Stephen,
Thanks.
This particular systems is running 'stock' selinux-policy-strict files
(i.e.,
selinux-policy-strict-sources is installed, but not modified).
From your response (and from my reading of the develops on
selinux(a)tycho.nsa.gov), I'm guessing that the best thing to do is just
wait for the other rpm's to 'catch up'.
It appears that the 'yum' process left me with my current policy.18
file (dated Aug-1) and a policy.18.rpmnew (dated Aug-8) (from
the selinux-policy-strict package, I believe), so I'm guessing
I have 'valid' policy files for the 'current' (i.e.,
selinux-policy-strict-1.15.11)
and the 'new' (i.e., selinux-policy-strict-1.15.13) environments.
I should have enough to 'keep running' until the new packages
come (Thanks Dan!).
thanks again,
tom
------------------------------------------------------------------------
* /From/: Stephen Smalley <sds epoch ncsc mil>
------------------------------------------------------------------------
On Mon, 2004-08-09 at 11:46, Tom London wrote:
> Seems to be an error in the latest selinux-policy-strict-sources from
> Rawhide:
> tom
>
> selinux-policy-strict-sources 100 % done 67/459
> make: Entering directory `/etc/selinux/strict/src/policy'
> mkdir -p /etc/selinux/strict/policy
> /usr/bin/checkpolicy -o /etc/selinux/strict/policy/policy.18 policy.conf
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> domains/user.te:70:ERROR 'syntax error' at token ')' on line 43573:
> #line 70
> if () {
> /usr/bin/checkpolicy: error(s) encountered while parsing configuration
> make: *** [/etc/selinux/strict/policy/policy.18] Error 1
> make: Leaving directory `/etc/selinux/strict/src/policy'
Side effect of converting many of the compile-time tunables to runtime
booleans - if you have a customized tunables.tun file, then it is left
intact by rpm, and m4 ends up defining away the boolean in the policy
sources. If you have customized your tunables, then move aside your
tunable.tun file and replace it with the .rpmnew file and then customize
it again. You'll also need a /etc/selinux/$SELINUXTYPE/booleans file to
customize the booleans (but I don't think Dan has built a
policycoreutils yet that includes the updated load_policy to pull
boolean settings from it).
--
Stephen Smalley <sds epoch ncsc mil>
National Security Agency