Bug 160804 - selinux targeted files_contexts throws errors
selinux targeted files_contexts throws errors
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
3
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-06-17 08:56 EDT by G. Roderick Singleton
Modified: 2007-11-30 17:11 EST (History)
5 users (show)

See Also:
Fixed In Version: 1.17.30-3.16
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-09-27 15:41:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description G. Roderick Singleton 2005-06-17 08:56:19 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
Errors on boot are:

invalid context system_u:object_r:crypt_device_t on line number 287
invalid context system_u:object_r:system_dbusd_var_run_t on line number 888

setfiles also produces the same errors:

# setfiles -l -vv -F /etc/selinux/targeted/contexts/files/file_contexts /var/run
setfiles:  read 674 specifications
setfiles:  invalid context system_u:object_r:crypt_device_t on line number 287
setfiles:  invalid context system_u:object_r:system_dbusd_var_run_t on line number 888
#

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.9

How reproducible:
Always

Steps to Reproduce:
1. boot system
2. watch logging

or
run setfiles as shown
  

Actual Results:  Errors reported.

Expected Results:  No errors

Additional info:

This affects issue https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160238
Comment 1 Marco Colombo 2005-06-18 07:15:34 EDT
[root@themule policy]# make reload
mkdir -p /etc/selinux/targeted/policy
/usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
domains/unconfined.te:19:ERROR 'syntax error' at token '{' on line 3894:
typeattribute tty_device_t { tty_device_t devpts_t };
typealias unconfined_t alias { kernel_t init_t initrc_t logrotate_t sendmail_t
sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1

It seems that the last update (1.17.30-3.9) broke a few things.
A (locally installed) program is no longer able to run plugins (.so) from my
home directory. Anyway I suspect something went wrong during the update, due to
the errors the OP reported already. I've seen them happen during the update
(with yum) so selinux RPMs.
Comment 2 Marco Colombo 2005-06-23 09:10:40 EDT
The syntax error in the make reload is due to the fact the old policy.conf is
newer than the source files (I had trivially customized the policy). It seems
some things have changed, and the old policy.conf is not valid now.

Removing the old policy.conf solves the problem. I still get a warning:
unknown boolean use_syslogng
/usr/sbin/load_policy:  Warning!  Error while setting booleans:  Invalid argument

I'll try to track it down.

During the update process I see other errors:
/etc/selinux/targeted/contexts/files/file_contexts:  line 936 has invalid
context system_u:object_r:texrel_shlib_t
(lots of them).

Again, file_contexts is a customized one (a few lines added), I think something
changed in a incompatible way. The new filecontexts has been installed as
.rpmnew, I don't think there's a sensible way to handle this, tho. Both the old
customized one and the new one are not suitable for the system... neither saving
the old one as .rpmsave or creating the new one as .rpmnew is the "right" thing
to do. But shouldn't the restorecon be avoided in the rpm, if the installed
filecontexts in a custom (but old) one?
Comment 3 Gilbert E. Detillieux 2005-06-24 12:06:13 EDT
I'm seeing the same errors on the make, after the latest update to
selinux-policy-targeted-sources-1.17.30-3.9...

# make -C /etc/selinux/targeted/src/policy load
make: Entering directory `/etc/selinux/targeted/src/policy'
mkdir -p /etc/selinux/targeted/policy
/usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
domains/unconfined.te:19:ERROR 'syntax error' at token '{' on line 3894:
typeattribute tty_device_t { tty_device_t devpts_t };
typealias unconfined_t alias { kernel_t init_t initrc_t logrotate_t sendmail_t
sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
make: Leaving directory `/etc/selinux/targeted/src/policy'

I had not changed file_contexts myself, yet I had a file_contexts.pre and a
file_contexts.rpmnew file in /etc/selinux/targeted/contexts/files/.  I tried
copying file_contexts.rpmnew to file_contexts (they were only trivially
different in the order of certain lines), but it made no difference to the
results of the make.

I have not changed anything else in any of the files contained in the
selinux-policy-targeted-sources package, and have only added a (fairly small)
/etc/selinux/targeted/src/policy/domains/misc/local.te file, to allow some
custom cgi-bin scripts to run. I had no trouble building/loading the custom
policy before this latest update.
Comment 4 Daniel Walsh 2005-06-25 07:18:34 EDT
Does the following clean it up?
make -C /etc/selinux/targeted/src/policy clean
make -C /etc/selinux/targeted/src/policy load
Comment 5 G. Roderick Singleton 2005-06-26 08:05:05 EDT
Upon what do you needinfo? Whether make works in building the module or on how
it affects the usefullness of operation with SELinux?

