Gentoo Archives: gentoo-hardened

From: "François Valenduc" <francois.valenduc@××××××××××.be>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] EXT4 and selinux
Date: Fri, 11 Sep 2009 16:56:11
Message-Id: 4AAA8127.3000003@tvcablenet.be
In Reply to: Re: [gentoo-hardened] EXT4 and selinux by "François Valenduc"
François Valenduc wrote:
> Andrew John Hughes wrote:
>
>> 2009/9/10 François Valenduc <francois.valenduc@××××××××××.be>:
>>
>>> Andrew John Hughes wrote:
>>>
>>>> 2009/9/5 François Valenduc <francois.valenduc@××××××××××.be>:
>>>>
>>>>> Magnus Granberg wrote:
>>>>>
>>>>>> On Saturday 05 September 2009 12.17.00 François Valenduc wrote:
>>>>>>
>>>>>>> Hello everybody,
>>>>>>>
>>>>>>> I have recently switched my SELinux install from ext3 to ext4 and after
>>>>>>> having changed the rlpkg script to also relabel ext4 filesystems, I get
>>>>>>> the following errors:
>>>>>>> /usr/sbin/setfiles set context
>>>>>>> /usr/sbin/setfilecon->system_u:object_r:bin_t failed:'Operation not
>>>>>>> supported'
>>>>>>> However, I have enabled Ext4 Security labels in the kernel configuration.
>>>>>>>
>>>>>>> Does anybody know a solution to this problem?
>>>>>>> Thanks in advance for your help.
>>>>>>>
>>>>>>> François Valenduc
>>>>>>>
>>>>>> You need to update to policycoreutils-2.0.69 to get ext4 support.
>>>>>> See bug #275369 http://bugs.gentoo.org/show_bug.cgi?id=275369
>>>>>> ------
>>>>>> Hardened-Development Overlay
>>>>>> Magnus Granberg (Zorry) <zorry@×××.nu>
>>>>>>
>>>>> I have tried to upgrade policycoreutils to this version but it fails to
>>>>> compile with this error:
>>>>>
>>>>> cc -Wl,-O1 semodule.o -lsepol -lselinux -lsemanage -L/usr/lib -o semodule
>>>>> semodule.o: In function `main':
>>>>> semodule.c:(.text+0x803): undefined reference to `semanage_module_upgrade_file'
>>>>> semodule.c:(.text+0x84a): undefined reference to `semanage_module_install_file'
>>>>> semodule.c:(.text+0x8ae): undefined reference to `semanage_module_install_base_file'
>>>>> collect2: ld a retourné 1 code d'état d'exécution
>>>>> make[1]: *** [semodule] Erreur 1
>>>>> make[1]: quittant le répertoire « /var/tmp/portage/sys-apps/policycoreutils-2.0.69/work/policycoreutils-2.0.69/semodule »
>>>>> make: *** [all] Erreur 1
>>>>> make: quittant le répertoire « /var/tmp/portage/sys-apps/policycoreutils-2.0.69/work/policycoreutils-2.0.69 »
>>>>>
>>>>> I have looked in gentoo bugzilla and I didn't find anything which seems
>>>>> similar to this error.
>>>>>
>>>>> François Valenduc
>>>>>
>>>> Have you checked there aren't corresponding updates to libselinux,
>>>> libsepol and libsemanage? This error suggests one or more of those
>>>> libraries are out of date.
>>>>
>>> Indeed, upgrading libsepol, libsemanage and libselinux allowed
>>> policycoreutils 2.0.69 to be compiled without error. However, it's still
>>> impossible to relabel the filesystem. Now I don't see plenty of lines
>>> indicating "Operation not supported" when I use rlpkg. But the files
>>> remain unlabeled. Is it really possible to use ext4 and selinux?
>>>
>> There must be some way, as Fedora 11 ships with both.
>> How recent is your kernel? ext4 is still in development.
>>
>>> Thanks for your help.
>>>
>>
> I am using the brand new 2.6.31 kernel and I have enabled the following
> options:
> CONFIG_EXT4_FS=m
> CONFIG_EXT4_FS_XATTR=y
> CONFIG_EXT4_FS_POSIX_ACL=y
> CONFIG_EXT4_FS_SECURITY=y
> The problem also occurred with kernels 2.6.30.x.
>
> François Valenduc
>
After having looked in dmesg, I find lines like this one when an ext4
partition is mounted:
SELinux: initialized (dev dm-4, type ext4), not configured for labeling
So, my question is how to configure an ext4 partition for labelling?

François Valenduc
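
The two checks discussed in this thread, as an added example that is not part of the original messages: it lists mounts that SELinux initialized without a labeling method and reports any ext4 xattr/security kernel option that is not built in. The function names and the second sample log line are constructed for illustration; the first log line and the kernel options are the ones quoted above.

```shell
#!/bin/sh
# Added example: triage for "files stay unlabeled on ext4 under SELinux".

# Constructed sample: the first line is the dmesg line quoted in the thread;
# the second is a constructed contrast line for a filesystem that does label.
SAMPLE_DMESG='SELinux: initialized (dev dm-4, type ext4), not configured for labeling
SELinux: initialized (dev sda1, type ext3), uses xattr'

# Kernel options as listed in the thread.
SAMPLE_CONFIG='CONFIG_EXT4_FS=m
CONFIG_EXT4_FS_XATTR=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y'

# Read kernel log text on stdin; print "device fstype" for every mount that
# SELinux initialized without a labeling method.
unlabeled_mounts() {
    sed -n 's/.*SELinux: initialized (dev \([^,]*\), type \([^)]*\)), not configured for labeling.*/\1 \2/p'
}

# Read a kernel .config on stdin; print each option needed for ext4 security
# xattrs that is not built in (=y).
missing_ext4_options() {
    cfg=$(cat)
    for opt in CONFIG_EXT4_FS_XATTR CONFIG_EXT4_FS_SECURITY; do
        printf '%s\n' "$cfg" | grep -q "^${opt}=y\$" || echo "$opt"
    done
}

echo "Mounts without SELinux labeling:"
printf '%s\n' "$SAMPLE_DMESG" | unlabeled_mounts
echo "Missing kernel options:"
printf '%s\n' "$SAMPLE_CONFIG" | missing_ext4_options
```

On a live system, pipe `dmesg` and the running kernel's config into the two functions instead of the samples. When both options are present and a mount is still listed, the gap is on the policy side: the loaded policy has no `fs_use_xattr` (or other `fs_use_*` / `genfscon`) rule for that filesystem type.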