Gentoo Archives: gentoo-hardened

From: Erik Mackdanz <erikmack@×××××.com>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] selinux-base-policy merge failure
Date: Fri, 28 Feb 2014 03:03:19
Message-Id: CAJHWGGOu3A1GYMBEFnDTbLKPgqgd0jNV6aJP2s+pPUvP0AD=RA@mail.gmail.com
Hello again,

I'm hitting symptoms as described in the "Policy Store is Corrupt" section
of the troubleshooting page (
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=6
)

msi erik # semodule -n -B
libsemanage.semanage_link_sandbox: Could not access sandbox base file
/etc/selinux/strict/modules/tmp/base.pp. (No such file or directory).
semodule: Failed!

As directed, I re-emerge my sec-policy packages:
...
FEATURES="-selinux" emerge -1av $(qlist -IC sec-policy)
...

however selinux-base-policy fails. It gets through the sandbox install but
fails at the merge with:

Error opening /etc/selinux/strict/contexts/files/file_contexts.local: No
such file or directory
libsemanage.sefcontext_compile: sefcontext_compile returned error code 255.
Compiling /etc/selinux/strict/contexts/files/file_contexts.local
libsemanage.semanage_install_active: Could not copy
/etc/selinux/strict/modules/active/file_contexts.homedirs to
/etc/selinux/strict/contexts/files/file_contexts.homedirs. (No such file or
directory)
semodule: failed!

Any ideas? I'm sure this package merged successfully a couple days ago.

My 'emerge --info' is below. The build log isn't preserved (a cruel
portage lie).

Thanks in advance,
Erik


msi erik # emerge --info
'=sec-policy/selinux-base-policy-2.20130424-r4::gentoo'
Portage 2.2.8-r1 (hardened/linux/amd64/selinux, gcc-4.8.2, glibc-2.18-r1,
3.13.4-gentoo x86_64)
=================================================================
System Settings
=================================================================
System uname: Linux-3.13.4-gentoo-x86_64-Intel-R-_Core-TM-_i5_CPU_M_480_@
_2.67GHz-with-gentoo-2.2
KiB Mem: 5896244 total, 4990876 free
KiB Swap: 0 total, 0 free
Timestamp of tree: Wed, 26 Feb 2014 00:45:01 +0000
ld GNU ld (GNU Binutils) 2.24
app-shells/bash: 4.2_p45-r1
dev-java/java-config: 2.2.0
dev-lang/python: 2.7.6, 3.3.4
dev-util/cmake: 2.8.12.2
dev-util/pkgconfig: 0.28
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.12.4
sys-apps/sandbox: 2.6-r1
sys-devel/autoconf: 2.13, 2.69
sys-devel/automake: 1.14.1
sys-devel/binutils: 2.24-r2
sys-devel/gcc: 4.8.2
sys-devel/gcc-config: 1.8
sys-devel/libtool: 2.4.2
sys-devel/make: 4.0-r1
sys-kernel/linux-headers: 3.13 (virtual/os-headers)
sys-libs/glibc: 2.18-r1
Repositories: gentoo
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA google-chrome"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d
/etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild
/etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs candy config-protect-if-modified
distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch
preserve-libs protect-owned sandbox selinux sesandbox sfperms strict
unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv
usersandbox usersync webrsync-gpg xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times
--omit-dir-times --compress --force --whole-file --delete --stats
--human-readable --timeout=180 --exclude=/distfiles --exclude=/local
--exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
USE="amd64 berkdb bindist bzip2 cleartype cli corefonts cracklib crypt cxx
dri gdbm hardened iconv ipv6 justify mmx modules multilib ncurses nls nptl
open_perms openmp pam pcre readline selinux session sse sse2 ssl tcpd
truetype type1 unicode urandom xtpax zlib" ABI_X86="64" ALSA_CARDS="ali5451
als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371
es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio
via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core
socache_shmcb unixd actions alias auth_basic authn_alias authn_anon
authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile
authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs
dav_lock deflate dir disk_cache env expires ext_filter file_cache filter
headers include info log_config logio mem_cache mime mime_magic negotiation
rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon
braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load
memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm
earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip
navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2
timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216
lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console
presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby18"
USERLAND="GNU" VIDEO_CARDS="intel nouveau i965" XTABLES_ADDONS="quota2 psd
pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition
tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL,
PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
PORTAGE_RSYNC_EXTRA_OPTS, SYNC, USE_PYTHON

=================================================================
Package Settings
=================================================================

sec-policy/selinux-base-policy-2.20130424-r4 was built with the following:
USE="(multilib) (selinux) unconfined" ABI_X86="64"

Replies

Subject Author
Re: [gentoo-hardened] selinux-base-policy merge failure Sven Vermeulen <swift@g.o>