1:35 a.m.
14-oct-05
Hello:
Problem Summary:
Two FC3 systems running permissive-targeted with identical error messages.
targeted source rpm: selinux-policy-targeted-sources-1.17.30-3.16
'seinfo' run on umodified policy.conf reports syntax error in policy.
'sestatus' shows policy version 19 but policy files are policy.18
'checkpolicy' errors out on failure to open policy.conf
Details:
I have just started to work with SELinux, on my two Fedora Core 3, i686 systems.
I am getting identical errors on both systems that I hope can be
easily explained:
During initial installation of FC3, I installed the targeted-binary policy and
have been running in the default permissive-targeted mode.
Recently I downloaded and installed the policy-targeted-source,
policy-strict-source,
and policy-strict rpm packages via yum so that I could begin to learn more about
SELinux policy configuration.
Here are the system identifications:
65 ellipse:~> uname -a
Linux ellipse 2.6.12-1.1378_FC3.stk16 #1 Thu Sep 22 13:41:41 EDT 2005 i686 i686
i386 GNU/Linux
41 torus:~> uname -a
Linux torus 2.6.13 #1 Mon Sep 5 16:37:24 ICT 2005 i686 i686 i386 GNU/Linux
Here is a listing of the installed selinux packages on both systems:
selinux-policy-targeted-sources-1.17.30-3.16
selinux-policy-strict-1.19.10-2
libselinux-1.19.1-8
selinux-policy-targeted-1.17.30-3.16
libselinux-devel-1.19.1-8
selinux-policy-strict-sources-1.19.10-2
selinux-doc-1.14.1-1
setools-1.4.1-5
setools-gui-1.4.1-5
checkpolicy-1.17.5-1.2
The following error/status conditions are identical on both systems:
When running a test of seinfo against the default installation on both systems
I get this error message:
'seinfo /etc/selinux/targeted/src/policy/policy.conf'
error in the statement ending on line 3675 (token 'typeattribute'):
syntax errorerror(s) encountered while parsing configuration (first
pass, line: 3675)
error reading policy
A partial listing of policy.conf showing the putative syntax error location:
3666
3667 type unconfined_t, domain, privuser, privhome, privrole, privowner, admi
3667 n, auth_write, fs_domain, privmem;
3668 role system_r types unconfined_t;
3669 role user_r types unconfined_t;
3669 role user_r types unconfined_t;
3671
3672 #line 11
3673
3674 #line 11
-->> 3675 typeattribute unconfined_t unrestricted;
3676 #line 11
3677
I find it hard to believe that the default, umodified policy.conf
would be released with syntax errors.
Running seinfo against the binary policy returns:
66 ellipse:~> seinfo /etc/selinux/targeted/policy/policy.18
Statistics for policy file: /etc/selinux/targeted/policy/policy.18
Policy Version: v.18
Policy Type: binary
Classes: 55 Permissions: 205
Types: 343 Attributes: 0
Users: 3 Roles: 4
Booleans: 30 Cond. Expr.: 32
Allow: 17620 Neverallow: 0
Auditallow: 3 Dontaudit: 1204
Type_trans: 201 Type_change: 0
Role allow: 5 Role trans: 0
Initial SIDs: 0
Note the policy version is 18.
Running sestatus, on both systems I get this:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 19
Policy from config file:targeted
...
Note the Policy Version is listed as 19.
However, checking the policy file extents I see they are policy.18:
ls /etc/selinux/targeted/policy/
policy.18
ls /etc/selinux/strict/policy/
policy.18
However, checking the contents of the /etc/selinux/targeted/src/policy/VERSION
and /etc/selinux/strict/src/policy/VERSION files
I get 1.17 & 1.19 respectively.
Additionally, a check of the contents of /selinux/policyvers returns '19'.
Running 'checkpolicy', 'checkpolicy -c 18', & 'checkpolicy -d -c
18' all
fail with this error message:
checkpolicy: loading policy configuration from policy.conf
checkpolicy: unable to open policy.conf
running checkpolicy with '-c 19' returns an 'out of range' error message
Uninstalling the 'selinux-policy-strict' and
'selinux-policy-strict-sources'
rpms on one of the systems removes the /etc/selinux/strict tree from
that system but does not change the policy version showed by sestatus,
nor the error messages from seinfo and checkpolicy.
Any help will be appreciated.
Brgds
Bob
--
rhp.lpt(a)gmail.com
1:05 p.m.
On Fri, 2005-10-14 at 13:35 +0700, rhp wrote:
Problem Summary:
Two FC3 systems running permissive-targeted with identical error messages.
targeted source rpm: selinux-policy-targeted-sources-1.17.30-3.16
'seinfo' run on umodified policy.conf reports syntax error in policy.
You understand that SELinux userspace doesn't get updated in older
Fedora releases except in response to bug reports, right? So you have
an old version of setools that doesn't know about changes in the policy
language that have occurred since FC3 was shipped, and you have a policy
update that uses some of those new language features.
