14-oct-05
Hello:
Problem Summary:
Two FC3 systems running permissive-targeted with identical error messages.
targeted source rpm: selinux-policy-targeted-sources-1.17.30-3.16
'seinfo' run on unmodified policy.conf reports syntax error in policy. 'sestatus' shows policy version 19 but policy files are policy.18. 'checkpolicy' errors out on failure to open policy.conf.
Details:
I have just started to work with SELinux, on my two Fedora Core 3, i686 systems.
I am getting identical errors on both systems that I hope can be easily explained:
During initial installation of FC3, I installed the targeted-binary policy and have been running in the default permissive-targeted mode.
Recently I downloaded and installed the policy-targeted-source, policy-strict-source, and policy-strict rpm packages via yum so that I could begin to learn more about SELinux policy configuration.
Here are the system identifications:
65 ellipse:~> uname -a
Linux ellipse 2.6.12-1.1378_FC3.stk16 #1 Thu Sep 22 13:41:41 EDT 2005 i686 i686 i386 GNU/Linux
41 torus:~> uname -a
Linux torus 2.6.13 #1 Mon Sep 5 16:37:24 ICT 2005 i686 i686 i386 GNU/Linux
Here is a listing of the installed selinux packages on both systems:
selinux-policy-targeted-sources-1.17.30-3.16 selinux-policy-strict-1.19.10-2 libselinux-1.19.1-8 selinux-policy-targeted-1.17.30-3.16 libselinux-devel-1.19.1-8 selinux-policy-strict-sources-1.19.10-2 selinux-doc-1.14.1-1 setools-1.4.1-5 setools-gui-1.4.1-5 checkpolicy-1.17.5-1.2
The following error/status conditions are identical on both systems:
When running a test of seinfo against the default installation on both systems I get this error message:
'seinfo /etc/selinux/targeted/src/policy/policy.conf'
error in the statement ending on line 3675 (token 'typeattribute'): syntax error
error(s) encountered while parsing configuration (first pass, line: 3675)
error reading policy
A partial listing of policy.conf showing the putative syntax error location:
3666
3667 type unconfined_t, domain, privuser, privhome, privrole, privowner, admin, auth_write, fs_domain, privmem;
3668 role system_r types unconfined_t;
3669 role user_r types unconfined_t;
3671
3672 #line 11
3673
3674 #line 11
-->> 3675 typeattribute unconfined_t unrestricted;
3676 #line 11
3677
I find it hard to believe that the default, unmodified policy.conf would be released with syntax errors.
Running seinfo against the binary policy returns:
66 ellipse:~> seinfo /etc/selinux/targeted/policy/policy.18
Statistics for policy file: /etc/selinux/targeted/policy/policy.18
Policy Version: v.18
Policy Type: binary
Classes: 55
Permissions: 205
Types: 343
Attributes: 0
Users: 3
Roles: 4
Booleans: 30
Cond. Expr.: 32
Allow: 17620
Neverallow: 0
Auditallow: 3
Dontaudit: 1204
Type_trans: 201
Type_change: 0
Role allow: 5
Role trans: 0
Initial SIDs: 0
Note the policy version is 18.
Running sestatus, on both systems I get this:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 19
Policy from config file: targeted
...
Note the Policy Version is listed as 19.
However, checking the policy file extents I see they are policy.18:
ls /etc/selinux/targeted/policy/
policy.18
ls /etc/selinux/strict/policy/
policy.18
However, checking the contents of the /etc/selinux/targeted/src/policy/VERSION and /etc/selinux/strict/src/policy/VERSION files I get 1.17 & 1.19 respectively.
Additionally, a check of the contents of /selinux/policyvers returns '19'.
Running 'checkpolicy', 'checkpolicy -c 18', & 'checkpolicy -d -c 18' all fail with this error message:
checkpolicy: loading policy configuration from policy.conf
checkpolicy: unable to open policy.conf
Running checkpolicy with '-c 19' returns an 'out of range' error message.
Uninstalling the 'selinux-policy-strict' and 'selinux-policy-strict-sources' rpms on one of the systems removes the /etc/selinux/strict tree from that system but does not change the policy version showed by sestatus, nor the error messages from seinfo and checkpolicy.
Any help will be appreciated.
Brgds Bob -- rhp.lpt@gmail.com
On Fri, 2005-10-14 at 13:35 +0700, rhp wrote:
Problem Summary:
Two FC3 systems running permissive-targeted with identical error messages.
targeted source rpm: selinux-policy-targeted-sources-1.17.30-3.16
'seinfo' run on unmodified policy.conf reports syntax error in policy.
You understand that SELinux userspace doesn't get updated in older Fedora releases except in response to bug reports, right? So you have an old version of setools that doesn't know about changes in the policy language that have occurred since FC3 was shipped, and you have a policy update that uses some of those new language features.
'sestatus' shows policy version 19 but policy files are policy.18
Two different pieces of information:
- the first is the maximum binary policy format version supported by the kernel you are running (FC3 shipped with a kernel that only supported version 18, but you are running an update kernel that understands a later version as well - but is fully compatible with the older version),
- the second is the binary policy format version generated by your checkpolicy, which likely hasn't been updated since FC3 was shipped.
'checkpolicy' errors out on failure to open policy.conf
If you don't specify a path to a policy.conf file, it looks for it in the current directory, so it will naturally fail if you aren't in the policy source directory at that point.
Here is a listing of the installed selinux packages on both systems:
selinux-policy-targeted-sources-1.17.30-3.16 selinux-policy-strict-1.19.10-2 libselinux-1.19.1-8 selinux-policy-targeted-1.17.30-3.16 libselinux-devel-1.19.1-8 selinux-policy-strict-sources-1.19.10-2 selinux-doc-1.14.1-1 setools-1.4.1-5 setools-gui-1.4.1-5 checkpolicy-1.17.5-1.2
Yes, the userspace tools above are quite old.
When running a test of seinfo against the default installation on both systems I get this error message:
'seinfo /etc/selinux/targeted/src/policy/policy.conf'
error in the statement ending on line 3675 (token 'typeattribute'): syntax errorerror(s) encountered while parsing configuration (first pass, line: 3675) error reading policy
New language statement introduced after FC3 shipped, so the FC3 tools don't understand it. I'd hazard a guess that the update policy was built using the latest toolchain rather than the actual ones on FC3.
Note the Policy Version is listed as 19.
That's the highest version supported by your kernel. It retains backward compatibility with older versions though.
However, checking the policy file extents I see they are policy.18:
ls /etc/selinux/targeted/policy/
policy.18
ls /etc/selinux/strict/policy/
policy.18
That's the version generated by your checkpolicy.
However, checking the contents of the /etc/selinux/targeted/src/policy/VERSION and /etc/selinux/strict/src/policy/VERSION files I get 1.17 & 1.19 respectively.
That's the release version of the upstream policy tarball from which the policy package was built, not related to the binary policy format version.
Additionally, a check of the contents of /selinux/policyvers returns '19'.
Kernel version.
Running 'checkpolicy', 'checkpolicy -c 18', & 'checkpolicy -d -c 18' all fail with this error message:
checkpolicy: loading policy configuration from policy.conf
checkpolicy: unable to open policy.conf
No policy.conf in your working directory? Specify a path to it otherwise.
Running checkpolicy with '-c 19' returns an 'out of range' error message.
Because you have an old checkpolicy that doesn't support that version.
Note: I'm just explaining - I don't maintain the SELinux packages for Fedora in any way, just the upstream SELinux.
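The three numbers Stephen separates above (the kernel's maximum binary format, the format checkpolicy emitted into policy.<N>, and the "Policy version" line of sestatus) can be reconciled with a small script. This is an added example, not code from the thread or from the SELinux project; it assumes selinuxfs at /selinux (FC3) or /sys/fs/selinux (newer kernels), policy files named policy.<N>, and a constructed sestatus sample.

```shell
#!/bin/sh
# Added example: reconcile the kernel's maximum policy format with the installed policy file.
# Assumptions: selinuxfs at /selinux or /sys/fs/selinux; binary policies named policy.<N>.

# Highest binary policy format the running kernel will load; this is what sestatus reports.
kernel_max_policyvers() {
    for f in /selinux/policyvers /sys/fs/selinux/policyvers; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    return 1
}

# "Policy version:" field from captured sestatus output passed in $1.
sestatus_policy_version() {
    printf '%s\n' "$1" | sed -n 's/^Policy version:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Format version of the newest installed binary policy in directory $1 (policy.18 -> 18).
# This is whatever the local checkpolicy emitted, independent of the kernel's maximum.
installed_policy_file_version() {
    ls "$1"/policy.* 2>/dev/null | sed -n 's/.*policy\.\([0-9][0-9]*\)$/\1/p' | sort -n | tail -n 1
}

# Verdict for a kernel maximum ($1) and an installed file version ($2):
# "compatible" - the kernel loads older formats, so policy.18 on a version-19 kernel is fine;
# "too-new"    - the file is newer than the kernel understands and will not load.
policy_compat() {
    if [ "$2" -le "$1" ]; then echo compatible; else echo too-new; fi
}

# Constructed sample (not captured from a real host) of the sestatus lines quoted in the thread.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 19
Policy from config file:        targeted'

main() {
    # Off an SELinux box, fall back to the constructed sample and the thread's observed values.
    kv=$(kernel_max_policyvers) || kv=$(sestatus_policy_version "$SAMPLE_SESTATUS")
    fv=$(installed_policy_file_version /etc/selinux/targeted/policy)
    [ -n "$fv" ] || fv=18
    echo "kernel max format: $kv, installed file format: $fv -> $(policy_compat "$kv" "$fv")"
}
main
```

Run it on the FC3 box from the thread and it reports a version-19 kernel with a version-18 file as compatible, which is exactly the situation sestatus and ls appear to disagree about.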
On Fri, 2005-10-14 at 14:05 -0400, Stephen Smalley wrote:
You understand that SELinux userspace doesn't get updated in older Fedora releases except in response to bug reports, right? So you have an old version of setools that doesn't know about changes in the policy language that have occurred since FC3 was shipped, and you have a policy update that uses some of those new language features.
FC3 is almost at its end of life anyway, right (end of the year, I suppose, if it is supposed to track the FC5 test2 release)? FC4 was released last June - might want to migrate to it.
18-oct-05
Hello Stephen:
Thanks for the information, it certainly explained my problem.
I've upgraded setools and the other elements in the selinux tree as far as I can go on my FC3 system w/o installing glibc-2.3.90.14 (e.g. the latest version of setools requires 'lib.so.6(GLIBC_2.4)', which it seems first appears in that version of glibc).
I've currently got these installed:
checkpolicy-1.23.1-1 libselinux-1.23.10-2 libselinux-devel-1.23.10-2 libsepol-1.5.10-1.1 policycoreutils-1.23.10-2 selinux-doc-1.14.1-1 selinux-policy-targeted-sources-1.17.30-3.16 selinux-policy-targeted-1.17.30-3.16 setools-2.1.1-2 setools-gui-2.1.1-2
I'll deal with the glibc issue when I can upgrade to FC4 or FC5.
However, it will be awhile as I am not in the States and only have a 38.8k dialup line here.
'seinfo' is working, so I hope the remainder of the tools are also and that I can proceed with my perusal of SELinux.
BTW: 'rpmfind.net' lists glibc-2.3.90.14 as being part of the FC5 tree; is that the tree you are presently working with for development?
Again, many thanks for your help. Brgds Bob
On 10/15/05, Stephen Smalley sds@tycho.nsa.gov wrote:
-- Stephen Smalley National Security Agency
-- rhp.lpt@gmail.com
On Tue, 2005-10-18 at 14:14 +0700, rhp wrote:
18-oct-05
Hello Stephen:
Thanks for the information, it certainly explained my problem.
I've upgraded setools and the other elements in the selinux tree as far as I can go on my FC3 system w/o installing glibc-2.3.90.14 (e.g. the latest version of setools requires 'lib.so.6(GLIBC_2.4)', which it seems first appears in that version of glibc).
You could alternatively just build the latest from source on your own system so that they don't pick up a dependency on the newer glibc, either grabbing the rawhide SRPMS or the upstream source tarballs (setools from tresys.com, the core SELinux userland from the sourceforge CVS tree). But if what you have is working, then you may not want to risk moving to the bleeding edge ;)
'seinfo' is working, so I hope the remainder of the tools are also and that I can proceed with my perusal of SELinux.
BTW: 'rpmfind.net' lists glibc-2.3.90.14 as being part of the FC5 tree; is that the tree you are presently working with for development?
Yes, we are working off the development tree aka rawhide which will become FC5. The rough schedule is over at http://fedora.redhat.com/participate/schedule/
selinux@lists.fedoraproject.org