| 1 |
Jon Anderson wrote: |
| 2 |
|
| 3 |
> I'm pretty overwhelmed by selinux...It doesn't really make all that |
| 4 |
> much sense, but one thing that's been bothering me is what looks like |
| 5 |
> a policy version mismatch after a kernel upgrade: |
| 6 |
> |
| 7 |
> # cat /selinux/policyvers |
| 8 |
> 17 |
| 9 |
> |
| 10 |
> Yet, |
| 11 |
> |
| 12 |
> # make load |
| 13 |
> * Loading policy.15 |
| 14 |
> |
| 15 |
|
| 16 |
I'm a complete beginner, but if you look in the policy Makefile, near |
| 17 |
the top it asks you whether you want a compatible version. Presumably |
| 18 |
this is exactly what you got..? Comment out the line to get a v17 policy |
| 19 |
|
| 20 |
> And selinux does not function at all. (Entering enforcing mode just |
| 21 |
> renders the system unusable.) The system worked fine in enforcing mode |
| 22 |
> (with a few exceptions: djbdns/daemontools, and a few other minor |
| 23 |
> things) with kernel 2.6.3-mm2. With kernels 2.6.5-mm1, 2.6.5-mm6 I get |
| 24 |
> totally wonky, unpredictable behavior. (Like, I get asked for a login |
| 25 |
> context sometimes, but not all the time.) I also don't get avc denied |
| 26 |
> messages anymore, and a make relabel doesn't spit out errors, but a |
| 27 |
> dmesg (after a make relabel) contains thousands of: |
| 28 |
|
| 29 |
|
| 30 |
Interesting. I have 2.6.6-rc1 and having a whole heap of problems in |
| 31 |
the non enforcing mode... Currently being asked for a login context |
| 32 |
permanently... I wonder if an older kernel version might help at all...? |
| 33 |
|
| 34 |
-- |
| 35 |
gentoo-hardened@g.o mailing list |
Archives