Paul Howarth wrote:
Daniel J Walsh wrote:
Paul Howarth wrote:
Daniel J Walsh wrote:
Paul Howarth wrote:
On Mon, 2005-06-20 at 13:52 -0400, Paul Davis wrote:
I have the exact same error, however when I check the System Tools -
Systems Logs SELinux appears to load without any problems.
I still can't believe that no-one else has this problem, it appeared
after the last SELinux update.
You aren't the only one. IIRC I edited out the offending clause that had
the syntax error, did a "make reload"
in /etc/sysconfig/selinux/src/targeted/policy (which then worked) and
then put back in the offending clause and did another "make reload". It
seemed to be happy then.
Paul.
What was the offending clause? I have not been able to reproduce this.
Erik wrote:
Yes, and here is what make told me:
[root@epo policy]# make reload
mkdir -p /etc/selinux/targeted/policy
/usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/unconfined.te:19:ERROR 'syntax error' at token '{' on line 3894:
typeattribute tty_device_t { tty_device_t devpts_t };
typealias unconfined_t alias { kernel_t init_t initrc_t logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
[root@epo policy]#
This is the same thing I saw. It was a few days ago, I didn't write
down exactly what I did to fix it and unfortunately I'm unable to
reproduce this problem now.
All I can think of right now is that the policy.conf above appears
to be built from a combination of the 1.17.30-3.2 and 1.17.30-3.9
sources.
The 1.17.30-3.2 version of domains/unconfined.te has:
define(`admin_tty_type', `{ tty_device_t devpts_t }')
(this definition can also be found in types/apache.te)
The 1.17.30-3.9 version of domains/unconfined.te has (at line 19):
typeattribute tty_device_t admin_tty_type;
If the "old" macro definition is still around somehow, this results
in expanded text of:
typeattribute tty_device_t { tty_device_t devpts_t };
and there's the syntax error that appears in the error message above.
I haven't figured out how this happens yet, but someone with a
still-broken system might be able to provide sufficient data to
diagnose it.
Paul.
Yes but the apache.te file should have been updated at the same time,
that is the weird part.
I think I've got it. The problem occurs when somebody makes local
policy changes in the time interval between the updated
selinux-policy-targeted-sources RPM being packaged and that package
being installed. The result of this is that policy.conf appears to be
"up to date" as far as the Makefile is concerned when the updated
policy sources are installed, so it doesn't get regenerated from the
updated sources. Hence the effects of the old
"define(`admin_tty_type', `{ tty_device_t devpts_t }')" are still in
the policy.conf file and you get the syntax error.
Simple fix for people affected by this:
# cd /etc/selinux/targeted/src/policy
# touch domains/misc/local.te
# make reload
Possible fix for the RPM: remove policy.conf before doing the make in
the postinstall script.
Paul.
Good idea, I will try that in the next update.
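
The stale-policy.conf condition diagnosed above, as an added example that is not part of the original thread or of the policy Makefile: a check that separates make's view of policy.conf (source mtimes only) from whether it predates the installation of the sources. The function names, state labels and timeline are constructed; it assumes GNU coreutils and that policy.conf is rebuilt whenever a *.te file under the source directory is newer than it.

```shell
#!/bin/sh
# Added example; assumes GNU coreutils (stat -c, date -d) and that policy.conf
# is rebuilt whenever a *.te file under the source directory is newer than it.

# policy_conf_state DIR INSTALL_EPOCH prints one of:
#   missing             no policy.conf yet, make will build it
#   make-would-rebuild  some .te file is newer than policy.conf
#   stale               make sees policy.conf as current, but it predates the
#                       installation of the sources it is supposed to reflect
#   current             policy.conf was built after the sources were installed
policy_conf_state() {
    dir=$1; installed=$2; conf="$dir/policy.conf"
    if [ ! -f "$conf" ]; then echo missing; return 0; fi
    # make's view: only source mtimes count, and RPM restores the mtimes
    # recorded at package build time, not the time of installation.
    newer=$(find "$dir" -name '*.te' -newer "$conf" -print | head -n 1)
    if [ -n "$newer" ]; then echo make-would-rebuild; return 0; fi
    if [ "$(stat -c %Y "$conf")" -lt "$installed" ]; then
        echo stale
    else
        echo current
    fi
}

# Constructed timeline: package built 10 June, local edit and "make reload"
# on 15 June, updated sources installed 18 June.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/domains/misc"
    : > "$d/domains/unconfined.te";  touch -t 200506101200 "$d/domains/unconfined.te"
    : > "$d/domains/misc/local.te";  touch -t 200506150900 "$d/domains/misc/local.te"
    : > "$d/policy.conf";            touch -t 200506151200 "$d/policy.conf"
    installed=$(date -d '2005-06-18 12:00' +%s)
    before=$(policy_conf_state "$d" "$installed")
    touch "$d/domains/misc/local.te"   # the fix given in the thread
    after=$(policy_conf_state "$d" "$installed")
    rm -rf "$d"
    echo "$before $after"
}

demo
```

On an affected system the install time can be taken from `rpm -q --qf '%{INSTALLTIME}\n' selinux-policy-targeted-sources` and passed as the second argument.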