18-oct-05

Hello Stephen:

Thanks for the information, it certainly explained my problem.

I've upgraded setools and the other elements in the selinux tree as far as I can go on my FC3 system w/o installing glibc-2.3.90.14 (e.g. the latest version of setools requires 'lib.so.6(GLIBC_2.4)', which it seems first appears in that version of glibc).

I've currently got these installed:

checkpolicy-1.23.1-1
libselinux-1.23.10-2
libselinux-devel-1.23.10-2
libsepol-1.5.10-1.1
policycoreutils-1.23.10-2
selinux-doc-1.14.1-1
selinux-policy-targeted-sources-1.17.30-3.16
selinux-policy-targeted-1.17.30-3.16
setools-2.1.1-2
setools-gui-2.1.1-2

I'll deal with the glibc issue when I can upgrade to FC4 or FC5. However, it will be a while as I am not in the States and only have a 38.8k dialup line here.

'seinfo' is working, so I hope the remainder of the tools are also and that I can proceed with my perusal of SELinux.

BTW: 'rpmfind.net' lists glibc-2.3.90.14 as being part of the FC5 tree, is that the tree you are presently working with for development?

Again, many thanks for your help.

Brgds
Bob

On 10/15/05, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Fri, 2005-10-14 at 13:35 +0700, rhp wrote:
> > Problem Summary:
> >
> > Two FC3 systems running permissive-targeted with identical error messages.
> >
> > targeted source rpm: selinux-policy-targeted-sources-1.17.30-3.16
> >
> > 'seinfo' run on unmodified policy.conf reports syntax error in policy.
>
> You understand that SELinux userspace doesn't get updated in older
> Fedora releases except in response to bug reports, right? So you have
> an old version of setools that doesn't know about changes in the policy
> language that have occurred since FC3 was shipped, and you have a policy
> update that uses some of those new language features.
>
> > 'sestatus' shows policy version 19 but policy files are policy.18
>
> Two different pieces of information:
> - the first is the maximum binary policy format version supported by the
> kernel you are running (FC3 shipped with a kernel that only supported
> version 18, but you are running an update kernel that understands a
> later version as well - but is fully compatible with the older version),
> - the second is the binary policy format version generated by your
> checkpolicy, which likely hasn't been updated since FC3 was shipped.
>
> > 'checkpolicy' errors out on failure to open policy.conf
>
> If you don't specify a path to a policy.conf file, it looks for it in
> the current directory, so it will naturally fail if you aren't in the
> policy source directory at that point.
>
> > Here is a listing of the installed selinux packages on both systems:
> >
> > selinux-policy-targeted-sources-1.17.30-3.16
> > selinux-policy-strict-1.19.10-2
> > libselinux-1.19.1-8
> > selinux-policy-targeted-1.17.30-3.16
> > libselinux-devel-1.19.1-8
> > selinux-policy-strict-sources-1.19.10-2
> > selinux-doc-1.14.1-1
> > setools-1.4.1-5
> > setools-gui-1.4.1-5
> > checkpolicy-1.17.5-1.2
>
> Yes, the userspace tools above are quite old.
>
> > When running a test of seinfo against the default installation on both systems
> > I get this error message:
> >
> > 'seinfo /etc/selinux/targeted/src/policy/policy.conf'
> >
> > error in the statement ending on line 3675 (token 'typeattribute'):
> > syntax errorerror(s) encountered while parsing configuration (first
> > pass, line: 3675)
> > error reading policy
>
> New language statement introduced after FC3 shipped, so the FC3 tools
> don't understand it. I'd hazard a guess that the update policy was
> built using the latest toolchain rather than the actual ones on FC3.
>
> > Note the Policy Version is listed as 19.
>
> That's the highest version supported by your kernel. It retains
> backward compatibility with older versions though.
>
> > However, checking the policy file extents I see they are policy.18:
> >
> > ls /etc/selinux/targeted/policy/
> > policy.18
> > ls /etc/selinux/strict/policy/
> > policy.18
>
> That's the version generated by your checkpolicy.
>
> > However, checking the contents of the /etc/selinux/targeted/src/policy/VERSION
> > and /etc/selinux/strict/src/policy/VERSION files
> > I get 1.17 & 1.19 respectively.
>
> That's the release version of the upstream policy tarball from which the
> policy package was built, not related to the binary policy format
> version.
>
> > Additionally, a check of the contents of /selinux/policyvers returns '19'.
>
> Kernel version.
>
> > Running 'checkpolicy', 'checkpolicy -c 18', & 'checkpolicy -d -c 18' all
> > fail with this error message:
> >
> > checkpolicy: loading policy configuration from policy.conf
> > checkpolicy: unable to open policy.conf
>
> No policy.conf in your working directory? Specify a path to it
> otherwise.
>
> > running checkpolicy with '-c 19' returns an 'out of range' error message
>
> Because you have an old checkpolicy that doesn't support that version.
>
> Note: I'm just explaining - I don't maintain the SELinux packages for
> Fedora in any way, just the upstream SELinux.
>
> --
> Stephen Smalley
> National Security Agency
>
>

--
rhp.lpt@xxxxxxxxx

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
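
The three numbers the thread tells apart (kernel maximum from /selinux/policyvers, binary format from the policy.N suffix, upstream release from the VERSION file), read and compared in one script. This is an added example, not code from either poster or from the SELinux project; the ROOT prefix argument, the function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. ROOT is a hypothetical prefix so the FC3-era paths quoted
# in the thread can be read from a constructed tree instead of a live system.
kernel_policy_max() {       # highest binary policy format the kernel accepts
    cat "$1/selinux/policyvers" 2>/dev/null || true
}
binary_policy_version() {   # highest N among the installed policy.N files
    best=""
    for f in "$1/etc/selinux/$2/policy/policy."*; do
        [ -f "$f" ] || continue
        n=${f##*.}
        case $n in ''|*[!0-9]*) continue ;; esac
        if [ -z "$best" ] || [ "$n" -gt "$best" ]; then best=$n; fi
    done
    echo "$best"
}
policy_release() {          # upstream tarball release, unrelated to the format
    cat "$1/etc/selinux/$2/src/policy/VERSION" 2>/dev/null || true
}

# check_policy ROOT TYPE: 0 = kernel can load it, 1 = too new, 2 = unknown
check_policy() {
    kmax=$(kernel_policy_max "$1")
    bin=$(binary_policy_version "$1" "$2")
    rel=$(policy_release "$1" "$2")
    if [ -z "$kmax" ] || [ -z "$bin" ]; then
        echo "$2: unknown kernel-max=${kmax:-?} binary=${bin:-?}"; return 2
    fi
    if [ "$bin" -le "$kmax" ]; then verdict=loadable; rc=0
    else verdict=too-new; rc=1; fi
    echo "$2: $verdict binary=$bin kernel-max=$kmax release=${rel:-?}"
    return $rc
}

make_sample_tree() {        # constructed data mirroring the values reported above
    root=$(mktemp -d)
    mkdir -p "$root/selinux"
    echo 19 > "$root/selinux/policyvers"
    for t in targeted:1.17 strict:1.19; do
        d="$root/etc/selinux/${t%%:*}"
        mkdir -p "$d/policy" "$d/src/policy"
        : > "$d/policy/policy.18"
        echo "${t##*:}" > "$d/src/policy/VERSION"
    done
    echo "$root"
}

SAMPLE=$(make_sample_tree)
trap 'rm -rf "$SAMPLE"' EXIT
check_policy "$SAMPLE" targeted
check_policy "$SAMPLE" strict
```

Called with an empty ROOT, check_policy reads the real paths named in the thread.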