Needmoreinfo.
Comment 6 Gilbert E. Detillieux 2005-06-26 15:59:44 EDT
Running the "make clean" followed by the "make load" did indeed clear the problem.
I did get a warning on the load_policy, but this is more minor...

/usr/sbin/load_policy /etc/selinux/targeted/policy/policy.18
unknown boolean use_syslogng
/usr/sbin/load_policy:  Warning!  Error while setting booleans:  Invalid argument

(The above was from the "make load" output.)  However, a repeated attempt to run
the load_policy command directly didn't produce any error messages. Also,
rerunning the "make clean" and "make load" did not replicate the warning.

So, I guess we're good now!  :)
Comment 7 Marco Colombo 2005-06-27 07:00:25 EDT
I think the real problem is how to make an update when people are using slightly
modified policy and file_contexts. So far, I've already encountered problems
when upgrading both the policy and the policy source. What we need here is a
"best practice" guide on how to customize (for trivial changes) the policy in a
way that is friendly to the rpms.
Maybe we should allow more than one policy to be installed, and switch via a
symlink or a config option (in a way similar to kernels). The rpms will manage
the default one, and leave the currently running one untouched.
Comment 8 G. Roderick Singleton 2005-06-28 14:21:19 EDT
You asked if 
make -C /etc/selinux/targeted/src/policy clean
make -C /etc/selinux/targeted/src/policy load
made a difference. I cannot detect a difference.

What is worse is that previously defined contexts are overwritten and cause
problems with operating programs. This is
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160238
Comment 9 Daniel Walsh 2005-07-03 11:20:52 EDT
Fixed in selinux-policy-targeted-1.17.30-3.16
Comment 10 Walter Justen 2005-08-19 05:44:39 EDT
package update is public
Comment 11 G. Roderick Singleton 2005-08-19 08:02:59 EDT
package selinux-policy-targeted-1.25.3-12 fails as previously reported. Re-opened.
Comment 12 G. Roderick Singleton 2005-08-19 09:11:10 EDT
Here is what has to be added to file_contexts:

--- file_contexts.orig  2005-08-19 09:10:26.000000000 -0400
+++ file_contexts       2005-08-18 18:35:44.000000000 -0400
@@ -374,6 +374,8 @@
 /opt(/.*)?/sbin(/.*)?          system_u:object_r:sbin_t
 /opt(/.*)?/man(/.*)?           system_u:object_r:man_t
 /opt(/.*)?/var/lib(64)?(/.*)?          system_u:object_r:var_lib_t
+# for Openoffice.org
+/opt/.*/lib(.*)?\.so(\.[^/]*)*       --      system_u:object_r:shlib_t
 #
 # /etc
 #
@@ -487,6 +489,8 @@
 /usr/local/.*\.so(\.[^/]*)*    --      system_u:object_r:shlib_t
 /usr/(local/)?lib/wine/.*\.so   --     system_u:object_r:texrel_shlib_t
 /usr/(local/)?lib/libfame-.*\.so.*    --      
system_u:object_r:texrel_shlib_t+# for openoffice 1.1.x
+/usr/local/OpenOffice(.*)?/lib(.*)?\.so(\.[^/]*)*       --
system_u:object_r:shlib_t
Comment 13 Daniel Walsh 2005-08-22 09:11:46 EDT
Ok Now I am confused.  Is this still a bug on FC3?  Comment #11 is for FC4?  #12
is in FC4 file_context files already.
Comment 14 G. Roderick Singleton 2005-08-22 09:21:57 EDT
Of course you are confused, this is generic problem that affects both FC3 and
subsequently FC4. Surely, the security folk talk with one another, don't they?

I cannot test FC3 at the moment as the machine is in a shipping crate waiting to
be unpacked from moving. I recall that I still had to patch every time the
SELinux distro was updated. Likewise for FC4.
Comment 15 Daniel Walsh 2005-09-19 16:34:18 EDT
Latest policy in FC4 has

/opt(/.*)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t

and

/usr/local/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t

Doesn't that fix the problem for FC4?
Comment 16 G. Roderick Singleton 2005-09-19 16:50:10 EDT
yes THe update came through and it took a bit to figure out that there was a new
policy. Thanks.

Note You need to log in before you can comment on or make changes to this bug.