Gentoo Archives: gentoo-hardened

From: luc nac <lucnac@×××××.com>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] SELinux (targeted policy) and invalid context
Date: Mon, 15 Nov 2010 00:46:41
Message-Id: AANLkTinkgK6pH3LuuONS6hYeL92kga=iiGrGuAopCOe_@mail.gmail.com
Thanks to all of you who have been interested in my previous message.
I'm encountering many more problems than expected and I can't find a
forum where to discuss SELinux in Gentoo. I didn't find much
help in this one http://forums.gentoo.org/viewforum-f-18.html . If
this is not the right place to ask for help, please tell me!

Now I'm trying to install the targeted policy but I can't succeed.
Trying to relabel the filesystem I obtain an error:
localhost ~ # rlpkg -a -r
Relabeling filesystem types: ext2 ext3 jfs xfs
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 21
has invalid context user_u:object_r:user_tmp_t
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 32
has invalid context root:object_r:user_tmp_t
Scanning for shared libraries with text relocations...
0 libraries with text relocations, 0 not relabeled.
Scanning for PIE binaries with text relocations...
0 binaries with text relocations detected.

The same error appears when trying to emerge any package.

Commenting out this line:
/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
in /etc/selinux/targeted/contexts/files/homedir_template
and then launching the genhomedircon command, subsequent rlpkg (and
emerge) runs succeed until the next reboot.
I think that this is a bad solution!

In the SELinux FAQ http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=3
(section 3.f. Setfiles error messages) it's written that "If /selinux
is mounted, then most likely there is new policy that has not yet been
loaded; therefore, the contexts have not yet become valid."

I emerged a lot of modules, many more than needed considering that
this is a Gentoo stage 3 system.

localhost ~ # equery list selinux-
[ Searching for package 'selinux-' in all categories among: ]
* installed packages
[I--] [ ] sec-policy/selinux-apache-20070928 (0)
[I--] [ ] sec-policy/selinux-arpwatch-20070928 (0)
[I--] [ ] sec-policy/selinux-base-policy-20070928 (0)
[I--] [ ] sec-policy/selinux-bind-20070928 (0)
[I--] [ ] sec-policy/selinux-dbus-20070928 (0)
[I--] [ ] sec-policy/selinux-desktop-20070928 (0)
[I--] [ ] sec-policy/selinux-dhcp-20070928 (0)
[I--] [ ] sec-policy/selinux-dnsmasq-20070928 (0)
[I--] [ ] sec-policy/selinux-games-20070928 (0)
[I--] [ ] sec-policy/selinux-gnupg-20070928 (0)
[I--] [ ] sec-policy/selinux-gpm-20070928 (0)
[I--] [ ] sec-policy/selinux-logrotate-20070928 (0)
[I--] [ ] sec-policy/selinux-nfs-20070928 (0)
[I--] [ ] sec-policy/selinux-openldap-20070928 (0)
[I--] [ ] sec-policy/selinux-portmap-20070928 (0)
[I--] [ ] sec-policy/selinux-samba-20070928 (0)
[I--] [ ] sec-policy/selinux-sudo-20070928 (0)
[I--] [ ] sec-policy/selinux-tcpd-20070928 (0)
[I--] [ ] sec-policy/selinux-tftpd-20070928 (0)

localhost ~ # semodule -l
apache 1.8.0
arpwatch 1.4.0
bind 1.5.0
dbus 1.7.0
dhcp 1.4.0
dnsmasq 1.4.0
games 1.4.0
gpg 1.4.0
gpm 1.3.0
java 1.6.0
ldap 1.5.0
logrotate 1.6.0
mono 1.3.0
mozilla 1.4.0
mplayer 1.3.0
portmap 1.5.0
rpc 1.6.0
samba 1.6.0
sudo 1.2.0
tftp 1.5.0
wine 1.4.0
xfs 1.2.0
xserver 1.6.0

localhost ~ # cat /etc/selinux/targeted/contexts/files/homedir_template
HOME_DIR/.+ system_u:object_r:ROLE_home_t
HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t
HOME_ROOT/lost\+found/.* <<none>>
HOME_DIR -d system_u:object_r:ROLE_home_dir_t
HOME_ROOT -d system_u:object_r:home_root_t
/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t

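A small checker, added here as an example and not part of the message above or of Gentoo's SELinux tooling: it parses a file_contexts-style file (the format genhomedircon writes to file_contexts.homedirs from homedir_template) and reports, the way setfiles does in the rlpkg output, every line whose type is not defined in the loaded policy. The sample lines and the KNOWN_TYPES set are constructed; on a real system the set would be filled from `seinfo -t` (setools) or each context checked with libselinux's security_check_context(), both assumed available there.

```python
import re

# One file_contexts line: "<path regex> [-<filetype>] <context or <<none>>>".
# The optional file type is one of b c d l p s or "-" (regular file), as setfiles accepts.
LINE_RE = re.compile(r'^(?P<path>\S+)\s+(?:-(?P<ftype>[bcdlps-])\s+)?(?P<ctx>\S+)\s*$')


def parse_file_contexts(text):
    """Yield (lineno, path_regex, filetype, context); unparsable lines yield context None."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            yield (lineno, line, None, None)
            continue
        yield (lineno, m.group('path'), m.group('ftype'), m.group('ctx'))


def find_invalid_contexts(text, known_types):
    """Return [(lineno, context)] for every context whose type is not in known_types.

    <<none>> entries are skipped, as setfiles does; a context with fewer than
    three colon-separated fields is reported as invalid too.
    """
    bad = []
    for lineno, _path, _ftype, ctx in parse_file_contexts(text):
        if ctx is None or ctx == '<<none>>':
            continue
        fields = ctx.split(':')
        if len(fields) < 3 or fields[2] not in known_types:
            bad.append((lineno, ctx))
    return bad


# Constructed sample: roughly what genhomedircon expands the posted homedir_template
# into for a user "luc" (role prefix "user") and for root. user_tmp_t is deliberately
# missing from KNOWN_TYPES to reproduce the "invalid context" error in the message.
SAMPLE = """\
/home/luc/.+ user_u:object_r:user_home_t
/home/luc -d user_u:object_r:user_home_dir_t
/tmp/gconfd-luc -d user_u:object_r:user_tmp_t
/root/.+ root:object_r:user_home_t
/tmp/gconfd-root -d root:object_r:user_tmp_t
/home/lost\\+found/.* <<none>>
"""
KNOWN_TYPES = {"user_home_t", "user_home_dir_t", "home_root_t", "lost_found_t"}

if __name__ == "__main__":
    for lineno, ctx in find_invalid_contexts(SAMPLE, KNOWN_TYPES):
        print(f"line {lineno} has invalid context {ctx}")
```

Running it against the real file_contexts.homedirs after a policy rebuild shows whether the invalid types are still undefined (the policy really lacks them) or only not yet loaded, which is the distinction the FAQ section quoted above draws.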

Replies

Subject Author
Re: [gentoo-hardened] SELinux (targeted policy) and invalid context Chris Richards <gizmo@×××××××××.com>