have not been able to reproduce this.

Erik wrote:

Yes, and here is what make told me:

[root epo policy]# make reload
mkdir -p /etc/selinux/targeted/policy
/usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18
/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/unconfined.te:19:ERROR 'syntax error' at token '{' on line 3894:
typeattribute tty_device_t { tty_device_t devpts_t };
typealias unconfined_t alias { kernel_t init_t initrc_t logrotate_t
sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
[root epo policy]#

This is the same thing I saw. It was a few days ago, I didn't write down exactly what I did to fix it and unfortunately I'm unable to reproduce this problem now.

All I can think of right now is that the policy.conf above appears to be built from a combination of the 1.17.30-3.2 and 1.17.30-3.9 sources.

The 1.17.30-3.2 version of domains/unconfined.te has:

define(`admin_tty_type', `{ tty_device_t devpts_t }')

(this definition can also be found in types/apache.te)

The 1.17.30-3.9 version of domains/unconfined.te has (at line 19):

typeattribute tty_device_t admin_tty_type;

If the "old" macro definition is still around somehow, this results in expanded text of:

typeattribute tty_device_t { tty_device_t devpts_t };

and there's the syntax error that appears in the error message above.

I haven't figured out how this happens yet, but someone with a still-broken system might be able to provide sufficient data to diagnose it.


Yes but the apache.te file should have been updated at the same time, that is the weird part.

I think I've got it. The problem occurs when somebody makes local policy changes in the time interval between the updated selinux-policy-targeted-sources RPM being packaged and that package being installed. The result of this is that policy.conf appears to be "up to date" as far as the Makefile is concerned when the updated policy sources are installed, so it doesn't get regenerated from the updated sources. Hence the effects of the old "define(`admin_tty_type', `{ tty_device_t devpts_t }')" are still in the policy.conf file and you get the syntax error.

Simple fix for people affected by this:
# cd /etc/selinux/targeted/src/policy
# touch domains/misc/local.te
# make reload

Possible fix for the RPM: remove policy.conf before doing the make in the postinstall script.


Good idea, I will try that in the next update.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]