| 1 |
On Wed, Nov 23, 2016 at 03:16:44PM +0000, Robert Sharp wrote: |
| 2 |
> |
| 3 |
> On 23/11/16 14:37, Jason Zaman wrote: |
| 4 |
> > Are you on ~arch or stable? did you just upgrade to the 2.6 userland? |
| 5 |
> > What versions do you have installed of these: |
| 6 |
> > sys-libs/libsepol |
| 7 |
> > sys-libs/libselinux |
| 8 |
> > sys-libs/libsemanage |
| 9 |
> > sys-apps/checkpolicy |
| 10 |
> > sys-apps/policycoreutils |
| 11 |
> > dev-python/sepolgen |
| 12 |
> > app-admin/setools |
| 13 |
> Looks like I am stable - 2.5 for all of the above. |
| 14 |
> > |
| 15 |
> > what does this return? |
| 16 |
> > ls -al/etc/selinux/*/policy/policy.* |
| 17 |
> -rw-r--r--. 1 root root 433338 Apr 6 2016 |
| 18 |
> /etc/selinux/strict/policy/policy.29 |
| 19 |
> -rw-r--r--. 1 root root 445097 Nov 23 11:43 |
| 20 |
> /etc/selinux/strict/policy/policy.30 |
| 21 |
> -rw-r--r--. 1 root root 450378 Apr 6 2016 |
| 22 |
> /etc/selinux/targeted/policy/policy.29 |
| 23 |
> -rw-r--r--. 1 root root 462377 Nov 23 11:43 |
| 24 |
> /etc/selinux/targeted/policy/policy.30 |
| 25 |
> > and in /etc/selinux/semanage.conf, do you have policy-version = set to anything? |
| 26 |
> module-store = direct |
| 27 |
> save-linked=false |
| 28 |
> expand-check=1 |
| 29 |
> bzip-blocksize=0 |
| 30 |
> bzip-small=true |
| 31 |
> |
| 32 |
> so no for the last one! |
| 33 |
> |
| 34 |
> Should I move to ~arch then, and is there a guide for that or is it |
| 35 |
> fairly simple? |
| 36 |
> |
| 37 |
> Thanks, |
| 38 |
> Robert |
| 39 |
|
| 40 |
Okay so the problem is the two different policy versions. Some versions |
| 41 |
ago the kernel added policy version 30. By default the userspace will |
| 42 |
load in the highest version that exists (ie |
| 43 |
/etc/selinux/strict/policy/policy.30). setools4 supports that version |
| 44 |
just fine, the old setools3 only supported up to policy version 29. |
| 45 |
your sesearch line is probably searching the old .29 one or something so |
| 46 |
its weird. |
| 47 |
|
| 48 |
Two ways to proceed: |
| 49 |
1) downgrade to policy.29: |
| 50 |
- Add policy-version = 29 to semanage.conf |
| 51 |
- rm /etc/selinux/*/policy/policy.30 |
| 52 |
- semodule -B |
| 53 |
|
| 54 |
If that is not enough, you can completely rebuild all the policy |
| 55 |
packages with: emerge @selinux-rebuild |
| 56 |
|
| 57 |
2) stick with policy.30 and upgrade the tools so it works properly. |
| 58 |
- Add this to package.keywords: |
| 59 |
sys-libs/libsepol ~amd64 |
| 60 |
sys-libs/libselinux ~amd64 |
| 61 |
sys-libs/libsemanage ~amd64 |
| 62 |
sys-apps/checkpolicy ~amd64 |
| 63 |
sys-apps/policycoreutils ~amd64 |
| 64 |
dev-python/sepolgen ~amd64 |
| 65 |
app-admin/setools ~amd64 |
| 66 |
|
| 67 |
- emerge -avDu @world |
| 68 |
- rm /etc/selinux/*/policy/policy.29 |
| 69 |
- semodule -B |
| 70 |
|
| 71 |
(You can again do emerge @selinux-rebuild if you want) |
| 72 |
|
| 73 |
Either is fine, but im probably just gonna stabilize the 2.6 userspace |
| 74 |
in a couple weeks so that one is likely easier. and setools4 is waaay |
| 75 |
better than 3. The important point is that you dont want to have both |
| 76 |
policy.29 and policy.30 around. Then you get weirdness like if you |
| 77 |
downgrade a kernel or something random it'll load in the old policy |
| 78 |
which probably doesnt work properly, so whichever you pick, make sure |
| 79 |
you nuke the other one. and semodule -B will rebuild the whole policy |
| 80 |
again and load it. |
| 81 |
|
| 82 |
-- Jason |
Archives