Invalid context with latest SELinux update

Paul Howarth paul at city-fan.org
Fri Jun 24 16:06:30 UTC 2005


Daniel J Walsh wrote:
> Paul Howarth wrote:
> 
>> Daniel J Walsh wrote:
>>
>>> Paul Howarth wrote:
>>>
>>>> On Mon, 2005-06-20 at 13:52 -0400, Paul Davis wrote:
>>>>  
>>>>
>>>>> I have the exact same error, however when I check the System Tools -
>>>>>  
>>>>>
>>>>>> Systems Logs SELinux appears to load without any problems.
>>>>>
>>>>> I still can't believe that no-one else has this problem, it appeared
>>>>> after the last SELinux update.
>>>>>   
>>>>
>>>> You aren't the only one. IIRC I edited out the offending clause that had
>>>> the syntax error, did a "make reload"
>>>> in /etc/sysconfig/selinux/src/targeted/policy (which then worked) and
>>>> then put back in the offending clause and did another "make reload". It
>>>> seemed to be happy then.
>>>>
>>>> Paul.
>>>>  
>>>>
>>> What was the offending clause.  I have  not been able to reproduce this.
>>
>> Erik wrote:
>>
>>> Yes, and here is what make told me:
>>>
>>> [root at epo policy]# make reload
>>> mkdir -p /etc/selinux/targeted/policy
>>> /usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18
>>> policy.conf
>>> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
>>> domains/unconfined.te:19:ERROR 'syntax error' at token '{' on line 3894:
>>> typeattribute tty_device_t { tty_device_t devpts_t };
>>> typealias unconfined_t alias { kernel_t init_t initrc_t logrotate_t
>>> sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
>>> /usr/bin/checkpolicy:  error(s) encountered while parsing configuration
>>> make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
>>> [root at epo policy]#
>>
>> This is the same thing I saw. It was a few days ago, I didn't write 
>> down exactly what I did to fix it and unfortunately I'm unable to 
>> reproduce this problem now.
>>
>> All I can think of right now is that the policy.conf above appears to 
>> be built from a combination of the 1.17.30-3.2 and 1.17.30-3.9 sources.
>>
>> The 1.17.30-3.2 version of domains/unconfined.te has:
>>
>> define(`admin_tty_type', `{ tty_device_t devpts_t }')
>>
>> (this definition can also be found in types/apache.te)
>>
>> The 1.17.30-3.9 version of domains/unconfined.te has (at line 19):
>>
>> typeattribute tty_device_t admin_tty_type;
>>
>> If the "old" macro definition is still around somehow, this results in 
>> expanded text of:
>>
>> typeattribute tty_device_t { tty_device_t devpts_t };
>>
>> and there's the syntax error that appears in the error message above.
>>
>> I haven't figured out how this happens yet, but someone with a 
>> still-broken system might be able to provide sufficient data to 
>> diagnose it.
>>
>> Paul.
>>
> Yes but the apache.te file should have been updated at the same time, 
> that is the weird part.

I think I've got it. The problem occurs when somebody makes local policy 
changes in the time interval between the updated 
selinux-policy-targeted-sources RPM being packaged and that package 
being installed. The result of this is that policy.conf appears to be 
"up to date" as far as the Makefile is concerned when the updated policy 
sources are installed, so it doesn't get regenerated from the updated 
sources. Hence the effects of the old 
"define(`admin_tty_type', `{ tty_device_t devpts_t }')" are still in the 
policy.conf file and you get the syntax error.

Simple fix for people affected by this:
# cd /etc/selinux/targeted/src/policy
# touch domains/misc/local.te
# make reload

Possible fix for the RPM: remove policy.conf before doing the make in 
the postinstall script.

Paul.
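The timestamp race described above can be reproduced without SELinux at all, since it is purely make's freshness rule (rebuild a target only if it is missing or older than a prerequisite) meeting rpm's habit of restoring packaging-time mtimes on installed files. The following is an added example, not part of the thread and not the selinux-policy Makefile: it builds a stand-in policy.conf by concatenating every *.te file under a throwaway source tree, walks through "old package installed, local edit after the new package was built, new package installed", and shows that the stale policy.conf is kept until domains/misc/local.te is touched. The file names follow the thread; the timestamps, file contents and the concatenation rule are constructed for the demonstration.

```python
"""Reproduce the make/rpm timestamp race from the thread with a temp tree.

Constructed example: a tiny "policy.conf" is rebuilt from all *.te files
under src/ using the same freshness rule make applies to any target.
"""
import os
import tempfile
from pathlib import Path

# Constructed timeline (seconds since the epoch); only the ordering matters.
OLD_PKG_TIME = 1_000_000            # mtimes recorded in the 1.17.30-3.2 package
NEW_PKG_TIME = OLD_PKG_TIME + 86400  # mtimes recorded in the 1.17.30-3.9 package
LOCAL_EDIT_TIME = NEW_PKG_TIME + 3600   # admin edits local.te after 3.9 was packaged
INSTALL_TIME = NEW_PKG_TIME + 7200      # ... and installs 3.9 an hour after that

NEW_UNCONFINED_LINE = "typeattribute tty_device_t admin_tty_type;\n"
OLD_DEFINE = "define(`admin_tty_type', `{ tty_device_t devpts_t }')\n"


def sources(src: Path) -> list:
    """Every policy source below src/, in a stable order."""
    return sorted(src.rglob("*.te"))


def is_up_to_date(target: Path, prereqs) -> bool:
    """make's rule: a target is rebuilt only if missing or older than a prerequisite."""
    if not target.exists():
        return False
    target_mtime = target.stat().st_mtime
    return all(target_mtime >= p.stat().st_mtime for p in prereqs)


def make_policy_conf(src: Path, now: float) -> bool:
    """Stand-in for `make policy.conf`; returns True only if it actually rebuilt."""
    target = src / "policy.conf"
    if is_up_to_date(target, sources(src)):
        return False
    target.write_text("".join(p.read_text() for p in sources(src)))
    os.utime(target, (now, now))
    return True


def write(path: Path, text: str, mtime: float) -> None:
    """Create a file and pin its mtime, as rpm does when it unpacks a package."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    os.utime(path, (mtime, mtime))


def simulate(apply_touch: bool) -> dict:
    """Old package -> local edit -> upgrade; optionally apply the touch fix first."""
    src = Path(tempfile.mkdtemp()) / "src" / "policy"
    local_te = src / "domains" / "misc" / "local.te"

    # 1. 1.17.30-3.2 installed: apache.te still carries the m4 define.
    write(src / "types" / "apache.te", OLD_DEFINE, OLD_PKG_TIME)
    write(src / "domains" / "unconfined.te", "# old unconfined.te\n", OLD_PKG_TIME)
    write(local_te, "", OLD_PKG_TIME)
    make_policy_conf(src, OLD_PKG_TIME)

    # 2. Admin adds a local rule and runs make reload AFTER 3.9 was packaged,
    #    so policy.conf is now newer than every file inside the 3.9 package.
    write(local_te, "allow local_t self:process signal;\n", LOCAL_EDIT_TIME)
    make_policy_conf(src, LOCAL_EDIT_TIME)

    # 3. 3.9 installed: contents change, but mtimes are the packaging time.
    write(src / "types" / "apache.te", "# admin_tty_type define removed in 3.9\n", NEW_PKG_TIME)
    write(src / "domains" / "unconfined.te", NEW_UNCONFINED_LINE, NEW_PKG_TIME)

    if apply_touch:  # Paul's fix: make one prerequisite newer than the target
        os.utime(local_te, (INSTALL_TIME, INSTALL_TIME))

    rebuilt = make_policy_conf(src, INSTALL_TIME)
    conf = (src / "policy.conf").read_text()
    return {
        "rebuilt": rebuilt,
        "stale_define_present": OLD_DEFINE in conf,
        "new_line_present": NEW_UNCONFINED_LINE in conf,
    }


if __name__ == "__main__":
    print("without touch:", simulate(apply_touch=False))
    print("with touch:   ", simulate(apply_touch=True))
```

Without the touch, make reports nothing to do even though both source files changed underneath it, and the generated file still carries the 3.2-era define; touching any prerequisite forces the rebuild. The same reasoning supports the RPM-side suggestion above: deleting policy.conf in the post-install script makes the target missing, which is the one condition no timestamp ordering can mask.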