seinfo on default unmodified policy.conf reports policy syntax error

Stephen Smalley sds at tycho.nsa.gov
Fri Oct 14 18:05:36 UTC 2005


On Fri, 2005-10-14 at 13:35 +0700, rhp wrote:
> Problem Summary:
> 
> Two FC3 systems running permissive-targeted with identical error messages.
> 
> targeted source rpm: selinux-policy-targeted-sources-1.17.30-3.16
> 
> 'seinfo' run on unmodified policy.conf reports syntax error in policy.

You understand that SELinux userspace doesn't get updated in older
Fedora releases except in response to bug reports, right?  So you have
an old version of setools that doesn't know about changes in the policy
language that have occurred since FC3 was shipped, and you have a policy
update that uses some of those new language features.

> 'sestatus' shows policy version 19 but policy files are policy.18

Two different pieces of information:
- the first is the maximum binary policy format version supported by the
kernel you are running (FC3 shipped with a kernel that only supported
version 18, but you are running an update kernel that understands a
later version as well - but is fully compatible with the older version),
- the second is the binary policy format version generated by your
checkpolicy, which likely hasn't been updated since FC3 was shipped.

> 'checkpolicy' errors out on failure to open policy.conf

If you don't specify a path to a policy.conf file, it looks for it in
the current directory, so it will naturally fail if you aren't in the
policy source directory at that point.

> Here is a listing of the installed selinux packages on both systems:
> 
> selinux-policy-targeted-sources-1.17.30-3.16
> selinux-policy-strict-1.19.10-2
> libselinux-1.19.1-8
> selinux-policy-targeted-1.17.30-3.16
> libselinux-devel-1.19.1-8
> selinux-policy-strict-sources-1.19.10-2
> selinux-doc-1.14.1-1
> setools-1.4.1-5
> setools-gui-1.4.1-5
> checkpolicy-1.17.5-1.2

Yes, the userspace tools above are quite old.

> When running a test of seinfo against the default installation on both systems
> I get this error message:
> 
> 'seinfo /etc/selinux/targeted/src/policy/policy.conf'
> 
> error in the statement ending on line 3675 (token 'typeattribute'):
> syntax errorerror(s) encountered while parsing configuration (first
> pass, line: 3675)
> error reading policy

New language statement introduced after FC3 shipped, so the FC3 tools
don't understand it.  I'd hazard a guess that the update policy was
built using the latest toolchain rather than the actual ones on FC3.

> Note the Policy Version is listed as 19.

That's the highest version supported by your kernel.  It retains
backward compatibility with older versions though.

> However, checking the policy file extents I see they are policy.18:
> 
> ls /etc/selinux/targeted/policy/
> policy.18
> ls /etc/selinux/strict/policy/
> policy.18

That's the version generated by your checkpolicy.

> However, checking the contents of the /etc/selinux/targeted/src/policy/VERSION
> and /etc/selinux/strict/src/policy/VERSION files
> I get 1.17 & 1.19 respectively.

That's the release version of the upstream policy tarball from which the
policy package was built, not related to the binary policy format
version.

> Additionally, a check of the contents of /selinux/policyvers returns '19'.

Kernel version.

> Running 'checkpolicy', 'checkpolicy -c 18', & 'checkpolicy -d -c 18' all
> fail with this error message:
> 
> checkpolicy:  loading policy configuration from policy.conf
> checkpolicy:  unable to open policy.conf

No policy.conf in your working directory?  Specify a path to it
otherwise.

> running checkpolicy with '-c 19' returns an 'out of range' error message

Because you have an old checkpolicy that doesn't support that version.

Note:  I'm just explaining - I don't maintain the SELinux packages for
Fedora in any way, just the upstream SELinux.

-- 
Stephen Smalley
National Security Agency
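A small diagnostic script, added here as an example and not part of the thread, that pulls out the three numbers the reply distinguishes (the kernel's maximum binary format version from /selinux/policyvers, the suffix of the policy.N file that checkpolicy wrote, and the upstream release from the source tree's VERSION file) and reports whether the kernel can load that binary. The paths are parameters; the real locations on the poster's FC3 box are assumed to be the ones named in the thread, and on current kernels the policyvers file lives under /sys/fs/selinux instead.

```shell
#!/bin/sh
# Diagnose the three "policy version" numbers the thread conflates.
# Paths are parameters so the check can run against a constructed tree;
# on the poster's FC3 system they would be /selinux/policyvers,
# /etc/selinux/targeted/policy and /etc/selinux/targeted/src/policy/VERSION.

# Highest binary policy format version the running kernel accepts.
kernel_policy_vers() {
    tr -d '[:space:]' < "$1"
}

# Binary policy format version actually produced by checkpolicy:
# the numeric suffix of the newest policy.N file in the policy directory.
binary_policy_vers() {
    ls "$1" 2>/dev/null | sed -n 's/^policy\.\([0-9][0-9]*\)$/\1/p' | sort -n | tail -n 1
}

# Upstream policy release recorded in the source tree's VERSION file;
# unrelated to the binary format version despite the similar name.
upstream_policy_release() {
    tr -d '[:space:]' < "$1"
}

# Print all three and return 0 when the kernel can load the binary policy
# (binary version <= kernel maximum), 1 when the policy is too new for
# the kernel, 2 when no policy.N file was found at all.
check_policy_versions() {
    kvers=$(kernel_policy_vers "$1")
    bvers=$(binary_policy_vers "$2")
    rel=$(upstream_policy_release "$3")
    echo "kernel max binary format version: $kvers"
    echo "binary policy format version:     ${bvers:-none}"
    echo "upstream policy release:          $rel"
    [ -n "$bvers" ] || return 2
    if [ "$bvers" -le "$kvers" ]; then
        echo "kernel can load policy.$bvers (older formats stay loadable)"
        return 0
    fi
    echo "policy.$bvers is newer than this kernel supports"
    return 1
}
```

Run as `check_policy_versions /selinux/policyvers /etc/selinux/targeted/policy /etc/selinux/targeted/src/policy/VERSION` on a system of that era; the poster's setup (kernel 19, policy.18, VERSION 1.17) reports the policy as loadable.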
