On 11/14/2010 06:44 PM, luc nac wrote:
> Thanks to all of you who have been interested in my previous message.
> I'm encountering many more problems than expected and I can't find a
> forum where to discuss SELinux in Gentoo. I didn't find much
> help in this one http://forums.gentoo.org/viewforum-f-18.html . If
> this is not the right place to ask for help, please tell me!
>
> Now I'm trying to install the targeted policy but I can't succeed.
> Trying to relabel the filesystem, I obtain an error:
> localhost ~ # rlpkg -a -r
> Relabeling filesystem types: ext2 ext3 jfs xfs
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 21
> has invalid context user_u:object_r:user_tmp_t
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 32
> has invalid context root:object_r:user_tmp_t
> Scanning for shared libraries with text relocations...
> 0 libraries with text relocations, 0 not relabeled.
> Scanning for PIE binaries with text relocations...
> 0 binaries with text relocations detected.
>
> The same error appears when trying to emerge any package.
>
> Commenting out this line:
> /tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
> in /etc/selinux/targeted/contexts/files/homedir_template
> and then launching the genhomedircon command, subsequent rlpkg (and
> emerge) runs succeed until the next reboot.
> I think that this is a bad solution!
>
> In the SELinux FAQ http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=3
> (section 3.f. Setfiles error messages) it's written that "If /selinux
> is mounted, then most likely there is new policy that has not yet been
> loaded; therefore, the contexts have not yet become valid."
>
> I emerged a lot of modules, many more than needed considering that
> this is a Gentoo stage 3 system.
>
> localhost ~ # equery list selinux-
> [ Searching for package 'selinux-' in all categories among: ]
> * installed packages
> [I--] [ ] sec-policy/selinux-apache-20070928 (0)
> [I--] [ ] sec-policy/selinux-arpwatch-20070928 (0)
> [I--] [ ] sec-policy/selinux-base-policy-20070928 (0)
> [I--] [ ] sec-policy/selinux-bind-20070928 (0)
> [I--] [ ] sec-policy/selinux-dbus-20070928 (0)
> [I--] [ ] sec-policy/selinux-desktop-20070928 (0)
> [I--] [ ] sec-policy/selinux-dhcp-20070928 (0)
> [I--] [ ] sec-policy/selinux-dnsmasq-20070928 (0)
> [I--] [ ] sec-policy/selinux-games-20070928 (0)
> [I--] [ ] sec-policy/selinux-gnupg-20070928 (0)
> [I--] [ ] sec-policy/selinux-gpm-20070928 (0)
> [I--] [ ] sec-policy/selinux-logrotate-20070928 (0)
> [I--] [ ] sec-policy/selinux-nfs-20070928 (0)
> [I--] [ ] sec-policy/selinux-openldap-20070928 (0)
> [I--] [ ] sec-policy/selinux-portmap-20070928 (0)
> [I--] [ ] sec-policy/selinux-samba-20070928 (0)
> [I--] [ ] sec-policy/selinux-sudo-20070928 (0)
> [I--] [ ] sec-policy/selinux-tcpd-20070928 (0)
> [I--] [ ] sec-policy/selinux-tftpd-20070928 (0)
>
> localhost ~ # semodule -l
> apache 1.8.0
> arpwatch 1.4.0
> bind 1.5.0
> dbus 1.7.0
> dhcp 1.4.0
> dnsmasq 1.4.0
> games 1.4.0
> gpg 1.4.0
> gpm 1.3.0
> java 1.6.0
> ldap 1.5.0
> logrotate 1.6.0
> mono 1.3.0
> mozilla 1.4.0
> mplayer 1.3.0
> portmap 1.5.0
> rpc 1.6.0
> samba 1.6.0
> sudo 1.2.0
> tftp 1.5.0
> wine 1.4.0
> xfs 1.2.0
> xserver 1.6.0
>
> localhost ~ # cat /etc/selinux/targeted/contexts/files/homedir_template
> HOME_DIR/.+ system_u:object_r:ROLE_home_t
> HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t
> HOME_ROOT/lost\+found/.* <<none>>
> HOME_DIR -d system_u:object_r:ROLE_home_dir_t
> HOME_ROOT -d system_u:object_r:home_root_t
> /tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
> HOME_ROOT/\.journal <<none>>
> HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t

OK, first and foremost, I haven't tested targeted policy (I'm still
sorting out strict policy).
Second, the handbook states that you should use v2refpolicy. You are
running the 20070928 policy, which is v1 policy and is very, very old.
I'm guessing you are working with an old system that hasn't been
converted to v2refpolicy.
Third, even with v2refpolicy, the current version in the tree is now
almost a year old and has issues (which is part of what I'm working to
sort out). TBH, I'm not entirely certain it will boot in enforcing
mode, although targeted policy will stand a better chance of working
than strict policy.

I'm working as fast as I can. Unfortunately, my spare time is pretty,
well, 'spare' and has been for some time. If you want to make your own
ebuild, you can find where to pull the latest release policy from
http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease, or get
the current development policy from the git repository at
http://oss.tresys.com/git/refpolicy.git.

Later,
Gizmo
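The setfiles complaint in the thread ("has invalid context ... user_tmp_t") means a file_contexts entry names a type that the policy currently loaded in the kernel does not define: genhomedircon expanded the template's ROLE_tmp_t to user_tmp_t, but no loaded module declares that type. Added example, not part of either poster's mail: a small sh/awk check that lists every entry in a file_contexts spec whose type is absent from a given list of policy types, so you can see what needs fixing (missing module, stale template line) before a relabel fails halfway. The spec and type list below are constructed to mirror the thread's symptom; on a real box you would feed it the real spec and a type list generated with `seinfo -t` from setools, or skip the script and run `setfiles -c <binary policy> <spec file>`, which performs this validation natively.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Usage on a live system (setools installed):
#   seinfo -t > /tmp/policy_types
#   check_file_contexts /etc/selinux/targeted/contexts/files/file_contexts.homedirs /tmp/policy_types

# Print one line per file_contexts entry whose type (third field of the
# security context) is not listed in the type file. Returns 1 if any such
# entry exists, 0 if every context is valid. Blank lines, comments and
# "<<none>>" (do-not-relabel) entries are skipped; MLS ranges (a fourth
# field) do not disturb the type check.
check_file_contexts() {
    spec="$1"
    types="$2"
    awk -v types_file="$types" '
        BEGIN {
            while ((getline t < types_file) > 0) {
                sub(/^[ \t]+/, "", t); sub(/[ \t]+$/, "", t)
                if (t != "") known[t] = 1
            }
            close(types_file)
            bad = 0
        }
        /^[ \t]*(#|$)/ { next }
        {
            ctx = $NF                      # context is always the last field
            if (ctx == "<<none>>") next    # explicit "leave this path alone"
            n = split(ctx, f, ":")
            if (n < 3 || !(f[3] in known)) {
                printf "%s: line %d has invalid context %s\n", FILENAME, FNR, ctx
                bad = 1
            }
        }
        END { exit bad }
    ' "$spec"
}

# Constructed sample data (not captured from a real system): a homedirs spec
# as genhomedircon would expand it, and a type list in which user_tmp_t is
# missing, reproducing the two failures reported in the thread.
make_sample() {
    cat > "$1" <<'EOF'
/home/[^/]*/.+ system_u:object_r:user_home_t
/home/[^/]* -d system_u:object_r:user_home_dir_t
/tmp/gconfd-[^/]* -d user_u:object_r:user_tmp_t
/home/lost\+found/.* <<none>>
/root -d root:object_r:user_home_dir_t
/tmp/gconfd-root -d root:object_r:user_tmp_t
EOF
    cat > "$2" <<'EOF'
user_home_t
user_home_dir_t
home_root_t
lost_found_t
EOF
}

# Demo on the constructed data: flags lines 3 and 6 (both user_tmp_t).
demo_dir=$(mktemp -d)
make_sample "$demo_dir/file_contexts.homedirs" "$demo_dir/policy_types"
check_file_contexts "$demo_dir/file_contexts.homedirs" "$demo_dir/policy_types" \
    || echo "fix the policy (or the homedir_template line) before relabeling"
rm -rf "$demo_dir"
```

Once the offending type is either provided by the loaded policy or dropped from the template, the same check passes cleanly, and rlpkg will no longer stop on those entries; commenting the template line out only hides the mismatch until the next genhomedircon run regenerates the spec.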