Gentoo Archives: gentoo-hardened

From: "François Valenduc" <francois.valenduc@××××××××××.be>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] EXT4 and selinux
Date: Fri, 11 Sep 2009 16:56:11
Message-Id: 4AAA8127.3000003@tvcablenet.be
In Reply to: Re: [gentoo-hardened] EXT4 and selinux by "François Valenduc"
François Valenduc wrote:
> Andrew John Hughes wrote:
>
>> 2009/9/10 François Valenduc <francois.valenduc@××××××××××.be>:
>>
>>> Andrew John Hughes wrote:
>>>
>>>> 2009/9/5 François Valenduc <francois.valenduc@××××××××××.be>:
>>>>
>>>>> Magnus Granberg wrote:
>>>>>
>>>>>> On Saturday 05 September 2009 12.17.00 François Valenduc wrote:
>>>>>>
>>>>>>> Hello everybody,
>>>>>>>
>>>>>>> I have recently switched my SELinux install from ext3 to ext4 and after
>>>>>>> having changed the rlpkg script to also relabel ext4 filesystems, I get
>>>>>>> the following errors:
>>>>>>> /usr/sbin/setfiles set context
>>>>>>> /usr/sbin/setfilecon->system_u:object_r:bin_t failed:'Operation not
>>>>>>> supported'
>>>>>>> However, I have enabled Ext4 Security labels in the kernel configuration.
>>>>>>>
>>>>>>> Does anybody know a solution to this problem?
>>>>>>> Thanks in advance for your help.
>>>>>>>
>>>>>>> François Valenduc
>>>>>>>
>>>>>> You need to update to policycoreutils-2.0.69 to get ext4 support.
>>>>>> See bug #275369 http://bugs.gentoo.org/show_bug.cgi?id=275369
>>>>>> ------
>>>>>> Hardened-Development Overlay
>>>>>> Magnus Granberg (Zorry) <zorry@×××.nu>
>>>>>>
>>>>> I have tried to upgrade policycoreutils to this version but it fails to
>>>>> compile with this error:
>>>>>
>>>>> cc -Wl,-O1 semodule.o -lsepol -lselinux -lsemanage -L/usr/lib -o
>>>>> semodule
>>>>> semodule.o: In function `main':
>>>>> semodule.c:(.text+0x803): undefined reference to
>>>>> `semanage_module_upgrade_file'
>>>>> semodule.c:(.text+0x84a): undefined reference to
>>>>> `semanage_module_install_file'
>>>>> semodule.c:(.text+0x8ae): undefined reference to
>>>>> `semanage_module_install_base_file'
>>>>> collect2: ld a retourné 1 code d'état d'exécution
>>>>> make[1]: *** [semodule] Erreur 1
>>>>> make[1]: quittant le répertoire «
>>>>> /var/tmp/portage/sys-apps/policycoreutils-2.0.69/work/policycoreutils-2.0.69/semodule
>>>>> »
>>>>> make: *** [all] Erreur 1
>>>>> make: quittant le répertoire «
>>>>> /var/tmp/portage/sys-apps/policycoreutils-2.0.69/work/policycoreutils-2.0.69
>>>>> »
>>>>>
>>>>> I have looked in gentoo bugzilla and I didn't find anything which seems
>>>>> similar to this error.
>>>>>
>>>>> François Valenduc
>>>>>
>>>> Have you checked there aren't corresponding updates to libselinux,
>>>> libsepol and libsemanage? This error suggests one or more of those
>>>> libraries are out of date.
>>>>
>>> Indeed, upgrading libsepol, libsemanage and libselinux allowed
>>> policycoreutils 2.0.69 to be compiled without error. However, it's still
>>> impossible to relabel the filesystem. Now I don't see plenty of lines
>>> indicating "Operation not supported" when I use rlpkg. But the files
>>> remain unlabeled. Is it really possible to use ext4 and selinux?
>>>
>> There must be some way, as Fedora 11 ships with both.
>> How recent is your kernel? ext4 is still in development.
>>
>>> Thanks for your help.
>>>
>>
> I am using the brand new 2.6.31 kernel and I have enabled the following
> options:
> CONFIG_EXT4_FS=m
> CONFIG_EXT4_FS_XATTR=y
> CONFIG_EXT4_FS_POSIX_ACL=y
> CONFIG_EXT4_FS_SECURITY=y
> The problem also occurred with kernels 2.6.30.x.
>
> François Valenduc
>
After having looked in dmesg, I find lines like this one when an ext4 partition is mounted:

SELinux: initialized (dev dm-4, type ext4), not configured for labeling

So, my question is how to configure an ext4 partition for labelling?

François Valenduc
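
The two checks made in this thread (the ext4 kernel options and the SELinux mount-time message), as an added triage example that is not part of the original messages. The function names, the `dm-1` and `tmpfs` log lines and the second config are constructed for illustration; only the `dm-4` line and the first config come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage for the symptoms reported above.

# Print "<device> <fstype>" for each filesystem SELinux logged as
# "not configured for labeling". Reads kernel log text on stdin,
# e.g.  dmesg | unlabeled_filesystems
unlabeled_filesystems() {
    sed -n 's/.*SELinux: initialized (dev \([^,]*\), type \([^)]*\)), not configured for labeling.*/\1 \2/p'
}

# Print each ext4 labeling-related option named in the thread that is not
# "=y" in the kernel config text read on stdin. No output means all are set.
missing_ext4_label_options() {
    cfg=$(cat)
    for opt in CONFIG_EXT4_FS_XATTR CONFIG_EXT4_FS_SECURITY; do
        printf '%s\n' "$cfg" | grep -q "^${opt}=y\$" || printf '%s\n' "$opt"
    done
}

# Constructed sample kernel log; only the dm-4 line is quoted from the thread.
SAMPLE_DMESG='SELinux: initialized (dev dm-1, type ext3), uses xattr
SELinux: initialized (dev dm-4, type ext4), not configured for labeling
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs'

# Kernel options exactly as listed in the thread.
THREAD_CONFIG='CONFIG_EXT4_FS=m
CONFIG_EXT4_FS_XATTR=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y'

# Constructed counter-example: security labels left out of the kernel build.
BROKEN_CONFIG='CONFIG_EXT4_FS=m
CONFIG_EXT4_FS_XATTR=y
# CONFIG_EXT4_FS_SECURITY is not set'

# With the thread's options all set, the message still appears for dm-4,
# so the kernel build is not the missing piece in the reported case.
printf 'unlabeled: %s\n' \
    "$(printf '%s\n' "$SAMPLE_DMESG" | unlabeled_filesystems)"
printf 'thread config missing: [%s]\n' \
    "$(printf '%s\n' "$THREAD_CONFIG" | missing_ext4_label_options)"
printf 'constructed config missing: [%s]\n' \
    "$(printf '%s\n' "$BROKEN_CONFIG" | missing_ext4_label_options)"
```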