On 11/14/2010 06:44 PM, luc nac wrote:
Thanks to all of you who have been interested in my previous message.
I'm encountering many more problems than expected and I can't find a
forum in which to discuss SELinux in Gentoo. I didn't find much
help in this one: http://forums.gentoo.org/viewforum-f-18.html. If
this is not the right place to ask for help, please tell me!
Now I'm trying to install the targeted policy but I can't succeed.
Trying to relabel the filesystem, I obtain an error:
localhost ~ # rlpkg -a -r
Relabeling filesystem types: ext2 ext3 jfs xfs
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 21
has invalid context user_u:object_r:user_tmp_t
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 32
has invalid context root:object_r:user_tmp_t
Scanning for shared libraries with text relocations...
0 libraries with text relocations, 0 not relabeled.
Scanning for PIE binaries with text relocations...
0 binaries with text relocations detected.
The same error appears trying to emerge any package.
Commenting this line:
/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
in /etc/selinux/targeted/contexts/files/homedir_template
and then launching the genhomedircon command, subsequent rlpkg (and
emerge) runs succeed until the next reboot.
I think that this is a bad solution!
In SELinux FAQ
http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=3
(section 3.f. Setfiles error messages) it's written that "If /selinux
is mounted, then most likely there is new policy that has not yet been
loaded; therefore, the contexts have not yet become valid."
I emerged a lot of modules, many more than needed considering that
this is a Gentoo stage 3 system.
localhost ~ # equery list selinux-
[ Searching for package 'selinux-' in all categories among: ]
* installed packages
[I--] [ ] sec-policy/selinux-apache-20070928 (0)
[I--] [ ] sec-policy/selinux-arpwatch-20070928 (0)
[I--] [ ] sec-policy/selinux-base-policy-20070928 (0)
[I--] [ ] sec-policy/selinux-bind-20070928 (0)
[I--] [ ] sec-policy/selinux-dbus-20070928 (0)
[I--] [ ] sec-policy/selinux-desktop-20070928 (0)
[I--] [ ] sec-policy/selinux-dhcp-20070928 (0)
[I--] [ ] sec-policy/selinux-dnsmasq-20070928 (0)
[I--] [ ] sec-policy/selinux-games-20070928 (0)
[I--] [ ] sec-policy/selinux-gnupg-20070928 (0)
[I--] [ ] sec-policy/selinux-gpm-20070928 (0)
[I--] [ ] sec-policy/selinux-logrotate-20070928 (0)
[I--] [ ] sec-policy/selinux-nfs-20070928 (0)
[I--] [ ] sec-policy/selinux-openldap-20070928 (0)
[I--] [ ] sec-policy/selinux-portmap-20070928 (0)
[I--] [ ] sec-policy/selinux-samba-20070928 (0)
[I--] [ ] sec-policy/selinux-sudo-20070928 (0)
[I--] [ ] sec-policy/selinux-tcpd-20070928 (0)
[I--] [ ] sec-policy/selinux-tftpd-20070928 (0)
localhost ~ # semodule -l
apache 1.8.0
arpwatch 1.4.0
bind 1.5.0
dbus 1.7.0
dhcp 1.4.0
dnsmasq 1.4.0
games 1.4.0
gpg 1.4.0
gpm 1.3.0
java 1.6.0
ldap 1.5.0
logrotate 1.6.0
mono 1.3.0
mozilla 1.4.0
mplayer 1.3.0
portmap 1.5.0
rpc 1.6.0
samba 1.6.0
sudo 1.2.0
tftp 1.5.0
wine 1.4.0
xfs 1.2.0
xserver 1.6.0
localhost ~ # cat /etc/selinux/targeted/contexts/files/homedir_template
HOME_DIR/.+ system_u:object_r:ROLE_home_t
HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t
HOME_ROOT/lost\+found/.* <<none>>
HOME_DIR -d system_u:object_r:ROLE_home_dir_t
HOME_ROOT -d system_u:object_r:home_root_t
/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t

Ok, first and foremost, I haven't tested targeted policy (I'm still
sorting strict policy).
Second, the handbook states that you should use v2refpolicy. You are
running the 20070928 policy, which is v1 policy and is very very old.
I'm guessing you are working with an old system that hasn't been
converted to v2refpolicy.
Third, even with v2refpolicy, the current version in the tree is now
almost a year old and has issues (which is part of what I'm working to
sort out). TBH, I'm not entirely certain it will boot in enforcing
mode, although targeted policy will stand a better chance of working
than strict policy.
I'm working as fast as I can. Unfortunately, my spare time is pretty,
well, 'spare' and has been for some time. If you want to make your own
ebuild, you can find where to pull the latest release policy from
http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease, or get
the current development policy from the git repository at
http://oss.tresys.com/git/refpolicy.git.
Later,
Gizmo
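The "has invalid context" error above comes from setfiles checking every context in file_contexts.homedirs against the policy that is actually loaded; genhomedircon expands homedir_template per user, and a type such as user_tmp_t that the installed policy does not define fails that check. The script below is an added example, not code from either poster or from the Gentoo or refpolicy projects: it parses file_contexts-style lines, performs a simplified genhomedircon-style expansion of the template quoted above (constructed copy, wrapped line joined), and reports the same wording setfiles uses. The user, role and type sets are constructed stand-ins for what `seinfo` would report on a real system, with user_tmp_t deliberately left out to reproduce the failure; the user list and the `check_homedir_contexts` helper are assumptions for illustration.

```python
import re

# Constructed: the homedir_template from the post, with the wrapped line joined.
HOMEDIR_TEMPLATE = r"""HOME_DIR/.+ system_u:object_r:ROLE_home_t
HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t
HOME_ROOT/lost\+found/.* <<none>>
HOME_DIR -d system_u:object_r:ROLE_home_dir_t
HOME_ROOT -d system_u:object_r:home_root_t
/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t
"""

# Constructed stand-ins for what the loaded policy defines (on a real system,
# take these from `seinfo -u`, `seinfo -r` and `seinfo -t`). user_tmp_t is
# deliberately absent so the gconfd line fails validation, as in the post.
KNOWN_USERS = {"system_u", "user_u", "root"}
KNOWN_ROLES = {"object_r"}
KNOWN_TYPES = {"user_home_t", "user_home_dir_t", "httpd_user_content_t",
               "home_root_t", "lost_found_t"}

# file_contexts line: <regex> [-<filetype>] <context>
LINE_RE = re.compile(r"^(?P<regex>\S+)(?:\s+(?P<ftype>-[bcdlps]))?\s+(?P<ctx>\S+)$")


def parse_file_contexts(text):
    """Parse file_contexts-style text into (lineno, regex, ftype, context) tuples.
    Blank lines and '#' comments are skipped, as setfiles does."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        entries.append((lineno, m["regex"], m["ftype"], m["ctx"]))
    return entries


def expand_template(template, selinux_user, role_prefix, username):
    """Simplified genhomedircon: substitute the placeholders for one user.
    (Real genhomedircon expands HOME_ROOT once per home root and takes users
    from the policy; only the substitutions needed here are modelled.)"""
    home_dir = "/root" if username == "root" else f"/home/{username}"
    lines = []
    for line in template.splitlines():
        line = (line.replace("HOME_DIR", home_dir)
                    .replace("HOME_ROOT", "/home")
                    .replace("USER", username)
                    .replace("ROLE", role_prefix)
                    .replace("system_u", selinux_user))
        lines.append(line)
    return "\n".join(lines)


def validate_contexts(entries, users, roles, types):
    """Return setfiles-style messages for contexts naming an unknown user,
    role or type. <<none>> entries carry no context and are skipped."""
    errors = []
    for lineno, _regex, _ftype, ctx in entries:
        if ctx == "<<none>>":
            continue
        parts = ctx.split(":")  # user:role:type[:mls-range]
        if len(parts) < 3:
            errors.append(f"line {lineno} has invalid context {ctx}")
            continue
        user, role, type_ = parts[:3]
        if user not in users or role not in roles or type_ not in types:
            errors.append(f"line {lineno} has invalid context {ctx}")
    return errors


def check_homedir_contexts(template, user_map, users, roles, types):
    """Build file_contexts.homedirs for every (selinux_user, role_prefix, username)
    and validate it against the policy's known identifiers."""
    homedirs = "\n".join(expand_template(template, su, rp, un) for su, rp, un in user_map)
    return validate_contexts(parse_file_contexts(homedirs), users, roles, types)


if __name__ == "__main__":
    # Constructed user map: one ordinary user plus root, both with the "user" role prefix.
    users = [("user_u", "user", "luc"), ("root", "user", "root")]
    for msg in check_homedir_contexts(HOMEDIR_TEMPLATE, users, KNOWN_USERS, KNOWN_ROLES, KNOWN_TYPES):
        print(msg)
```

Running the script reports only the two expanded gconfd lines, which matches the pattern of the relabel error in the post: the template is fine, but it references a type the installed (v1, 20070928) policy never defines, which is why commenting that line out silences the error without addressing the policy mismatch Gizmo describes.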