On Wed, Nov 23, 2016 at 03:16:44PM +0000, Robert Sharp wrote:
>
> On 23/11/16 14:37, Jason Zaman wrote:
> > Are you on ~arch or stable? Did you just upgrade to the 2.6 userland?
> > What versions do you have installed of these:
> > sys-libs/libsepol
> > sys-libs/libselinux
> > sys-libs/libsemanage
> > sys-apps/checkpolicy
> > sys-apps/policycoreutils
> > dev-python/sepolgen
> > app-admin/setools
> Looks like I am stable - 2.5 for all of the above.
> >
> > what does this return?
> > ls -al /etc/selinux/*/policy/policy.*
> -rw-r--r--. 1 root root 433338 Apr 6 2016
> /etc/selinux/strict/policy/policy.29
> -rw-r--r--. 1 root root 445097 Nov 23 11:43
> /etc/selinux/strict/policy/policy.30
> -rw-r--r--. 1 root root 450378 Apr 6 2016
> /etc/selinux/targeted/policy/policy.29
> -rw-r--r--. 1 root root 462377 Nov 23 11:43
> /etc/selinux/targeted/policy/policy.30
> > and in /etc/selinux/semanage.conf, do you have policy-version = set to anything?
> module-store = direct
> save-linked=false
> expand-check=1
> bzip-blocksize=0
> bzip-small=true
>
> so no for the last one!
>
> Should I move to ~arch then, and is there a guide for that or is it
> fairly simple?
>
> Thanks,
> Robert

Okay so the problem is the two different policy versions. Some versions
ago the kernel added policy version 30. By default the userspace will
load in the highest version that exists (i.e.
/etc/selinux/strict/policy/policy.30). setools4 supports that version
just fine, the old setools3 only supported up to policy version 29.
Your sesearch line is probably searching the old .29 one or something so
it's weird.

Two ways to proceed:
1) downgrade to policy.29:
- Add policy-version = 29 to semanage.conf
- rm /etc/selinux/*/policy/policy.30
- semodule -B

If that is not enough, you can completely rebuild all the policy
packages with: emerge @selinux-rebuild

2) stick with policy.30 and upgrade the tools so it works properly.
- Add this to package.keywords:
sys-libs/libsepol ~amd64
sys-libs/libselinux ~amd64
sys-libs/libsemanage ~amd64
sys-apps/checkpolicy ~amd64
sys-apps/policycoreutils ~amd64
dev-python/sepolgen ~amd64
app-admin/setools ~amd64

- emerge -avDu @world
- rm /etc/selinux/*/policy/policy.29
- semodule -B

(You can again do emerge @selinux-rebuild if you want)

Either is fine, but I'm probably just gonna stabilize the 2.6 userspace
in a couple weeks so that one is likely easier. And setools4 is waaay
better than 3. The important point is that you don't want to have both
policy.29 and policy.30 around. Then you get weirdness like if you
downgrade a kernel or something random it'll load in the old policy
which probably doesn't work properly, so whichever you pick, make sure
you nuke the other one. And semodule -B will rebuild the whole policy
again and load it.

-- Jason
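
A read-only check for the condition described in the message above, added here as an example and not part of the original thread: it lists the binary policy versions in each store and flags any store that still holds more than one. The function names and the `--audit` switch are hypothetical; `/etc/selinux` and the `policy-version` key are taken from the thread.

```shell
#!/bin/sh
# Added example: find SELinux policy stores with more than one policy.N file.
# Nothing is deleted; removal and `semodule -B` stay a manual step.

# Print the numeric policy versions present in one store, ascending.
store_versions() {
    for f in "$1"/policy/policy.*; do
        [ -f "$f" ] || continue                   # unmatched glob stays literal
        v=${f##*/policy.}
        case $v in ''|*[!0-9]*) continue ;; esac  # skip non-numeric suffixes
        echo "$v"
    done | sort -n
}

# Print the policy-version value set in a semanage.conf, if any.
pinned_version() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*policy-version[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Report every store under the given root; return 1 if any store is mixed.
audit_policy_stores() {
    root=${1:-/etc/selinux}
    rc=0
    pin=$(pinned_version "$root/semanage.conf")
    if [ -n "$pin" ]; then echo "semanage.conf: policy-version = $pin"; fi
    for store in "$root"/*/; do
        store=${store%/}
        vers=$(store_versions "$store" | tr '\n' ' ')
        [ -n "$vers" ] || continue                # no binary policy in this dir
        set -- $vers
        count=$#
        shift $((count - 1))                      # $1 is now the highest version
        if [ "$count" -eq 1 ]; then
            echo "${store##*/}: policy.$1 only"
        else
            echo "${store##*/}: MULTIPLE versions ( $vers), highest is policy.$1"
            rc=1
        fi
    done
    return $rc
}

# Hypothetical switch: run as `sh script.sh --audit [root]`.
if [ "${1:-}" = "--audit" ]; then audit_policy_stores "${2:-/etc/selinux}"; fi
```

A non-zero exit status means at least one store still has both files, so the script can gate a post-upgrade check.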