Jon Anderson wrote:

> I'm pretty overwhelmed by selinux... It doesn't really make all that
> much sense, but one thing that's been bothering me is what looks like
> a policy version mismatch after a kernel upgrade:
>
> # cat /selinux/policyvers
> 17
>
> Yet,
>
> # make load
> * Loading policy.15
>
|
I'm a complete beginner, but if you look in the policy Makefile, near
the top it asks you whether you want a compatible version. Presumably
this is exactly what you got..? Comment out the line to get a v17 policy

> And selinux does not function at all. (Entering enforcing mode just
> renders the system unusable.) The system worked fine in enforcing mode
> (with a few exceptions: djbdns/daemontools, and a few other minor
> things) with kernel 2.6.3-mm2. With kernels 2.6.5-mm1, 2.6.5-mm6 I get
> totally wonky, unpredictable behavior. (Like, I get asked for a login
> context sometimes, but not all the time.) I also don't get avc denied
> messages anymore, and a make relabel doesn't spit out errors, but a
> dmesg (after a make relabel) contains thousands of:

Interesting. I have 2.6.6-rc1 and am having a whole heap of problems in
the non-enforcing mode... Currently being asked for a login context
permanently... I wonder if an older kernel version might help at all...?

--
gentoo-hardened@g.o mailing list