On 04/08/2014 04:21 PM, Stephen Smalley wrote: > On 04/08/2014 04:15 PM, Tai Nguyen (tainguye) wrote: >> I used apol 3.3.6 and when I load my sepolicy.conf, it crashes with >> messages >> >> external/sepolicy/genfs_contexts":9:ERROR 'invalid type trigger' at token >> 'genfscon' on line 11611: >> genfscon selinuxfs / u:object_r:selinuxfs:s0 >> # selinuxfs booleans can be individually labeled. >> >> [1]+ Segmentation fault apol > > Works for me on Fedora with apol 3.3.7, however, I'd recommend using the > latest upstream version (3.3.8, > http://oss.tresys.com/projects/setools/wiki/download) as I believe > Fedora carries a number of patches to 3.3.7. Also, is there a reason > you ran it on the source rather than the binary policy? > > I have historically had some issues with apol myself; I tend to use the > command line tools (e.g. sesearch) instead.
Historically, there definitely have been some weird apol bugs in the tcl/tk. But in this case, it looks more likely a source policy loading bug in SETools, so it would likely also be hit with sesearch. SETools 4 may be dropping support for loading source policies (source policy loading has been a SETools maintenance problem for a long time and it can't load semanage customizations on a regular SELinux system). -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
