14-oct-05
Hello:
Problem Summary:
Two FC3 systems running permissive-targeted with identical error messages.
targeted source rpm: selinux-policy-targeted-sources-1.17.30-3.16
'seinfo' run on unmodified policy.conf reports syntax error in policy.
'sestatus' shows policy version 19 but policy files are policy.18
'checkpolicy' errors out on failure to open policy.conf
Details:
I have just started to work with SELinux, on my two Fedora Core 3, i686 systems.
I am getting identical errors on both systems that I hope can be
easily explained:
During initial installation of FC3, I installed the targeted-binary policy and
have been running in the default permissive-targeted mode.
Recently I downloaded and installed the policy-targeted-source, policy-strict-source,
and policy-strict rpm packages via yum so that I could begin to learn more about
SELinux policy configuration.
Here are the system identifications:
65 ellipse:~> uname -a
Linux ellipse 2.6.12-1.1378_FC3.stk16 #1 Thu Sep 22 13:41:41 EDT 2005 i686 i686
i386 GNU/Linux
41 torus:~> uname -a
Linux torus 2.6.13 #1 Mon Sep 5 16:37:24 ICT 2005 i686 i686 i386 GNU/Linux
Here is a listing of the installed selinux packages on both systems:
selinux-policy-targeted-sources-1.17.30-3.16
selinux-policy-strict-1.19.10-2
libselinux-1.19.1-8
selinux-policy-targeted-1.17.30-3.16
libselinux-devel-1.19.1-8
selinux-policy-strict-sources-1.19.10-2
selinux-doc-1.14.1-1
setools-1.4.1-5
setools-gui-1.4.1-5
checkpolicy-1.17.5-1.2
The following error/status conditions are identical on both systems:
When running a test of seinfo against the default installation on both systems
I get this error message:
'seinfo /etc/selinux/targeted/src/policy/policy.conf'
error in the statement ending on line 3675 (token 'typeattribute'):
syntax errorerror(s) encountered while parsing configuration (first
pass, line: 3675)
error reading policy
A partial listing of policy.conf showing the putative syntax error location:
3666
3667 type unconfined_t, domain, privuser, privhome, privrole, privowner, admin, auth_write, fs_domain, privmem;
3668 role system_r types unconfined_t;
3669 role user_r types unconfined_t;
3669 role user_r types unconfined_t;
3671
3672 #line 11
3673
3674 #line 11
-->> 3675 typeattribute unconfined_t unrestricted;
3676 #line 11
3677
I find it hard to believe that the default, unmodified policy.conf
would be released with syntax errors.
Running seinfo against the binary policy returns:
66 ellipse:~> seinfo /etc/selinux/targeted/policy/policy.18
Statistics for policy file: /etc/selinux/targeted/policy/policy.18
Policy Version: v.18
Policy Type: binary
Classes: 55 Permissions: 205
Types: 343 Attributes: 0
Users: 3 Roles: 4
Booleans: 30 Cond. Expr.: 32
Allow: 17620 Neverallow: 0
Auditallow: 3 Dontaudit: 1204
Type_trans: 201 Type_change: 0
Role allow: 5 Role trans: 0
Initial SIDs: 0
Note the policy version is 18.
Running sestatus, on both systems I get this:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 19
Policy from config file:targeted
...
Note the Policy Version is listed as 19.
However, checking the policy file extents I see they are policy.18:
ls /etc/selinux/targeted/policy/
policy.18
ls /etc/selinux/strict/policy/
policy.18
However, checking the contents of the /etc/selinux/targeted/src/policy/VERSION
and /etc/selinux/strict/src/policy/VERSION files
I get 1.17 & 1.19 respectively.
Additionally, a check of the contents of /selinux/policyvers returns '19'.
Running 'checkpolicy', 'checkpolicy -c 18', & 'checkpolicy -d -c 18' all
fail with this error message:
checkpolicy: loading policy configuration from policy.conf
checkpolicy: unable to open policy.conf
Running checkpolicy with '-c 19' returns an 'out of range' error message.
Uninstalling the 'selinux-policy-strict' and 'selinux-policy-strict-sources'
rpms on one of the systems removes the /etc/selinux/strict tree from
that system but does not change the policy version shown by sestatus,
nor the error messages from seinfo and checkpolicy.
Any help will be appreciated.
Brgds
Bob
--
rhp.lpt(a)gmail.com