Description of problem:

In /etc/selinux/targeted/src/policy/macros/program/apache_macros.te there is the following block:

ifelse($1, sys, `
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
create_dir_file(httpd_t, httpdcontent)
can_exec(httpd_t, httpdcontent )
', `
can_exec(httpd_$1_script_t, httpdcontent )
domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
')
create_dir_file(httpd_$1_script_t, httpdcontent)
}

Note that the domain_auto_trans near the end is $1_t, not httpd_$1_t. This causes an error when writing new policy that uses the apache_domain() macro.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-1.17.30-2.88

How reproducible:

cd /etc/selinux/targeted/src/policy
cat >> domains/foo.te <<EOF
apache_domain(sys_writable)
EOF
make

Actual results:

/usr/bin/checkpolicy -o policy.18 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
types/x.te:6:ERROR 'unknown type sys_writable_t' at token ';' on line 4301:
#line 6
allow sys_writable_t httpd_sys_writable_script_t:process transition;
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.18] Error 1

Expected results:

It should work :)
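An added example, not part of the original report or of the selinux-policy sources: a simplified pre-check that finds allow rules naming a type that is never declared, which is the condition behind the 'unknown type sys_writable_t' error above. The type declarations in the sample are constructed for illustration; only the rejected allow rule is taken from the report.

```python
import re

# Constructed policy.conf excerpt. The "type" lines are assumptions made for
# this example; the first allow rule is the one checkpolicy rejected above.
SAMPLE_POLICY_CONF = """\
type httpd_t, domain;
type httpdcontent, file_type;
type httpd_sys_writable_script_t, domain;
allow sys_writable_t httpd_sys_writable_script_t:process transition;
allow httpd_sys_writable_script_t httpdcontent:file { read getattr };
"""

# "type foo_t, attr;" and "attribute foo;" both introduce a usable name.
DECL = re.compile(r"^\s*(?:type|attribute)\s+([A-Za-z0-9_]+)")
# "allow SOURCE TARGET:class perms;" where SOURCE/TARGET may be a { set }.
ALLOW = re.compile(r"^\s*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:")


def undeclared_types(policy_text):
    """Return [(line_number, name)] for allow-rule sources and targets that
    are never declared anywhere in policy_text."""
    declared = {"self"}  # "self" is a keyword, not a declared type
    used = []
    for lineno, line in enumerate(policy_text.splitlines(), 1):
        line = line.split("#", 1)[0]  # drop comments and "#line N" markers
        decl = DECL.match(line)
        if decl:
            declared.add(decl.group(1))
            continue
        rule = ALLOW.match(line)
        if rule:
            for field in rule.groups():
                for name in field.strip("{} ").split():
                    used.append((lineno, name.lstrip("-~")))
    # Declarations are collected for the whole text before checking, so a
    # type declared after its first use is not reported.
    return [(lineno, name) for lineno, name in used if name not in declared]


if __name__ == "__main__":
    for lineno, name in undeclared_types(SAMPLE_POLICY_CONF):
        print(f"line {lineno}: unknown type {name}")
```

This only covers allow rules and plain type or attribute declarations; checkpolicy remains the authority on whether a policy compiles.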
This is fixed in U2 policy. 1.17.30-2.110
Oh there's a U2 out? I haven't noticed that. Do I need to subscribe to a different channel? My problem was sorted anyway by changing the apache_macros.te file myself, so as far as I'm concerned this can be closed, but I don't know whether to say CURRENTRELEASE or NEXTRELEASE :). You can close it with the appropriate status if you prefer.