On Wed, Nov 23, 2016 at 03:16:44PM +0000, Robert Sharp wrote:
>
> On 23/11/16 14:37, Jason Zaman wrote:
> > Are you on ~arch or stable? did you just upgrade to the 2.6 userland?
> > What versions do you have installed of these:
> > sys-libs/libsepol
> > sys-libs/libselinux
> > sys-libs/libsemanage
> > sys-apps/checkpolicy
> > sys-apps/policycoreutils
> > dev-python/sepolgen
> > app-admin/setools
> Looks like I am stable - 2.5 for all of the above.
> >
> > what does this return?
> > ls -al /etc/selinux/*/policy/policy.*
> -rw-r--r--. 1 root root 433338 Apr 6 2016 /etc/selinux/strict/policy/policy.29
> -rw-r--r--. 1 root root 445097 Nov 23 11:43 /etc/selinux/strict/policy/policy.30
> -rw-r--r--. 1 root root 450378 Apr 6 2016 /etc/selinux/targeted/policy/policy.29
> -rw-r--r--. 1 root root 462377 Nov 23 11:43 /etc/selinux/targeted/policy/policy.30
> > and in /etc/selinux/semanage.conf, do you have policy-version = set to
> > anything?
> module-store = direct
> save-linked=false
> expand-check=1
> bzip-blocksize=0
> bzip-small=true
>
> so no for the last one!
>
> Should I move to ~arch then, and is there a guide for that or is it
> fairly simple?
>
> Thanks,
> Robert

Okay so the problem is the two different policy versions. Some versions ago the kernel added policy version 30. By default the userspace will load in the highest version that exists (i.e. /etc/selinux/strict/policy/policy.30). setools4 supports that version just fine, the old setools3 only supported up to policy version 29. Your sesearch line is probably searching the old .29 one or something so it's weird.

Two ways to proceed:

1) downgrade to policy.29:
   - Add policy-version = 29 to semanage.conf
   - rm /etc/selinux/*/policy/policy.30
   - semodule -B
   If that is not enough, you can completely rebuild all the policy packages with:
   emerge @selinux-rebuild

2) stick with policy.30 and upgrade the tools so it works properly.
   - Add this to package.keywords:
     sys-libs/libsepol ~amd64
     sys-libs/libselinux ~amd64
     sys-libs/libsemanage ~amd64
     sys-apps/checkpolicy ~amd64
     sys-apps/policycoreutils ~amd64
     dev-python/sepolgen ~amd64
     app-admin/setools ~amd64
   - emerge -avDu @world
   - rm /etc/selinux/*/policy/policy.29
   - semodule -B
   (You can again do emerge @selinux-rebuild if you want)

Either is fine, but I'm probably just gonna stabilize the 2.6 userspace in a couple weeks so that one is likely easier. And setools4 is waaay better than 3.

The important point is that you don't want to have both policy.29 and policy.30 around. Then you get weirdness like if you downgrade a kernel or something random it'll load in the old policy which probably doesn't work properly, so whichever you pick, make sure you nuke the other one. And semodule -B will rebuild the whole policy again and load it.

-- 
Jason
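
A read-only check for the state described in the reply above (more than one policy.N file in a store, and whether policy-version is set in semanage.conf), as an added example that is not part of the original mail. The SELINUX_ROOT override and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report stores that hold more than one binary policy version.
# SELINUX_ROOT is a hypothetical override so the check can be pointed at a
# constructed tree; it defaults to the real /etc/selinux.
SELINUX_ROOT="${SELINUX_ROOT:-/etc/selinux}"

# Print the numeric versions of the policy.N files in one store, ascending.
policy_versions() {
    for f in "$SELINUX_ROOT/$1"/policy/policy.*; do
        [ -f "$f" ] || continue
        v="${f##*/policy.}"
        case "$v" in ''|*[!0-9]*) continue ;; esac
        echo "$v"
    done | sort -n
}

# Print the policy-version value from semanage.conf, or nothing if it is unset.
pinned_version() {
    conf="$SELINUX_ROOT/semanage.conf"
    [ -f "$conf" ] || return 0
    sed -n 's/^[[:space:]]*policy-version[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf" | tail -n 1
}

# Report every store; return 1 if any store holds more than one version.
check_stores() {
    rc=0
    pin="$(pinned_version)"
    echo "semanage.conf policy-version: ${pin:-not set}"
    for d in "$SELINUX_ROOT"/*/policy; do
        [ -d "$d" ] || continue
        store="${d%/policy}"; store="${store##*/}"
        set -- $(policy_versions "$store")   # one positional parameter per version
        highest=""
        for v in "$@"; do highest="$v"; done
        if [ "$#" -gt 1 ]; then
            # Per the mail: userspace loads the highest version by default.
            echo "MIXED $store: versions $* (highest: $highest)"
            rc=1
        else
            echo "OK    $store: versions $*"
        fi
    done
    return "$rc"
}

check_stores || echo "Remove the policy.N you are not keeping, then run: semodule -B"
```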