Now I am trying to use SELinux (targeted policy) in a brand new Gentoo stage3 (kernel 2.6.32-hardened-r9). I tried all available versions of selinux-base-policy, but relabeling the file system always fails with the same error: "filespec_add: Conflicting specifications for ...". Am I still doing something wrong? Is the only thing I can do to run SELinux in Gentoo to try to make my own ebuild?

# rlpkg -a -r
Relabeling filesystem types: ext2 ext3 jfs xfs
filespec_add: conflicting specifications for /usr/bin/getconf and /usr/lib/misc/glibc/getconf/POSIX_V6_ILP32_OFFBIG, using system_u:object_r:lib_t.
filespec_eval: hash table stats: 251923 elements, 63077/65536 buckets used, longest chain length 8
Scanning for shared libraries with text relocations...
0 libraries with text relocations, 0 not relabeled.
Scanning for PIE binaries with text relocations...
0 binaries with text relocations detected.

# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:sshd_t

File contexts:
Controlling term:               unconfined_u:object_r:user_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/rc                        system_u:object_r:initrc_exec_t
/sbin/runscript.sh              system_u:object_r:initrc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd               system_u:object_r:chkpwd_exec_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t

# eselect profile list
Available profile symlink targets:
  [1]   default/linux/x86/10.0
  [2]   default/linux/x86/10.0/desktop
  [3]   default/linux/x86/10.0/desktop/gnome
  [4]   default/linux/x86/10.0/desktop/kde
  [5]   default/linux/x86/10.0/developer
  [6]   default/linux/x86/10.0/server
  [7]   hardened/linux/x86/10.0
  [8]   selinux/2007.0/x86
  [9]   selinux/2007.0/x86/hardened
  [10]  selinux/v2refpolicy/x86
  [11]  selinux/v2refpolicy/x86/desktop
  [12]  selinux/v2refpolicy/x86/developer
  [13]  selinux/v2refpolicy/x86/hardened *
  [14]  selinux/v2refpolicy/x86/server

# equery list -p selinux-base-policy
[ Searching for package 'selinux-base-policy' in all categories among: ]
 * installed packages
[I--] [ ~] sec-policy/selinux-base-policy-2.20091215 (0)
 * Portage tree (/usr/portage)
[-P-] [ ~] sec-policy/selinux-base-policy-2.20090730 (0)
[-P-] [ ~] sec-policy/selinux-base-policy-2.20090814 (0)
[-P-] [M ] sec-policy/selinux-base-policy-20080525 (0)
[-P-] [ ~] sec-policy/selinux-base-policy-20080525-r1 (0)

# semodule -l
apache 2.1.0
bind 1.10.0
gpg 2.2.1
java 2.2.0
local 1.0
mono 1.6.0
mozilla 2.1.1
mplayer 2.1.0
wine 1.6.0
xfs 1.6.0
xserver 3.3.1

On Mon, Nov 15, 2010 at 02:14, Chris Richards <gi...@giz-works.com> wrote:
> Ok, first and foremost, I haven't tested targeted policy (I'm still sorting
> strict policy).
> Second, the handbook states that you should use v2refpolicy. You are
> running the 20070928 policy, which is v1 policy and is very very old. I'm
> guessing you are working with an old system that hasn't been converted to
> v2refpolicy.
> Third, even with v2refpolicy, the current version in the tree is now almost
> a year old and has issues (which is part of what I'm working to sort out).
> TBH, I'm not entirely certain it will boot in enforcing mode, although
> targeted policy will stand a better chance of working than strict policy.
>
> I'm working as fast as I can. Unfortunately, my spare time is pretty, well,
> 'spare' and has been for some time. If you want to make your own ebuild,
> you can find where to pull the latest release policy from
> http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease, or get the
> current development policy from the git repository at
> http://oss.tresys.com/git/refpolicy.git.
>
> Later,
> Gizmo