14-oct-05

Hello:

Problem Summary:

  Two FC3 systems running permissive-targeted with identical error messages.
  targeted source rpm: selinux-policy-targeted-sources-1.17.30-3.16
  'seinfo' run on unmodified policy.conf reports syntax error in policy.
  'sestatus' shows policy version 19 but policy files are policy.18
  'checkpolicy' errors out on failure to open policy.conf

Details:

I have just started to work with SELinux, on my two Fedora Core 3, i686 systems. I am getting identical errors on both systems that I hope can be easily explained:

During initial installation of FC3, I installed the targeted-binary policy and have been running in the default permissive-targeted mode. Recently I downloaded and installed the policy-targeted-source, policy-strict-source, and policy-strict rpm packages via yum so that I could begin to learn more about SELinux policy configuration.

Here are the system identifications:

  65 ellipse:~> uname -a
  Linux ellipse 2.6.12-1.1378_FC3.stk16 #1 Thu Sep 22 13:41:41 EDT 2005 i686 i686 i386 GNU/Linux

  41 torus:~> uname -a
  Linux torus 2.6.13 #1 Mon Sep 5 16:37:24 ICT 2005 i686 i686 i386 GNU/Linux

Here is a listing of the installed selinux packages on both systems:

  selinux-policy-targeted-sources-1.17.30-3.16
  selinux-policy-strict-1.19.10-2
  libselinux-1.19.1-8
  selinux-policy-targeted-1.17.30-3.16
  libselinux-devel-1.19.1-8
  selinux-policy-strict-sources-1.19.10-2
  selinux-doc-1.14.1-1
  setools-1.4.1-5
  setools-gui-1.4.1-5
  checkpolicy-1.17.5-1.2

The following error/status conditions are identical on both systems:

When running a test of seinfo against the default installation on both systems I get this error message:

  'seinfo /etc/selinux/targeted/src/policy/policy.conf'

  error in the statement ending on line 3675 (token 'typeattribute'): syntax error
  error(s) encountered while parsing configuration (first pass, line: 3675)
  error reading policy

A partial listing of policy.conf showing the putative syntax error location:

       3666
       3667 type unconfined_t, domain, privuser, privhome, privrole, privowner, admi
       3667 n, auth_write, fs_domain, privmem;
       3668 role system_r types unconfined_t;
       3669 role user_r types unconfined_t;
       3669 role user_r types unconfined_t;
       3671
       3672 #line 11
       3673
       3674 #line 11
  -->> 3675 typeattribute unconfined_t unrestricted;
       3676 #line 11
       3677

I find it hard to believe that the default, unmodified policy.conf would be released with syntax errors.

Running seinfo against the binary policy returns:

  66 ellipse:~> seinfo /etc/selinux/targeted/policy/policy.18

  Statistics for policy file: /etc/selinux/targeted/policy/policy.18
  Policy Version: v.18
  Policy Type: binary
  Classes: 55           Permissions: 205
  Types: 343            Attributes: 0
  Users: 3              Roles: 4
  Booleans: 30          Cond. Expr.: 32
  Allow: 17620          Neverallow: 0
  Auditallow: 3         Dontaudit: 1204
  Type_trans: 201       Type_change: 0
  Role allow: 5         Role trans: 0
  Initial SIDs: 0

Note the policy version is 18.

Running sestatus, on both systems I get this:

  SELinux status: enabled
  SELinuxfs mount: /selinux
  Current mode: permissive
  Mode from config file: permissive
  Policy version: 19
  Policy from config file:targeted
  ...

Note the Policy Version is listed as 19.

However, checking the policy file extents I see they are policy.18:

  ls /etc/selinux/targeted/policy/
  policy.18

  ls /etc/selinux/strict/policy/
  policy.18

However, checking the contents of the /etc/selinux/targeted/src/policy/VERSION and /etc/selinux/strict/src/policy/VERSION files I get 1.17 & 1.19 respectively.

Additionally, a check of the contents of /selinux/policyvers returns '19'.

Running 'checkpolicy', 'checkpolicy -c 18', & 'checkpolicy -d -c 18' all fail with this error message:

  checkpolicy: loading policy configuration from policy.conf
  checkpolicy: unable to open policy.conf

Running checkpolicy with '-c 19' returns an 'out of range' error message.

Uninstalling the 'selinux-policy-strict' and 'selinux-policy-strict-sources' rpms on one of the systems removes the /etc/selinux/strict tree from that system but does not change the policy version shown by sestatus, nor the error messages from seinfo and checkpolicy.

Any help will be appreciated.

Brgds

Bob

--
rhp.lpt@xxxxxxxxx