| 1 |
On 11/14/2010 06:44 PM, luc nac wrote: |
| 2 |
> Thanks to all of you who have been interested in my previous message. |
| 3 |
> I'm encountering much more problems than expected and I can't find a |
| 4 |
> forum where to discuss about SELinux in Gentoo. I didn't find much |
| 5 |
> help in this one http://forums.gentoo.org/viewforum-f-18.html . If |
| 6 |
> this is not the right place to ask help, please tell me! |
| 7 |
> |
| 8 |
> Now I'm trying to install the targeted policy but I can't succeed. |
| 9 |
> Trying to relabel the filesystem I obtain an error: |
| 10 |
> localhost ~ # rlpkg -a -r |
| 11 |
> Relabeling filesystem types: ext2 ext3 jfs xfs |
| 12 |
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 21 |
| 13 |
> has invalid context user_u:object_r:user_tmp_t |
| 14 |
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 32 |
| 15 |
> has invalid context root:object_r:user_tmp_t |
| 16 |
> Scanning for shared libraries with text relocations... |
| 17 |
> 0 libraries with text relocations, 0 not relabeled. |
| 18 |
> Scanning for PIE binaries with text relocations... |
| 19 |
> 0 binaries with text relocations detected. |
| 20 |
> |
| 21 |
> The same error appears trying to emerge any package. |
| 22 |
> |
| 23 |
> Commenting this line: |
| 24 |
> /tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t |
| 25 |
> in /etc/selinux/targeted/contexts/files/homedir_template |
| 26 |
> and then launching the genhomedircon command, successive rlpk (and |
| 27 |
> emerge) succeed until next reboot. |
| 28 |
> I think that this is a bad solution! |
| 29 |
> |
| 30 |
> In SELinux FAQ http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=3 |
| 31 |
> (section 3.f. Setfiles error messages ) it's written that "If /selinux |
| 32 |
> is mounted, then most likely there is new policy that has not yet been |
| 33 |
> loaded; therefore, the contexts have not yet become valid." |
| 34 |
> |
| 35 |
> I emerged a lot of modules, much more than needed considering that |
| 36 |
> this is a Gentoo stage 3 system. |
| 37 |
> |
| 38 |
> localhost ~ # equery list selinux- |
| 39 |
> [ Searching for package 'selinux-' in all categories among: ] |
| 40 |
> * installed packages |
| 41 |
> [I--] [ ] sec-policy/selinux-apache-20070928 (0) |
| 42 |
> [I--] [ ] sec-policy/selinux-arpwatch-20070928 (0) |
| 43 |
> [I--] [ ] sec-policy/selinux-base-policy-20070928 (0) |
| 44 |
> [I--] [ ] sec-policy/selinux-bind-20070928 (0) |
| 45 |
> [I--] [ ] sec-policy/selinux-dbus-20070928 (0) |
| 46 |
> [I--] [ ] sec-policy/selinux-desktop-20070928 (0) |
| 47 |
> [I--] [ ] sec-policy/selinux-dhcp-20070928 (0) |
| 48 |
> [I--] [ ] sec-policy/selinux-dnsmasq-20070928 (0) |
| 49 |
> [I--] [ ] sec-policy/selinux-games-20070928 (0) |
| 50 |
> [I--] [ ] sec-policy/selinux-gnupg-20070928 (0) |
| 51 |
> [I--] [ ] sec-policy/selinux-gpm-20070928 (0) |
| 52 |
> [I--] [ ] sec-policy/selinux-logrotate-20070928 (0) |
| 53 |
> [I--] [ ] sec-policy/selinux-nfs-20070928 (0) |
| 54 |
> [I--] [ ] sec-policy/selinux-openldap-20070928 (0) |
| 55 |
> [I--] [ ] sec-policy/selinux-portmap-20070928 (0) |
| 56 |
> [I--] [ ] sec-policy/selinux-samba-20070928 (0) |
| 57 |
> [I--] [ ] sec-policy/selinux-sudo-20070928 (0) |
| 58 |
> [I--] [ ] sec-policy/selinux-tcpd-20070928 (0) |
| 59 |
> [I--] [ ] sec-policy/selinux-tftpd-20070928 (0) |
| 60 |
> |
| 61 |
> localhost ~ # semodule -l |
| 62 |
> apache 1.8.0 |
| 63 |
> arpwatch 1.4.0 |
| 64 |
> bind 1.5.0 |
| 65 |
> dbus 1.7.0 |
| 66 |
> dhcp 1.4.0 |
| 67 |
> dnsmasq 1.4.0 |
| 68 |
> games 1.4.0 |
| 69 |
> gpg 1.4.0 |
| 70 |
> gpm 1.3.0 |
| 71 |
> java 1.6.0 |
| 72 |
> ldap 1.5.0 |
| 73 |
> logrotate 1.6.0 |
| 74 |
> mono 1.3.0 |
| 75 |
> mozilla 1.4.0 |
| 76 |
> mplayer 1.3.0 |
| 77 |
> portmap 1.5.0 |
| 78 |
> rpc 1.6.0 |
| 79 |
> samba 1.6.0 |
| 80 |
> sudo 1.2.0 |
| 81 |
> tftp 1.5.0 |
| 82 |
> wine 1.4.0 |
| 83 |
> xfs 1.2.0 |
| 84 |
> xserver 1.6.0 |
| 85 |
> |
| 86 |
> localhost ~ # cat /etc/selinux/targeted/contexts/files/homedir_template |
| 87 |
> HOME_DIR/.+ system_u:object_r:ROLE_home_t |
| 88 |
> HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t |
| 89 |
> HOME_ROOT/lost\+found/.* <<none>> |
| 90 |
> HOME_DIR -d system_u:object_r:ROLE_home_dir_t |
| 91 |
> HOME_ROOT -d system_u:object_r:home_root_t |
| 92 |
> /tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t |
| 93 |
> HOME_ROOT/\.journal <<none>> |
| 94 |
> HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t |
| 95 |
Ok, first and foremost, I haven't tested targeted policy (I'm still |
| 96 |
sorting strict policy). |
| 97 |
Second, the handbook states that you should use v2refpolicy. You are |
| 98 |
running the 20070928 policy, which is v1 policy and is very very old. |
| 99 |
I'm guessing you are working with an old system that hasn't been |
| 100 |
converted to v2refpolicy. |
| 101 |
Third, even with v2refpolicy, the current version in the tree is now |
| 102 |
almost a year old and has issues (which is part of what I'm working to |
| 103 |
sort out). TBH, I'm not entirely certain it will boot in enforcing |
| 104 |
mode, although targeted policy will stand a better chance of working |
| 105 |
than strict policy. |
| 106 |
|
| 107 |
I'm working as fast as I can. Unfortunately, my spare time is pretty, |
| 108 |
well, 'spare' and has been for some time. If you want to make your own |
| 109 |
ebuild, you can find where to pull the latest release policy from |
| 110 |
http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease, or get |
| 111 |
the current development policy from the git repository at |
| 112 |
http://oss.tresys.com/git/refpolicy.git. |
| 113 |
|
| 114 |
Later, |
| 115 |
Gizmo |
Archives