'sestatus' shows policy version 19 but policy files are
policy.18
Two different pieces of information:
- the first is the maximum binary policy format version supported by the
kernel you are running (FC3 shipped with a kernel that only supported
version 18, but you are running an update kernel that understands a
later version as well - but is fully compatible with the older version),
- the second is the binary policy format version generated by your
checkpolicy, which likely hasn't been updated since FC3 was shipped.
'checkpolicy' errors out on failure to open policy.conf
If you don't specify a path to a policy.conf file, it looks for it in
the current directory, so it will naturally fail if you aren't in the
policy source directory at that point.
Here is a listing of the installed selinux packages on both systems:
selinux-policy-targeted-sources-1.17.30-3.16
selinux-policy-strict-1.19.10-2
libselinux-1.19.1-8
selinux-policy-targeted-1.17.30-3.16
libselinux-devel-1.19.1-8
selinux-policy-strict-sources-1.19.10-2
selinux-doc-1.14.1-1
setools-1.4.1-5
setools-gui-1.4.1-5
checkpolicy-1.17.5-1.2
Yes, the userspace tools above are quite old.
When running a test of seinfo against the default installation on
both systems
I get this error message:
'seinfo /etc/selinux/targeted/src/policy/policy.conf'
error in the statement ending on line 3675 (token 'typeattribute'):
syntax errorerror(s) encountered while parsing configuration (first
pass, line: 3675)
error reading policy
New language statement introduced after FC3 shipped, so the FC3 tools
don't understand it. I'd hazard a guess that the update policy was
built using the latest toolchain rather than the actual ones on FC3.
Note the Policy Version is listed as 19.
That's the highest version supported by your kernel. It retains
backward compatibility with older versions though.
However, checking the policy file extents I see they are policy.18:
ls /etc/selinux/targeted/policy/
policy.18
ls /etc/selinux/strict/policy/
policy.18
That's the version generated by your checkpolicy.
However, checking the contents of the
/etc/selinux/targeted/src/policy/VERSION
and /etc/selinux/strict/src/policy/VERSION files
I get 1.17 & 1.19 respectively.
That's the release version of the upstream policy tarball from which the
policy package was built, not related to the binary policy format
version.
Additionally, a check of the contents of /selinux/policyvers returns
'19'.
Kernel version.
Running 'checkpolicy', 'checkpolicy -c 18', &
'checkpolicy -d -c 18' all
fail with this error message:
checkpolicy: loading policy configuration from policy.conf
checkpolicy: unable to open policy.conf
No policy.conf in your working directory? Specify a path to it
otherwise.
running checkpolicy with '-c 19' returns an 'out of
range' error message
Because you have an old checkpolicy that doesn't support that version.
Note: I'm just explaining - I don't maintain the SELinux packages for
Fedora in any way, just the upstream SELinux.
--
Stephen Smalley
National Security Agency
1:22 p.m.
On Fri, 2005-10-14 at 14:05 -0400, Stephen Smalley wrote:
You understand that SELinux userspace doesn't get updated in
older
Fedora releases except in response to bug reports, right? So you have
an old version of setools that doesn't know about changes in the policy
language that have occurred since FC3 was shipped, and you have a policy
update that uses some of those new language features.
FC3 is almost at its end of life anyway, right (end of the year, I
suppose, if it is supposed to track the FC5 test2 release)? FC4 was
released last June - might want to migrate to it.
--
Stephen Smalley
National Security Agency
2:14 a.m.
18-oct-05
Hello Stephen:
Thank's for the information, it certainly explained my problem.
I've upgraded setools and the other elements in the selinux tree as
far as I can go on my FC3 system w/o installing glibc-2.3.90.14, (e.g.
the latest version of setools, requires 'lib.so.6(GLIBC_2.4)' which it
seems first appears in that version of glibc).
I've currently got these installed:
checkpolicy-1.23.1-1
libselinux-1.23.10-2
libselinux-devel-1.23.10-2
libsepol-1.5.10-1.1
policycoreutils-1.23.10-2
selinux-doc-1.14.1-1
selinux-policy-targeted-sources-1.17.30-3.16
selinux-policy-targeted-1.17.30-3.16
setools-2.1.1-2
setools-gui-2.1.1-2
I'll deal with the glibc issue when I can upgrade to FC4 or FC5.
However, it will be awhile as I am not in the States and only have a
38.8k dialup line here.
'seinfo' is working so I hope the remainder or the tools are also and
that I can proceed with my persual of SELinux.
BTW: 'rpmfind.net' lists glibc-2.3.90.14 as being part of the FC5
tree, is that the tree you are presently working with for development
?
Again, many thanks for your help.
Brgds
Bob
On 10/15/05, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
On Fri, 2005-10-14 at 13:35 +0700, rhp wrote:
> Problem Summary:
>
> Two FC3 systems running permissive-targeted with identical error messages.
