| 1 |
Now I am trying to use SELinux (targeted policy) in a brand new Gentoo |
| 2 |
stage3 (Kernel 2.6.32-hardened-r9), I tried all versions of |
| 3 |
selinux-base-policy available, but relabeling the file system always |
| 4 |
fails with the same error: "filespec_add: Conflicting specifications |
| 5 |
for ...". |
| 6 |
Am I still doing something wrong? The only thing that I can do to run |
| 7 |
SELinux in Gentoo is try to make my own ebuild? |
| 8 |
|
| 9 |
# rlpkg -a -r |
| 10 |
Relabeling filesystem types: ext2 ext3 jfs xfs |
| 11 |
filespec_add: conflicting specifications for /usr/bin/getconf and |
| 12 |
/usr/lib/misc/glibc/getconf/POSIX_V6_ILP32_OFFBIG, using |
| 13 |
system_u:object_r:lib_t. |
| 14 |
filespec_eval: hash table stats: 251923 elements, 63077/65536 buckets |
| 15 |
used, longest chain length 8 |
| 16 |
Scanning for shared libraries with text relocations... |
| 17 |
0 libraries with text relocations, 0 not relabeled. |
| 18 |
Scanning for PIE binaries with text relocations... |
| 19 |
0 binaries with text relocations detected. |
| 20 |
|
| 21 |
# sestatus -v |
| 22 |
SELinux status: enabled |
| 23 |
SELinuxfs mount: /selinux |
| 24 |
Current mode: permissive |
| 25 |
Mode from config file: enforcing |
| 26 |
Policy version: 24 |
| 27 |
Policy from config file: targeted |
| 28 |
|
| 29 |
Process contexts: |
| 30 |
Current context: unconfined_u:unconfined_r:unconfined_t |
| 31 |
Init context: system_u:system_r:init_t |
| 32 |
/sbin/agetty system_u:system_r:getty_t |
| 33 |
/usr/sbin/sshd system_u:system_r:sshd_t |
| 34 |
|
| 35 |
File contexts: |
| 36 |
Controlling term: unconfined_u:object_r:user_devpts_t |
| 37 |
/sbin/init system_u:object_r:init_exec_t |
| 38 |
/sbin/agetty system_u:object_r:getty_exec_t |
| 39 |
/bin/login system_u:object_r:login_exec_t |
| 40 |
/sbin/rc system_u:object_r:initrc_exec_t |
| 41 |
/sbin/runscript.sh system_u:object_r:initrc_exec_t |
| 42 |
/usr/sbin/sshd system_u:object_r:sshd_exec_t |
| 43 |
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t |
| 44 |
/etc/passwd system_u:object_r:etc_t |
| 45 |
/etc/shadow system_u:object_r:shadow_t |
| 46 |
/bin/sh system_u:object_r:bin_t -> |
| 47 |
system_u:object_r:shell_exec_t |
| 48 |
/bin/bash system_u:object_r:shell_exec_t |
| 49 |
/usr/bin/newrole system_u:object_r:newrole_exec_t |
| 50 |
/lib/libc.so.6 system_u:object_r:lib_t -> |
| 51 |
system_u:object_r:lib_t |
| 52 |
/lib/ld-linux.so.2 system_u:object_r:lib_t -> |
| 53 |
system_u:object_r:ld_so_t |
| 54 |
|
| 55 |
# eselect profile list |
| 56 |
Available profile symlink targets: |
| 57 |
[1] default/linux/x86/10.0 |
| 58 |
[2] default/linux/x86/10.0/desktop |
| 59 |
[3] default/linux/x86/10.0/desktop/gnome |
| 60 |
[4] default/linux/x86/10.0/desktop/kde |
| 61 |
[5] default/linux/x86/10.0/developer |
| 62 |
[6] default/linux/x86/10.0/server |
| 63 |
[7] hardened/linux/x86/10.0 |
| 64 |
[8] selinux/2007.0/x86 |
| 65 |
[9] selinux/2007.0/x86/hardened |
| 66 |
[10] selinux/v2refpolicy/x86 |
| 67 |
[11] selinux/v2refpolicy/x86/desktop |
| 68 |
[12] selinux/v2refpolicy/x86/developer |
| 69 |
[13] selinux/v2refpolicy/x86/hardened * |
| 70 |
[14] selinux/v2refpolicy/x86/server |
| 71 |
|
| 72 |
# equery list -p selinux-base-policy |
| 73 |
[ Searching for package 'selinux-base-policy' in all categories among: ] |
| 74 |
* installed packages |
| 75 |
[I--] [ ~] sec-policy/selinux-base-policy-2.20091215 (0) |
| 76 |
* Portage tree (/usr/portage) |
| 77 |
[-P-] [ ~] sec-policy/selinux-base-policy-2.20090730 (0) |
| 78 |
[-P-] [ ~] sec-policy/selinux-base-policy-2.20090814 (0) |
| 79 |
[-P-] [M ] sec-policy/selinux-base-policy-20080525 (0) |
| 80 |
[-P-] [ ~] sec-policy/selinux-base-policy-20080525-r1 (0) |
| 81 |
|
| 82 |
# semodule -l |
| 83 |
apache 2.1.0 |
| 84 |
bind 1.10.0 |
| 85 |
gpg 2.2.1 |
| 86 |
java 2.2.0 |
| 87 |
local 1.0 |
| 88 |
mono 1.6.0 |
| 89 |
mozilla 2.1.1 |
| 90 |
mplayer 2.1.0 |
| 91 |
wine 1.6.0 |
| 92 |
xfs 1.6.0 |
| 93 |
xserver 3.3.1 |
| 94 |
|
| 95 |
|
| 96 |
On Mon, Nov 15, 2010 at 02:14, Chris Richards <gizmo@×××××××××.com> wrote: |
| 97 |
> Ok, first and foremost, I haven't tested targeted policy (I'm still sorting |
| 98 |
> strict policy). |
| 99 |
> Second, the handbook states that you should use v2refpolicy. You are |
| 100 |
> running the 20070928 policy, which is v1 policy and is very very old. I'm |
| 101 |
> guessing you are working with an old system that hasn't been converted to |
| 102 |
> v2refpolicy. |
| 103 |
> Third, even with v2refpolicy, the current version in the tree is now almost |
| 104 |
> a year old and has issues (which is part of what I'm working to sort out). |
| 105 |
> TBH, I'm not entirely certain it will boot in enforcing mode, although |
| 106 |
> targeted policy will stand a better chance of working than strict policy. |
| 107 |
> |
| 108 |
> I'm working as fast as I can. Unfortunately, my spare time is pretty, well, |
| 109 |
> 'spare' and has been for some time. If you want to make your own ebuild, |
| 110 |
> you can find where to pull the latest release policy from |
| 111 |
> http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease, or get the |
| 112 |
> current development policy from the git repository at |
| 113 |
> http://oss.tresys.com/git/refpolicy.git. |
| 114 |
> |
| 115 |
> Later, |
| 116 |
> Gizmo |
| 117 |
> |
| 118 |
> |
Archives