Invalid context with latest SELinux update

Daniel J Walsh dwalsh at redhat.com
Mon Jun 27 11:46:50 UTC 2005


Paul Howarth wrote:

> Daniel J Walsh wrote:
>
>> Paul Howarth wrote:
>>
>>> Daniel J Walsh wrote:
>>>
>>>> Paul Howarth wrote:
>>>>
>>>>> On Mon, 2005-06-20 at 13:52 -0400, Paul Davis wrote:
>>>>>
>>>>>> I have the exact same error, however when I check the System Tools ->
>>>>>> Systems Logs SELinux appears to load without any problems.
>>>>>>
>>>>>> I still can't believe that no-one else has this problem, it appeared
>>>>>> after the last SELinux update.
>>>>>
>>>>> You aren't the only one. IIRC I edited out the offending clause that had
>>>>> the syntax error, did a "make reload" in
>>>>> /etc/sysconfig/selinux/src/targeted/policy (which then worked) and then
>>>>> put back in the offending clause and did another "make reload". It
>>>>> seemed to be happy then.
>>>>>
>>>>> Paul.
>>>>>
>>>> What was the offending clause? I have not been able to reproduce this.
>>>
>>> Erik wrote:
>>>
>>>> Yes, and here is what make told me:
>>>>
>>>> [root at epo policy]# make reload
>>>> mkdir -p /etc/selinux/targeted/policy
>>>> /usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
>>>> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
>>>> domains/unconfined.te:19:ERROR 'syntax error' at token '{' on line 3894:
>>>> typeattribute tty_device_t { tty_device_t devpts_t };
>>>> typealias unconfined_t alias { kernel_t init_t initrc_t logrotate_t
>>>> sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
>>>> /usr/bin/checkpolicy:  error(s) encountered while parsing configuration
>>>> make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
>>>> [root at epo policy]#
>>>
>>> This is the same thing I saw. It was a few days ago, I didn't write 
>>> down exactly what I did to fix it and unfortunately I'm unable to 
>>> reproduce this problem now.
>>>
>>> All I can think of right now is that the policy.conf above appears 
>>> to be built from a combination of the 1.17.30-3.2 and 1.17.30-3.9 
>>> sources.
>>>
>>> The 1.17.30-3.2 version of domains/unconfined.te has:
>>>
>>> define(`admin_tty_type', `{ tty_device_t devpts_t }')
>>>
>>> (this definition can also be found in types/apache.te)
>>>
>>> The 1.17.30-3.9 version of domains/unconfined.te has (at line 19):
>>>
>>> typeattribute tty_device_t admin_tty_type;
>>>
>>> If the "old" macro definition is still around somehow, this results 
>>> in expanded text of:
>>>
>>> typeattribute tty_device_t { tty_device_t devpts_t };
>>>
>>> and there's the syntax error that appears in the error message above.
>>>
>>> I haven't figured out how this happens yet, but someone with a 
>>> still-broken system might be able to provide sufficient data to 
>>> diagnose it.
>>>
>>> Paul.
>>>
>> Yes, but the apache.te file should have been updated at the same time;
>> that is the weird part.
>
>
> I think I've got it. The problem occurs when somebody makes local
> policy changes in the time interval between the updated
> selinux-policy-targeted-sources RPM being packaged and that package
> being installed. The result of this is that policy.conf appears to be
> "up to date" as far as the Makefile is concerned when the updated
> policy sources are installed, so it doesn't get regenerated from the
> updated sources. Hence the effects of the old
> "define(`admin_tty_type', `{ tty_device_t devpts_t }')" are still in
> the policy.conf file and you get the syntax error.
>
> Simple fix for people affected by this:
> # cd /etc/selinux/targeted/src/policy
> # touch domains/misc/local.te
> # make reload
>
> Possible fix for the RPM: remove policy.conf before doing the make in 
> the postinstall script.
>
> Paul.
>
Good idea, I will try that in the next update.
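The timestamp trap Paul describes above, as an added example that is not part of the thread or of the selinux-policy package: a shell script that emulates make's "is the target newer than every prerequisite" check with `[ -nt ]`, replays the sequence (local rebuild, then an update whose files keep an older packaging-time mtime), and then applies both of his fixes. The directory layout mirrors /etc/selinux/targeted/src/policy but lives in a scratch directory, the `cat` concatenation stands in for the Makefile's m4 step, the dates are constructed, and all function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or the package: reproduce the
# stale policy.conf scenario using nothing but file timestamps.
# All paths are under a scratch directory passed as $1 (constructed);
# the real tree is /etc/selinux/targeted/src/policy.
set -eu

# Emulate the Makefile's dependency check: policy.conf counts as up to
# date as long as no .te source is newer than it. Returns 0 when make
# would rebuild, 1 when make would report "up to date".
policy_is_stale() {
    dir="$1"
    [ -f "$dir/policy.conf" ] || return 0
    for src in "$dir"/domains/*.te "$dir"/domains/misc/*.te; do
        if [ "$src" -nt "$dir/policy.conf" ]; then
            return 0
        fi
    done
    return 1
}

# Stand-in for "make policy.conf": concatenate the sources (the real
# Makefile runs them through m4, which is where the define expands).
build_policy_conf() {
    dir="$1"
    cat "$dir"/domains/*.te "$dir"/domains/misc/*.te > "$dir/policy.conf"
}

# Old (1.17.30-3.2) sources: unconfined.te still carries the define.
setup_old_tree() {
    dir="$1"
    mkdir -p "$dir/domains/misc"
    cat > "$dir/domains/unconfined.te" <<'EOF'
define(`admin_tty_type', `{ tty_device_t devpts_t }')
typeattribute tty_device_t admin_tty_type;
EOF
    : > "$dir/domains/misc/local.te"
}

# The admin edits local.te and rebuilds on 22 June 2005 (constructed
# date, set explicitly so the demo does not depend on the clock):
# policy.conf now carries the old define and a 22 June mtime.
local_rebuild() {
    dir="$1"
    echo '# local change' >> "$dir/domains/misc/local.te"
    build_policy_conf "$dir"
    touch -t 200506221200 "$dir/domains/misc/local.te" "$dir/policy.conf"
}

# Install the 1.17.30-3.9 update: the define is gone from unconfined.te,
# but the file keeps its packaging-time mtime (20 June, constructed), so
# the NEW source is older than the locally built policy.conf.
install_update() {
    dir="$1"
    echo 'typeattribute tty_device_t admin_tty_type;' > "$dir/domains/unconfined.te"
    touch -t 200506201000 "$dir/domains/unconfined.te"
}

# Paul's workaround: touch a source so policy.conf is no longer newest.
touch_fix() {
    touch "$1/domains/misc/local.te"
}

# Paul's suggested %post fix: remove the generated file so it must be rebuilt.
rpm_post_fix() {
    rm -f "$1/policy.conf"
}

# Does policy.conf still contain the old macro definition?
has_old_define() {
    grep -q 'define(`admin_tty_type' "$1/policy.conf"
}

demo() {
    dir="${1:-$(mktemp -d)}"
    setup_old_tree "$dir"
    local_rebuild "$dir"
    install_update "$dir"
    if policy_is_stale "$dir"; then
        echo "make would rebuild policy.conf"
    else
        echo "make thinks policy.conf is up to date, yet it still has the old define"
    fi
    touch_fix "$dir"
    policy_is_stale "$dir" && build_policy_conf "$dir"
    has_old_define "$dir" || echo "after touch + rebuild the old define is gone ($dir)"
}

demo "${1:-}"
```

The lesson for anyone packaging generated policy: make compares mtimes, and RPM deliberately preserves the mtimes recorded at packaging time, so a target built locally after that moment can outrank every file the update delivers. Regenerating only when a source is newer is then silently wrong, which is why removing the generated file in the postinstall script is the robust fix.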
