On Wed, 2006-03-22 at 11:52 +0000, Martin Ebourne wrote:
Stephen Smalley wrote:
On Mon, 2006-02-20 at 07:44 -0700, gf wrote:
Hi, I am trying to update the httpd policy in selinux to allow access to
port 8443.
I thought that I could add the line portcon tcp 8443 system_u:object_r:http_port_t to the file /etc/selinux/targeted/src/policy/net_contents and recompile.
My first step was to download the sources: selinux-policy-targeted-sources-1.17.30-2.110.rpm and install.
To check whether or not everything was working, I tried the following without altering any files:
[$ /etc/selinux/targeted/src/policy]:make load
mkdir -p /etc/selinux/targeted/policy
/usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
tmp/program_used_flags.te:2:ERROR 'syntax error' at token '/etc/selinux/targeted/src/policy/domains/program' on line 1164:
/etc/selinux/targeted/src/policy/domains/program
#line 1 "tmp/program_used_flags.te"
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
Sounds like a bug in the policy Makefile in the generation of the policy.conf file, as that string ('/etc/selinux/targeted/src/policy/domains/program') shouldn't appear in it. Provide more context please, e.g. the lines around line 1164 of the policy.conf file.
I've just come across this error myself. I've got two updated FC4 machines here both doing the same thing.
Turns out it's a 'cd' in the Makefile that is echoing the new directory and getting caught up in the destination file. The odd thing is that my shell setup has never had cd echoing the destination (it would annoy me - if I've just cd'd, I know where to!), so this must be something from Fedora.
Anyhow, the attached patch fixes it for me. Any chance this can make it upstream?
[Stephen, thanks for the clue that led me to find this!]
Example policy is no longer maintained upstream (obsoleted by the reference policy, which is the basis for policy in FC5). But you could file a bugzilla against the FC4 policy to get it fixed there.
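
Added example, not part of the thread and not the attached patch: a small reproduction of the failure mode described above, where output from `cd` ends up in a generated file, next to a hardened form of the same recipe. It assumes the echo comes from `CDPATH` being set (POSIX `cd` prints the new directory when it resolves the operand through a non-empty `CDPATH` entry); the thread itself does not identify the cause, and the file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed reproduction: a recipe that runs `cd` inside a redirected
# subshell, the way a Makefile might assemble policy.conf from .te files.

# Build a throwaway tree (constructed sample files, not the real policy).
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/domains/program"
    printf 'type httpd_t;\n' > "$root/domains/program/apache.te"
    printf 'type named_t;\n' > "$root/domains/program/named.te"
    printf '%s\n' "$root"
}

# Fragile recipe. $1 = tree root, $2 = absolute path of the output file.
# Assumption: CDPATH is set in the environment the recipe inherits.
build_fragile() {
    ( cd "$1" || exit 1
      CDPATH=$1
      # cd resolves the operand via CDPATH and prints the directory to
      # stdout, which is already redirected into the generated file.
      ( cd domains/program && cat *.te ) > "$2" )
}

# Hardened recipe: ignore CDPATH for this cd and discard anything it prints.
build_hardened() {
    ( cd "$1" || exit 1
      CDPATH=$1
      ( CDPATH= cd domains/program >/dev/null && cat *.te ) > "$2" )
}

# Run both recipes on the same tree and show the generated files.
demo() {
    t=$(make_tree) || return 1
    build_fragile "$t" "$t/fragile.conf"
    build_hardened "$t" "$t/hardened.conf"
    echo "fragile:";  sed 's/^/  /' "$t/fragile.conf"
    echo "hardened:"; sed 's/^/  /' "$t/hardened.conf"
    rm -rf "$t"
}
demo
```

The fragile output starts with a stray directory path line, which is the kind of token checkpolicy rejected in the error quoted earlier in the thread.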