error in 'make load'

Stephen Smalley sds at tycho.nsa.gov
Wed Mar 22 12:58:35 UTC 2006


On Wed, 2006-03-22 at 11:52 +0000, Martin Ebourne wrote:
> Stephen Smalley wrote:
> > On Mon, 2006-02-20 at 07:44 -0700, gf wrote:
> > > Hi,
> > > I am trying to update the httpd policy in selinux to allow access to port 8443.
> > > I thought that I could add the line
> > >   portcon tcp 8443  system_u:object_r:http_port_t
> > > to the file
> > >   /etc/selinux/targeted/src/policy/net_contents
> > > and recompile.
> > > 
> > > My first step was to download the sources:
> > >   selinux-policy-targeted-sources-1.17.30-2.110.rpm
> > > and install.
> > > 
> > > To check whether or not everything was working, I tried the following
> > > without altering any files:
> > > 
> > > [$ /etc/selinux/targeted/src/policy]:make load
> > > mkdir -p /etc/selinux/targeted/policy
> > > /usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
> > > /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> > > tmp/program_used_flags.te:2:ERROR 'syntax error' at token
> > > '/etc/selinux/targeted/src/policy/domains/program' on line 1164:
> > > /etc/selinux/targeted/src/policy/domains/program
> > > #line 1 "tmp/program_used_flags.te"
> > > /usr/bin/checkpolicy:  error(s) encountered while parsing configuration
> > > make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
> > 
> > Sounds like a bug in the policy Makefile in the generation of the
> > policy.conf file, as that string
> > ('/etc/selinux/targeted/src/policy/domains/program') shouldn't appear
> > in it.  Provide more context please, e.g. the lines around line 1164
> > of the policy.conf file.
> 
> I've just come across this error myself. I've got two updated FC4
> machines here both doing the same thing.
> 
> Turns out it's a 'cd' in the Makefile that is echoing the new directory
> and getting caught up in the destination file. The odd thing is that my
> shell setup has never had cd echoing the destination (it would annoy me
> - if I've just cd'd, I know where to!), so this must be something from
> Fedora.
> 
> Anyhow, the attached patch fixes it for me. Any chance this can make it
> upstream?
> 
> [Stephen, thanks for the clue that led me to find this!]

Example policy is no longer maintained upstream (obsoleted by the
reference policy, which is the basis for policy in FC5).  But you could
file a bugzilla against the FC4 policy to get it fixed there.

-- 
Stephen Smalley
National Security Agency
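
The failure described in this thread, a 'cd' whose printed directory ends up in a generated file, reproduced as an added example; it is not the attached patch (which is not shown here) and not code from the policy Makefile. It assumes the echo comes from CDPATH being set in the environment, which the thread does not confirm; the scratch directory and example.te are constructed.

```shell
#!/bin/sh
# Constructed reproduction: a scratch tree stands in for the policy source
# directory, and example.te stands in for the files the build concatenates.

# gen_conf MODE  (MODE is "naive" or "quiet"); writes the generated text to stdout.
gen_conf() {
    mode=$1
    work=$(mktemp -d) || return 1
    mkdir -p "$work/domains/program"
    echo "type example_t;" > "$work/domains/program/example.te"
    (
        # Assumption: CDPATH is set in the environment the build inherits.
        # A relative cd resolved through a non-empty CDPATH entry prints
        # the directory it landed in on stdout.
        CDPATH=$work
        cd / || exit 1
        if [ "$mode" = naive ]; then
            # cd's message is captured along with cat's output.
            ( cd domains/program && cat example.te )
        else
            # Discard cd's stdout so only the file contents are captured.
            ( cd domains/program > /dev/null && cat example.te )
        fi
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

echo "--- naive ---"; gen_conf naive
echo "--- quiet ---"; gen_conf quiet
```

In the naive case the first line of output is a bare directory path, which is the kind of stray token checkpolicy rejected above. Writing the operand as ./domains/program also avoids the CDPATH lookup.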




More information about the fedora-selinux-list mailing list