seinfo on default unmodified policy.conf reports policy syntax error

rhp rhp.lpt at gmail.com
Tue Oct 18 07:14:50 UTC 2005


18-oct-05

Hello Stephen:

Thanks for the information, it certainly explained my problem.

I've upgraded setools and the other elements in the selinux tree as
far as I can go on my FC3 system w/o installing glibc-2.3.90.14 (e.g.
the latest version of setools requires 'libc.so.6(GLIBC_2.4)', which it
seems first appears in that version of glibc).

I've currently got these installed:

checkpolicy-1.23.1-1
libselinux-1.23.10-2
libselinux-devel-1.23.10-2
libsepol-1.5.10-1.1
policycoreutils-1.23.10-2
selinux-doc-1.14.1-1
selinux-policy-targeted-sources-1.17.30-3.16
selinux-policy-targeted-1.17.30-3.16
setools-2.1.1-2
setools-gui-2.1.1-2

I'll deal with the glibc issue when I can upgrade to FC4 or FC5.

However, it will be awhile as I am not in the States and only have a
38.8k dialup line here.

'seinfo' is working so I hope the remainder of the tools are also and
that I can proceed with my perusal of SELinux.

BTW: 'rpmfind.net' lists glibc-2.3.90.14 as being part of the FC5
tree, is that the tree you are presently working with for development?

Again, many thanks for your help.
Brgds
Bob


On 10/15/05, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On Fri, 2005-10-14 at 13:35 +0700, rhp wrote:
> > Problem Summary:
> >
> > Two FC3 systems running permissive-targeted with identical error messages.
> >
> > targeted source rpm: selinux-policy-targeted-sources-1.17.30-3.16
> >
> > 'seinfo' run on unmodified policy.conf reports syntax error in policy.
>
> You understand that SELinux userspace doesn't get updated in older
> Fedora releases except in response to bug reports, right?  So you have
> an old version of setools that doesn't know about changes in the policy
> language that have occurred since FC3 was shipped, and you have a policy
> update that uses some of those new language features.
>
> > 'sestatus' shows policy version 19 but policy files are policy.18
>
> Two different pieces of information:
> - the first is the maximum binary policy format version supported by the
> kernel you are running (FC3 shipped with a kernel that only supported
> version 18, but you are running an update kernel that understands a
> later version as well - but is fully compatible with the older version),
> - the second is the binary policy format version generated by your
> checkpolicy, which likely hasn't been updated since FC3 was shipped.
>
> > 'checkpolicy' errors out on failure to open policy.conf
>
> If you don't specify a path to a policy.conf file, it looks for it in
> the current directory, so it will naturally fail if you aren't in the
> policy source directory at that point.
>
> > Here is a listing of the installed selinux packages on both systems:
> >
> > selinux-policy-targeted-sources-1.17.30-3.16
> > selinux-policy-strict-1.19.10-2
> > libselinux-1.19.1-8
> > selinux-policy-targeted-1.17.30-3.16
> > libselinux-devel-1.19.1-8
> > selinux-policy-strict-sources-1.19.10-2
> > selinux-doc-1.14.1-1
> > setools-1.4.1-5
> > setools-gui-1.4.1-5
> > checkpolicy-1.17.5-1.2
>
> Yes, the userspace tools above are quite old.
>
> > When running a test of seinfo against the default installation on both systems
> > I get this error message:
> >
> > 'seinfo /etc/selinux/targeted/src/policy/policy.conf'
> >
> > error in the statement ending on line 3675 (token 'typeattribute'):
> > syntax errorerror(s) encountered while parsing configuration (first
> > pass, line: 3675)
> > error reading policy
>
> New language statement introduced after FC3 shipped, so the FC3 tools
> don't understand it.  I'd hazard a guess that the update policy was
> built using the latest toolchain rather than the actual ones on FC3.
>
> > Note the Policy Version is listed as 19.
>
> That's the highest version supported by your kernel.  It retains
> backward compatibility with older versions though.
>
> > However, checking the policy file extents I see they are policy.18:
> >
> > ls /etc/selinux/targeted/policy/
> > policy.18
> > ls /etc/selinux/strict/policy/
> > policy.18
>
> That's the version generated by your checkpolicy.
>
> > However, checking the contents of the /etc/selinux/targeted/src/policy/VERSION
> > and /etc/selinux/strict/src/policy/VERSION files
> > I get 1.17 & 1.19 respectively.
>
> That's the release version of the upstream policy tarball from which the
> policy package was built, not related to the binary policy format
> version.
>
> > Additionally, a check of the contents of /selinux/policyvers returns '19'.
>
> Kernel version.
>
> > Running 'checkpolicy', 'checkpolicy -c 18', & 'checkpolicy -d -c 18' all
> > fail with this error message:
> >
> > checkpolicy:  loading policy configuration from policy.conf
> > checkpolicy:  unable to open policy.conf
>
> No policy.conf in your working directory?  Specify a path to it
> otherwise.
>
> > running checkpolicy with '-c 19' returns an 'out of range' error message
>
> Because you have an old checkpolicy that doesn't support that version.
>
> Note:  I'm just explaining - I don't maintain the SELinux packages for
> Fedora in any way, just the upstream SELinux.
>
> --
> Stephen Smalley
> National Security Agency
>
>


--
rhp.lpt at gmail.com




More information about the fedora-selinux-list mailing list