seinfo on default unmodified policy.conf reports policy syntax error

rhp rhp.lpt at gmail.com
Fri Oct 14 06:35:49 UTC 2005


14-oct-05

Hello:

Problem Summary:

Two FC3 systems running permissive-targeted with identical error messages.

targeted source rpm: selinux-policy-targeted-sources-1.17.30-3.16

'seinfo' run on unmodified policy.conf reports syntax error in policy.
'sestatus' shows policy version 19 but policy files are policy.18
'checkpolicy' errors out on failure to open policy.conf

Details:

I have just started to work with SELinux, on my two Fedora Core 3, i686 systems.

I am getting identical errors on both systems that I hope can be
easily explained:

During initial installation of FC3, I installed the targeted-binary policy and
have been running in the default permissive-targeted mode.

Recently I downloaded and installed the policy-targeted-source,
policy-strict-source, and policy-strict rpm packages via yum so that I
could begin to learn more about SELinux policy configuration.

Here are the system identifications:

65 ellipse:~> uname -a
Linux ellipse 2.6.12-1.1378_FC3.stk16 #1 Thu Sep 22 13:41:41 EDT 2005 i686 i686
i386 GNU/Linux

41 torus:~> uname -a
Linux torus 2.6.13 #1 Mon Sep 5 16:37:24 ICT 2005 i686 i686 i386 GNU/Linux

Here is a listing of the installed selinux packages on both systems:

selinux-policy-targeted-sources-1.17.30-3.16
selinux-policy-strict-1.19.10-2
libselinux-1.19.1-8
selinux-policy-targeted-1.17.30-3.16
libselinux-devel-1.19.1-8
selinux-policy-strict-sources-1.19.10-2
selinux-doc-1.14.1-1
setools-1.4.1-5
setools-gui-1.4.1-5
checkpolicy-1.17.5-1.2

The following error/status conditions are identical on both systems:

When running a test of seinfo against the default installation on both systems
I get this error message:

'seinfo /etc/selinux/targeted/src/policy/policy.conf'

error in the statement ending on line 3675 (token 'typeattribute'):
syntax errorerror(s) encountered while parsing configuration (first
pass, line: 3675)
error reading policy

A partial listing of policy.conf showing the putative syntax error location:

 3666
 3667 type unconfined_t, domain, privuser, privhome, privrole, privowner, admi
 3667 n, auth_write, fs_domain, privmem;
 3668 role system_r types unconfined_t;
 3669 role user_r types unconfined_t;
 3669 role user_r types unconfined_t;
 3671
 3672 #line 11
 3673
 3674 #line 11
 -->>  3675 typeattribute unconfined_t unrestricted;
 3676 #line 11
 3677

I find it hard to believe that the default, unmodified policy.conf
would be released with syntax errors.

Running seinfo against the binary policy returns:

66 ellipse:~> seinfo /etc/selinux/targeted/policy/policy.18

Statistics for policy file: /etc/selinux/targeted/policy/policy.18
Policy Version: v.18
Policy Type: binary

   Classes:           55    Permissions:      205
   Types:            343    Attributes:         0
   Users:              3    Roles:              4
   Booleans:          30    Cond. Expr.:       32
   Allow:          17620    Neverallow:         0
   Auditallow:         3    Dontaudit:       1204
   Type_trans:       201    Type_change:        0
   Role allow:         5    Role trans:         0
   Initial SIDs:       0

Note the policy version is 18.

Running sestatus, on both systems I get this:

SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           permissive
Mode from config file:  permissive
Policy version:         19
Policy from config file:targeted
...

Note the Policy Version is listed as 19.

However, checking the policy file extents I see they are policy.18:

ls /etc/selinux/targeted/policy/
policy.18
ls /etc/selinux/strict/policy/
policy.18

However, checking the contents of the /etc/selinux/targeted/src/policy/VERSION
and /etc/selinux/strict/src/policy/VERSION files
I get 1.17 & 1.19 respectively.

Additionally, a check of the contents of /selinux/policyvers returns '19'.

Running 'checkpolicy', 'checkpolicy -c 18', & 'checkpolicy -d -c 18' all
fail with this error message:

checkpolicy:  loading policy configuration from policy.conf
checkpolicy:  unable to open policy.conf

Running checkpolicy with '-c 19' returns an 'out of range' error message.

Uninstalling the 'selinux-policy-strict' and 'selinux-policy-strict-sources'
rpms on one of the systems removes the /etc/selinux/strict tree from
that system but does not change the policy version shown by sestatus,
nor the error messages from seinfo and checkpolicy.

Any help will be appreciated.

Brgds
Bob
--
rhp.lpt at gmail.com
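
A diagnostic sketch for the version comparison made in the message above, added here as an example and not part of the original post or of the SELinux tools. The function names and the parameterised paths are assumptions of this example; it compares the number in a `policyvers` file with the highest-numbered `policy.N` file and checks whether a directory holds the `policy.conf` that checkpolicy looks for by default.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are parameters (an
# assumption of this sketch) so it runs on a constructed tree or a live one.

# Print the highest N among <dir>/policy.N files (nothing if none exist).
highest_policy_file_version() {
    best=
    for f in "$1"/policy.*; do
        [ -f "$f" ] || continue
        n=${f##*.}
        case $n in ''|*[!0-9]*) continue ;; esac
        if [ -z "$best" ] || [ "$n" -gt "$best" ]; then best=$n; fi
    done
    if [ -n "$best" ]; then printf '%s\n' "$best"; fi
}

# Compare the number in a policyvers file (the highest policy format the
# running kernel supports) with the newest binary policy file on disk.
# Prints one of: match | kernel-newer | file-newer | unknown
compare_policy_versions() {
    [ -r "$1" ] || { echo unknown; return 0; }
    kernel=$(tr -d ' \n' < "$1")
    file=$(highest_policy_file_version "$2")
    case $kernel in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    [ -n "$file" ] || { echo unknown; return 0; }
    if [ "$kernel" -eq "$file" ]; then echo match
    elif [ "$kernel" -gt "$file" ]; then echo kernel-newer
    else echo file-newer
    fi
}

# checkpolicy without a file argument opens "policy.conf" relative to the
# current directory, so report whether <dir> actually contains one.
policy_conf_status() {
    if [ -r "$1/policy.conf" ]; then echo present; else echo missing; fi
}

# Usage: script POLICYVERS_FILE BINARY_POLICY_DIR SOURCE_DIR
if [ "$#" -eq 3 ]; then
    echo "kernel vs file: $(compare_policy_versions "$1" "$2")"
    echo "policy.conf in $3: $(policy_conf_status "$3")"
fi
```

With the paths quoted in the message, the three arguments would be /selinux/policyvers, /etc/selinux/targeted/policy and /etc/selinux/targeted/src/policy.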