Bug 160804
| Summary: | selinux targeted files_contexts throws errors | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | G. Roderick Singleton <gerry> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3 | CC: | cajun, gedetil, marco, moneta.mace, redhat-bugzilla |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 1.17.30-3.16 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2005-09-27 19:41:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
G. Roderick Singleton
2005-06-17 12:56:19 UTC
```
[root@themule policy]# make reload
mkdir -p /etc/selinux/targeted/policy
/usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/unconfined.te:19:ERROR 'syntax error' at token '{' on line 3894:
typeattribute tty_device_t { tty_device_t devpts_t };
typealias unconfined_t alias { kernel_t init_t initrc_t logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
```

It seems that the last update (1.17.30-3.9) broke a few things. A (locally installed) program is no longer able to run plugins (.so) from my home directory. Anyway, I suspect something went wrong during the update, due to the errors the OP reported already. I've seen them happen during the update (with yum) of selinux RPMs. The syntax error in the make reload is due to the fact that the old policy.conf is newer than the source files (I had trivially customized the policy). It seems some things have changed, and the old policy.conf is not valid now. Removing the old policy.conf solves the problem. I still get a warning:

```
unknown boolean use_syslogng
/usr/sbin/load_policy: Warning! Error while setting booleans: Invalid argument
```

I'll try to track it down. During the update process I see other errors:

```
/etc/selinux/targeted/contexts/files/file_contexts: line 936 has invalid context system_u:object_r:texrel_shlib_t
```

(lots of them). Again, file_contexts is a customized one (a few lines added); I think something changed in an incompatible way. The new file_contexts has been installed as .rpmnew; I don't think there's a sensible way to handle this, tho. Both the old customized one and the new one are not suitable for the system... neither saving the old one as .rpmsave nor creating the new one as .rpmnew is the "right" thing to do.
But shouldn't the restorecon be avoided in the rpm, if the installed file_contexts is a custom (but old) one?

I'm seeing the same errors on the make, after the latest update to selinux-policy-targeted-sources-1.17.30-3.9...

```
# make -C /etc/selinux/targeted/src/policy load
make: Entering directory `/etc/selinux/targeted/src/policy'
mkdir -p /etc/selinux/targeted/policy
/usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/unconfined.te:19:ERROR 'syntax error' at token '{' on line 3894:
typeattribute tty_device_t { tty_device_t devpts_t };
typealias unconfined_t alias { kernel_t init_t initrc_t logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
make: Leaving directory `/etc/selinux/targeted/src/policy'
```

I had not changed file_contexts myself, yet I had a file_contexts.pre and a file_contexts.rpmnew file in /etc/selinux/targeted/contexts/files/. I tried copying file_contexts.rpmnew to file_contexts (they were only trivially different in the order of certain lines), but it made no difference to the results of the make. I have not changed anything else in any of the files contained in the selinux-policy-targeted-sources package, and have only added a (fairly small) /etc/selinux/targeted/src/policy/domains/misc/local.te file, to allow some custom cgi-bin scripts to run. I had no trouble building/loading the custom policy before this latest update.

Does the following clean it up?

```
make -C /etc/selinux/targeted/src/policy clean
make -C /etc/selinux/targeted/src/policy load
```

Upon what do you needinfo? Whether make works in building the module or on how it affects the usefulness of operation with SELinux? Needmoreinfo.

Running the "make clean" followed by the "make load" did indeed clear the problem.
I did get a warning on the load_policy, but this is more minor...

```
/usr/sbin/load_policy /etc/selinux/targeted/policy/policy.18
unknown boolean use_syslogng
/usr/sbin/load_policy: Warning! Error while setting booleans: Invalid argument
```

(The above was from the "make load" output.) However, a repeated attempt to run the load_policy command directly didn't produce any error messages. Also, rerunning the "make clean" and "make load" did not replicate the warning. So, I guess we're good now! :)

I think the real problem is how to make an update when people are using slightly modified policy and file_contexts. So far, I've already encountered problems when upgrading both the policy and the policy source. What we need here is a "best practice" guide on how to customize (for trivial changes) the policy in a way that is friendly to the rpms. Maybe we should allow more than one policy to be installed, and switch via a symlink or a config option (in a way similar to kernels). The rpms will manage the default one, and leave the currently running one untouched.

You asked if

```
make -C /etc/selinux/targeted/src/policy clean
make -C /etc/selinux/targeted/src/policy load
```

made a difference. I cannot detect a difference. What is worse is that previously defined contexts are overwritten and cause problems with operating programs.

This is https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160238

Fixed in selinux-policy-targeted-1.17.30-3.16

package update is public

package selinux-policy-targeted-1.25.3-12 fails as previously reported. Re-opened. Here is what has to be added to file_contexts:

```
--- file_contexts.orig 2005-08-19 09:10:26.000000000 -0400 +++ file_contexts 2005-08-18 18:35:44.000000000 -0400 @@ -374,6 +374,8 @@ /opt(/.*)?/sbin(/.*)? system_u:object_r:sbin_t /opt(/.*)?/man(/.*)? system_u:object_r:man_t /opt(/.*)?/var/lib(64)?(/.*)? system_u:object_r:var_lib_t +# for Openoffice.org +/opt/.*/lib(.*)?\.so(\.[^/]*)* -- system_u:object_r:shlib_t # # /etc #
```
```
@@ -487,6 +489,8 @@ /usr/local/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t /usr/(local/)?lib/wine/.*\.so -- system_u:object_r:texrel_shlib_t /usr/(local/)?lib/libfame-.*\.so.* -- system_u:object_r:texrel_shlib_t+# for openoffice 1.1.x +/usr/local/OpenOffice(.*)?/lib(.*)?\.so(\.[^/]*)* -- system_u:object_r:shlib_t
```

Ok, now I am confused. Is this still a bug on FC3? Comment #11 is for FC4? #12 is in FC4 file_context files already.

Of course you are confused; this is a generic problem that affects both FC3 and subsequently FC4. Surely, the security folk talk with one another, don't they? I cannot test FC3 at the moment as the machine is in a shipping crate waiting to be unpacked from moving. I recall that I still had to patch every time the SELinux distro was updated. Likewise for FC4.

Latest policy in FC4 has

```
/opt(/.*)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/usr/local/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
```

Doesn't that fix the problem for FC4?

Yes. The update came through and it took a bit to figure out that there was a new policy. Thanks.
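Review bot: in the first hunk (@@ -374,6 +374,8 @@), the added `/opt/.*/lib(.*)?\.so(\.[^/]*)*` entry is broader than its "# for Openoffice.org" comment suggests: `(.*)?` is just `.*`, and `lib` is not tied to a directory component, so any regular file under /opt whose path has `lib` somewhere before a `.so` suffix (say `/opt/foo/bin/libexec.so`) gets shlib_t, not only OpenOffice.org's libraries. If the intent is OpenOffice.org's install tree, anchor the pattern to that directory, following the style of the neighbouring `/opt(/.*)?/var/lib(64)?(/.*)?` context line. Also worth confirming that shlib_t is the right type here: the second hunk's context lines use `texrel_shlib_t` for libraries needing text relocations, and a library that needs them but is labelled shlib_t will be denied execmod at load time.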
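Review bot: in the second hunk (@@ -487,6 +489,8 @@), the added `/usr/local/OpenOffice(.*)?/lib(.*)?\.so(\.[^/]*)*` entry is already covered by the context line two lines above it, `/usr/local/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t`, which matches every such path with the same context, so the addition changes no labels; if OpenOffice libraries under /usr/local were mislabelled on FC3, the missing piece is that generic line, not a new entry. Separately, in the text as posted `+# for openoffice 1.1.x` runs straight on from `...texrel_shlib_t` on the libfame context line; make sure the real patch has it on its own line, since the header counts two added lines (6 to 8) and the hunk will not apply otherwise.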
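As an added illustration (not from the bug thread or the policy package) of why the two proposed entries behave the way the discussion above describes, here is a small matchpathcon-style resolver run over a constructed file_contexts excerpt built from the patch's own lines. It applies the rules libselinux uses: each regex is anchored at both ends, an optional file-type field (`--` regular file, `-d` directory) filters matches, and the last matching entry wins; the entry order is an assumption taken from the patch context.

```python
import re

# Constructed excerpt of a file_contexts file: the context lines visible in
# this bug's patch plus the two entries the patch adds (not a full policy).
# Whitespace-separated fields: regex, optional file type, security context.
FILE_CONTEXTS = """\
/opt(/.*)?/sbin(/.*)?   system_u:object_r:sbin_t
/opt(/.*)?/man(/.*)?    system_u:object_r:man_t
/opt(/.*)?/var/lib(64)?(/.*)?   system_u:object_r:var_lib_t
/opt/.*/lib(.*)?\\.so(\\.[^/]*)*   --   system_u:object_r:shlib_t
/usr/local/.*\\.so(\\.[^/]*)*   --   system_u:object_r:shlib_t
/usr/(local/)?lib/wine/.*\\.so   --   system_u:object_r:texrel_shlib_t
/usr/local/OpenOffice(.*)?/lib(.*)?\\.so(\\.[^/]*)*   --   system_u:object_r:shlib_t
"""

def parse_file_contexts(text):
    """Return a list of (compiled_regex, file_type_or_None, context).
    As setfiles/matchpathcon do, each regex is anchored with ^ and $."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, ctx = fields
        else:
            regex, ctx = fields
            ftype = None          # no file-type field: applies to any type
        entries.append((re.compile("^" + regex + "$"), ftype, ctx))
    return entries

ENTRIES = parse_file_contexts(FILE_CONTEXTS)

def matching_entries(path, ftype="--"):
    """Indices of every entry whose regex (and file type, if given) matches."""
    return [i for i, (rx, ft, _) in enumerate(ENTRIES)
            if rx.match(path) and (ft is None or ft == ftype)]

def matchpathcon(path, ftype="--"):
    """Context for path: the LAST matching entry wins, as in libselinux, so
    entry order decides collisions (e.g. wine libs get texrel_shlib_t even
    though the generic /usr/local shlib_t entry also matches)."""
    hits = matching_entries(path, ftype)
    return ENTRIES[hits[-1]][2] if hits else None
```

Running `matching_entries("/usr/local/OpenOffice1.1/program/libsoffice.so")` returns both the generic `/usr/local` entry and the OpenOffice one, which is why the second hunk adds nothing; `matchpathcon("/opt/foo/bin/libexec.so")` shows how far the first hunk's pattern reaches.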