>
> targeted source rpm: selinux-policy-targeted-sources-1.17.30-3.16
>
> 'seinfo' run on umodified policy.conf reports syntax error in policy.
You understand that SELinux userspace doesn't get updated in older
Fedora releases except in response to bug reports, right? So you have
an old version of setools that doesn't know about changes in the policy
language that have occurred since FC3 was shipped, and you have a policy
update that uses some of those new language features.
> 'sestatus' shows policy version 19 but policy files are policy.18
Two different pieces of information:
- the first is the maximum binary policy format version supported by the
kernel you are running (FC3 shipped with a kernel that only supported
version 18, but you are running an update kernel that understands a
later version as well - but is fully compatible with the older version),
- the second is the binary policy format version generated by your
checkpolicy, which likely hasn't been updated since FC3 was shipped.
> 'checkpolicy' errors out on failure to open policy.conf
If you don't specify a path to a policy.conf file, it looks for it in
the current directory, so it will naturally fail if you aren't in the
policy source directory at that point.
> Here is a listing of the installed selinux packages on both systems:
>
> selinux-policy-targeted-sources-1.17.30-3.16
> selinux-policy-strict-1.19.10-2
> libselinux-1.19.1-8
> selinux-policy-targeted-1.17.30-3.16
> libselinux-devel-1.19.1-8
> selinux-policy-strict-sources-1.19.10-2
> selinux-doc-1.14.1-1
> setools-1.4.1-5
> setools-gui-1.4.1-5
> checkpolicy-1.17.5-1.2
Yes, the userspace tools above are quite old.
> When running a test of seinfo against the default installation on both systems
> I get this error message:
>
> 'seinfo /etc/selinux/targeted/src/policy/policy.conf'
>
> error in the statement ending on line 3675 (token 'typeattribute'):
> syntax errorerror(s) encountered while parsing configuration (first
> pass, line: 3675)
> error reading policy
New language statement introduced after FC3 shipped, so the FC3 tools
don't understand it. I'd hazard a guess that the update policy was
built using the latest toolchain rather than the actual ones on FC3.
> Note the Policy Version is listed as 19.
That's the highest version supported by your kernel. It retains
backward compatibility with older versions though.
> However, checking the policy file extents I see they are policy.18:
>
> ls /etc/selinux/targeted/policy/
> policy.18
> ls /etc/selinux/strict/policy/
> policy.18
That's the version generated by your checkpolicy.
> However, checking the contents of the /etc/selinux/targeted/src/policy/VERSION
> and /etc/selinux/strict/src/policy/VERSION files
> I get 1.17 & 1.19 respectively.
That's the release version of the upstream policy tarball from which the
policy package was built, not related to the binary policy format
version.
> Additionally, a check of the contents of /selinux/policyvers returns '19'.
Kernel version.
> Running 'checkpolicy', 'checkpolicy -c 18', & 'checkpolicy
-d -c 18' all
> fail with this error message:
>
> checkpolicy: loading policy configuration from policy.conf
> checkpolicy: unable to open policy.conf
No policy.conf in your working directory? Specify a path to it
otherwise.
> running checkpolicy with '-c 19' returns an 'out of range' error
message
Because you have an old checkpolicy that doesn't support that version.
Note: I'm just explaining - I don't maintain the SELinux packages for
Fedora in any way, just the upstream SELinux.
--
Stephen Smalley
National Security Agency
--
rhp.lpt(a)gmail.com
7:19 a.m.
On Tue, 2005-10-18 at 14:14 +0700, rhp wrote:
18-oct-05
Hello Stephen:
Thank's for the information, it certainly explained my problem.
I've upgraded setools and the other elements in the selinux tree as
far as I can go on my FC3 system w/o installing glibc-2.3.90.14, (e.g.
the latest version of setools, requires 'lib.so.6(GLIBC_2.4)' which it
seems first appears in that version of glibc).
You could alternatively just build the latest from source on your own
system so that they don't pick up a dependency on the newer glibc,
either grabbing the rawhide SRPMS or the upstream source tarballs
(setools from tresys.com, the core SELinux userland from the sourceforge
CVS tree). But if what you have is working, then you may not want to
risk moving to the bleeding edge ;)
'seinfo' is working so I hope the remainder or the tools are
also and
that I can proceed with my persual of SELinux.
BTW: 'rpmfind.net' lists glibc-2.3.90.14 as being part of the FC5
tree, is that the tree you are presently working with for development
?
Yes, we are working off the development tree aka rawhide which will
become FC5. The rough schedule is over at
http://fedora.redhat.com/participate/schedule/
--
Stephen Smalley
National Security Agency
6774
days inactive
6778
days old
selinux@lists.fedoraproject.org
4 comments
2 participants
participants (2)
-
rhp -
Stephen Smalley