Gentoo Archives: gentoo-commits

From: "Sven Vermeulen (swift)" <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/selinux: hb-using-install.xml hb-using-troubleshoot.xml
Date: Mon, 26 Dec 2011 12:24:16
Message-Id: 20111226122404.7E0132004B@flycatcher.gentoo.org
1 swift 11/12/26 12:24:04
2
3 Modified: hb-using-install.xml hb-using-troubleshoot.xml
4 Log:
5 Updating documents (merge from hardened-docs)
6
7 Revision Changes Path
8 1.11 xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml
9
10 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.11&view=markup
11 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?rev=1.11&content-type=text/plain
12 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml?r1=1.10&r2=1.11
13
14 Index: hb-using-install.xml
15 ===================================================================
16 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v
17 retrieving revision 1.10
18 retrieving revision 1.11
19 diff -u -r1.10 -r1.11
20 --- hb-using-install.xml 10 Dec 2011 15:18:56 -0000 1.10
21 +++ hb-using-install.xml 26 Dec 2011 12:24:04 -0000 1.11
22 @@ -4,11 +4,11 @@
23 <!-- The content of this document is licensed under the CC-BY-SA license -->
24 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
25
26 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.10 2011/12/10 15:18:56 swift Exp $ -->
27 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-install.xml,v 1.11 2011/12/26 12:24:04 swift Exp $ -->
28
29 <sections>
30 -<version>15</version>
31 -<date>2011-12-10</date>
32 +<version>16</version>
33 +<date>2011-12-17</date>
34
35 <section>
36 <title>Installing Gentoo (Hardened)</title>
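Review bot: the `<date>` bump to 2011-12-17 in this hunk does not agree with the commit date or with the updated `$Header` line two lines above it (2011/12/26). If `<date>` is meant to track the last content change of the published handbook, it should read 2011-12-26; if it is deliberately carried over from the hardened-docs tree being merged, the log message should say so.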
37 @@ -473,7 +473,9 @@
38 Next, rebuild those packages affected by the profile change we did previously
39 through a standard world update, taking into account USE-flag changes (as the
40 new profile will change many default USE flags, including enabling the
41 -<c>selinux</c> USE flag).
42 +<c>selinux</c> USE flag). Don't forget to use <c>etc-update</c> or
43 +<c>dispatch-conf</c> afterwards as some changes to configuration files need to
44 +be made.
45 </p>
46
47 <pre caption="Update your Gentoo Linux system">
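Review bot: "some changes to configuration files need to be made" is too vague for the reader to act on; name the file that actually matters. The troubleshooting chapter added in this same commit identifies it: `/etc/pam.d/system-login` has to pick up the `pam_selinux.so` calls, otherwise logins after the reboot do not land in `sysadm_t` and Portage fails. Suggest: `Don't forget to run <c>etc-update</c> or <c>dispatch-conf</c> afterwards; in particular <path>/etc/pam.d/system-login</path> must be updated with the <path>pam_selinux.so</path> entries.`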
48 @@ -606,7 +608,7 @@
49 </body>
50 </subsection>
51 <subsection>
52 -<title>Label the File System</title>
53 +<title>Reboot, and Label the File System</title>
54 <body>
55
56 <impo>
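Review bot: style only; the comma in "Reboot, and Label the File System" is not needed in a title. "Reboot and Label the File System" reads better and matches the other subsection titles in this file.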
57 @@ -617,7 +619,8 @@
58 </impo>
59
60 <p>
61 -First relabel your devices and openrc related files. This will apply the
62 +First reboot your system so that the installed policies are loaded. Now we
63 +need to relabel your devices and openrc related files. This will apply the
64 correct security contexts (labels) onto the necessary files.
65 </p>
66
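Review bot: the new sentence tells the reader to reboot before the relabel but never says which SELinux mode the system is expected to come back up in; since the file system is still unlabelled at that point, state explicitly that this reboot happens with the policy in the mode the earlier steps configured and that the relabel follows it, so nobody switches to enforcing first and ends up with a system that cannot log in. Also, "First reboot your system ... Now we need to relabel your devices" mixes voice; keep the imperative used elsewhere in the file: "Then relabel your devices and openrc related files."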
67 @@ -671,9 +674,10 @@
68 <body>
69
70 <p>
71 -Reboot your system. Log on and, if you have indeed installed Gentoo using the
72 -hardened sources (as we recommended), enable the SSP SELinux boolean, allowing
73 -every domain read access to the <path>/dev/urandom</path> device:
74 +Reboot your system so that the newly applied file contexts are used. Log on
75 +and, if you have indeed installed Gentoo using the hardened sources (as we
76 +recommended), enable the SSP SELinux boolean, allowing every domain read
77 +access to the <path>/dev/urandom</path> device:
78 </p>
79
80 <pre caption="Enabling the global_ssp boolean">
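Review bot: "so that the newly applied file contexts are used" is not quite the reason for this reboot. File contexts written by the relabel are in effect as soon as they are written; what the reboot fixes is the process side: everything started before the relabel (init, the daemons, the current login session) is still running in the domain it was given from the old labels, and only a fresh boot starts them from correctly labelled files. Suggest: "Reboot your system so that all processes are started from the correctly labelled files and end up in their proper domains."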
81
82
83
84 1.2 xml/htdocs/proj/en/hardened/selinux/hb-using-troubleshoot.xml
85
86 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-troubleshoot.xml?rev=1.2&view=markup
87 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-troubleshoot.xml?rev=1.2&content-type=text/plain
88 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-troubleshoot.xml?r1=1.1&r2=1.2
89
90 Index: hb-using-troubleshoot.xml
91 ===================================================================
92 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-troubleshoot.xml,v
93 retrieving revision 1.1
94 retrieving revision 1.2
95 diff -u -r1.1 -r1.2
96 --- hb-using-troubleshoot.xml 23 Oct 2011 13:00:13 -0000 1.1
97 +++ hb-using-troubleshoot.xml 26 Dec 2011 12:24:04 -0000 1.2
98 @@ -4,11 +4,11 @@
99 <!-- The content of this document is licensed under the CC-BY-SA license -->
100 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
101
102 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-troubleshoot.xml,v 1.1 2011/10/23 13:00:13 swift Exp $ -->
103 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux/hb-using-troubleshoot.xml,v 1.2 2011/12/26 12:24:04 swift Exp $ -->
104
105 <sections>
106 -<version>0</version>
107 -<date>2011-02-24</date>
108 +<version>1</version>
109 +<date>2011-12-11</date>
110
111 <section>
112 <title>Unable To Load SELinux Policy</title>
113 @@ -225,4 +225,95 @@
114 </body>
115 </subsection>
116 </section>
117 +
118 +<section>
119 +<title>Unable to Emerge Anything (OSError: [Errno 22] Invalid argument)</title>
120 +<subsection>
121 +<title>Problem Description</title>
122 +<body>
123 +
124 +<p>
125 +When trying to install software with Portage, you get a huge python stacktrace
126 +and finally the error message <e>OSError: [Errno 22] Invalid argument</e>:
127 +</p>
128 +
129 +<pre caption="Stacktrace dump when portage fails to install software">
130 +Traceback (most recent call last):
131 + File "/usr/bin/emerge", line 43, in &lt;module&gt;
132 + retval = emerge_main()
133 + File "/usr/lib64/portage/pym/_emerge/main.py", line 1906, in emerge_main
134 + myopts, myaction, myfiles, spinner)
135 + File "/usr/lib64/portage/pym/_emerge/actions.py", line 437, in action_build
136 + retval = mergetask.merge()
137 +...
138 + File "/usr/lib64/portage/pym/portage/package/ebuild/doebuild.py", line 104, in _doebuild_spawn
139 + return spawn(cmd, settings, **kwargs)
140 + File "/usr/lib64/portage/pym/portage/package/ebuild/doebuild.py", line 1255, in spawn
141 + return spawn_func(mystring, env=mysettings.environ(), **keywords)
142 + File "/usr/lib64/portage/pym/portage/_selinux.py", line 105, in wrapper_func
143 + setexec(con)
144 + File "/usr/lib64/portage/pym/portage/_selinux.py", line 79, in setexec
145 + if selinux.setexeccon(ctx) &lt; 0:
146 +OSError: [Errno 22] Invalid argument
147 +</pre>
148 +
149 +</body>
150 +</subsection>
151 +<subsection>
152 +<title>Wrong Context</title>
153 +<body>
154 +
155 +<p>
156 +The above error comes when you launch portage (through <c>emerge</c>) while you
157 +are not in <c>sysadm_t</c> context. You can verify this with <c>id -Z</c>:
158 +</p>
159 +
160 +<pre caption="Checking current context">
161 +~# <i>id -Z</i>
162 +system_u:system_r:local_login_t
163 +</pre>
164 +
165 +<p>
166 +As long as the context isn't <c>sysadm_t</c>, then Portage will break. This is
167 +because Portage wants to switch its execution context from <c>portage_t</c> to
168 +<c>portage_sandbox_t</c> but fails (it isn't in <c>portage_t</c> to begin with
169 +because the user who launched Portage isn't in <c>sysadm_t</c>).
170 +</p>
171 +
172 +<p>
173 +Please check <uri link="#doc_chap2">Unable to Log On</uri> above first. Also
174 +make sure that you can <c>dispatch-conf</c> or <c>etc-update</c> after
175 +installing SELinux so that <path>/etc/pam.d/system-login</path> is updated with
176 +the right <path>pam_selinux.so</path> calls.
177 +</p>
178 +
179 +</body>
180 +</subsection>
181 +<subsection>
182 +<title>Forcing Installation</title>
183 +<body>
184 +
185 +<p>
186 +If you need to force Portage to continue regardless (for instance, you were in
187 +the middle of a SELinux installation so cannot properly resolve such issues
188 +now), run the <c>emerge</c> command but with <c>FEATURES="-selinux"</c>. This
189 +will effectively disable Portage' SELinux integration, but allows you to
190 +continue installing software.
191 +</p>
192 +
193 +<pre caption="Running emerge without selinux support">
194 +~# <i>FEATURES="-selinux" emerge -u world</i>
195 +</pre>
196 +
197 +<p>
198 +Make sure that you relabel the entire file system after using this approach!
199 +Portage will not label the files installed on the system correctly if you
200 +disable its SELinux support. To relabel the entire file system, use <c>rlpkg -a
201 +-r</c>.
202 +</p>
203 +
204 +</body>
205 +</subsection>
206 +</section>
207 +
208 </sections>
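Review bot: two wording slips in the new section: "Portage' SELinux integration" should be "Portage's", and "make sure that you can <c>dispatch-conf</c> or <c>etc-update</c>" should be "make sure that you run ...". The "Wrong Context" explanation would also land better if it read the sample output for the reader: `system_u:system_r:local_login_t` means the login process never switched the session to a user domain, which is exactly the missing `pam_selinux.so` configuration the text mentions two paragraphs later, so link the two explicitly rather than leaving "Portage wants to switch its execution context from portage_t to portage_sandbox_t but fails" as the only explanation. Finally, the "Forcing Installation" paragraph should say up front, not only after the example, that `FEATURES="-selinux"` leaves every installed file with whatever label the parent directory gives it, which is why the `rlpkg -a -r` relabel afterwards is mandatory and not optional.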