Lawless l33t
Joined: 03 Nov 2003 Posts: 638 Location: Germany
|
Posted: Sun Oct 29, 2006 1:23 pm Post subject: SELinux - where to 'make load'? |
|
|
I'm trying to get SELinux working.
First I followed the Null Selinux Howto - now I'm trying to load the policies.
The Gentoo SELinux handbook tells me to go to /etc/security/selinux/src/policy and do a 'make load' but I do not have this directory.
After installing selinux-base-policy I do have an /etc/selinux - but I found nothing where I could do the make.
Did I forget something that prevented the creation of this directory? _________________ Kernel panic: I have no root and I want to scream |
|
|
|
nixnut Bodhisattva
Joined: 09 Apr 2004 Posts: 10974 Location: the dutch mountains
|
Posted: Sun Oct 29, 2006 1:36 pm Post subject: |
|
|
You do that in the directory where the sources are. Alternatively, just use the load_policy tool. _________________ Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered
talk is cheap. supply exceeds demand |
|
|
|
Lawless l33t
Joined: 03 Nov 2003 Posts: 638 Location: Germany
|
Posted: Sun Oct 29, 2006 1:48 pm Post subject: |
|
|
Ok load_policy is going into "/etc/selinux/strict/policy/" which is empty and therefore I get an
Code: |
# load_policy
load_policy: Can't load policy: No such file or directory
|
That's all I have emerged
Code: |
# emerge -pv checkpolicy policycoreutils selinux-base-policy python-selinux libselinux
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] sys-apps/checkpolicy-1.30.12 USE="-debug" 0 kB
[ebuild R ] sys-apps/policycoreutils-1.30.30 USE="nls pam" 0 kB
[ebuild R ] sec-policy/selinux-base-policy-20061015 0 kB
[ebuild R ] dev-python/python-selinux-2.16-r2 0 kB
[ebuild R ] sys-libs/libselinux-1.30.29 0 kB
|
I'm just too blind to see what step I forgot in the howto... |
|
|
|
nixnut Bodhisattva
Joined: 09 Apr 2004 Posts: 10974 Location: the dutch mountains
|
Posted: Sun Oct 29, 2006 3:51 pm Post subject: |
|
|
less /var/db/pkg/sec-policy/selinux-base-policy-20061015/CONTENTS should tell you where the policy files got installed. |
|
|
|
Lawless l33t
Joined: 03 Nov 2003 Posts: 638 Location: Germany
|
Posted: Sun Oct 29, 2006 4:46 pm Post subject: |
|
|
Ok next try...
Code: |
dir /usr
dir /usr/share
dir /usr/share/selinux
dir /usr/share/selinux/strict
obj /usr/share/selinux/strict/base.pp a8ef5b78287ca973f964a487afd75e4a 1162125130
dir /usr/share/selinux/strict/include
obj /usr/share/selinux/strict/include/global_tunables.xml b146f329a0e3956e5b8691fcd187c8bf 1162125130
obj /usr/share/selinux/strict/include/global_booleans.xml c1d676e283d437c5e644bbd65c1920ac 1162125130
obj /usr/share/selinux/strict/include/rolemap f53531b83c7def5e913ddbc2ef8e663e 1162125130
dir /usr/share/selinux/strict/include/support
obj /usr/share/selinux/strict/include/support/loadable_module.spt 1aa45bc236c4935eee3f029679abfab6 1162125130
obj /usr/share/selinux/strict/include/support/misc_macros.spt 50377b50ddcd4354530817351b0696cf 1162125130
(...)
dir /etc/selinux
dir /etc/selinux/strict
dir /etc/selinux/strict/contexts
obj /etc/selinux/strict/contexts/default_contexts 2e0357decc0d201dd2398e81e7790835 1162125130
obj /etc/selinux/strict/contexts/default_type f940e5556379e0c7f3d12b09a149dcc2 1162125130
obj /etc/selinux/strict/contexts/initrc_context 5a81f6953618a27c85d55ef287dc85e7 1162125130
(...)
obj /etc/selinux/targeted/contexts/run_init_type 8cbd6783e901b590f2f327d1aaf3c3d3 1162125130
dir /etc/selinux/targeted/policy
obj /etc/selinux/targeted/policy/.keep_sec-policy_selinux-base-policy-0 d41d8cd98f00b204e9800998ecf8427e 1162125130
obj /etc/selinux/config 0e845ce007e469b90bf7528beb3fec26 1162125130
|
/etc/selinux/strict/policy is empty and the only Makefile is in /usr/share/selinux/strict/include/
Code: |
# make load
Loading strict modules:
At least one mode must be specified.
usage: /usr/sbin/semodule [options]... MODE [MODES]...
Manage SELinux policy modules.
MODES:
-R, --reload reload policy
-B, --build build and reload policy
-i,--install=MODULE_PKG install a new module
-u,--upgrade=MODULE_PKG upgrade existing module
-b,--base=MODULE_PKG install new base module
-r,--remove=MODULE_NAME remove existing module
-l,--list-modules display list of installed modules
Other options:
-s,--store name of the store to operate on
-n,--noreload do not reload policy after commit
-h,--help print this message and quit
-v,--verbose be verbose
make: *** [load] Error 1
|
Code: |
# semodule -l
semodule: SELinux policy is not managed or store cannot be accessed.
|
|
|
|
Lawless l33t
Joined: 03 Nov 2003 Posts: 638 Location: Germany
|
Posted: Mon Oct 30, 2006 6:23 am Post subject: |
|
|
And now I cannot emerge other packages
Code: |
>>> Merging dev-libs/libassuan-0.9.3 to /
>>> Setting SELinux security labels
/etc/selinux/strict/contexts/files/file_contexts: No such file or directory
!!! ERROR: dev-libs/libassuan-0.9.3 failed.
Call stack:
misc-functions.sh, line 439: Called preinst_selinux_labels
misc-functions.sh, line 361: Called die
|
(With FEATURES="selinux" turned off...)
And according to this thread
https://forums.gentoo.org/viewtopic-t-190744-highlight-filecontexts.html
(which is old I know) I should have somewhere a directory with .fc or .te files but I only have lots of .if... so as for me it seems I do not have the policy sources...? |
|
|
|
Lawless l33t
Joined: 03 Nov 2003 Posts: 638 Location: Germany
|
Posted: Mon Oct 30, 2006 4:28 pm Post subject: |
|
|
Ok, now I got the refpolicy sources which are getting downloaded with the selinux-base-policy but don't get installed to /etc/selinux...
I did this myself, compiled the policy and loaded it successfully
Code: |
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 20
Policy from config file: refpolicy
|
So are these the sources I was looking for? Why aren't they installed by the ebuild... |
|
|
|
b_koepke n00b
Joined: 02 Jun 2006 Posts: 53
|
|
|
|
Lawless l33t
Joined: 03 Nov 2003 Posts: 638 Location: Germany
|
Posted: Tue Oct 31, 2006 5:14 pm Post subject: |
|
|
I did try it but with the semodule tool I only get
Code: |
# semodule -B
semodule: SELinux policy is not managed or store cannot be accessed
|
|
|
|
b_koepke n00b
Joined: 02 Jun 2006 Posts: 53
|
Posted: Wed Nov 01, 2006 12:45 am Post subject: |
|
|
Make sure the file '/etc/selinux/semanage.conf' is set to direct and not to source. (module-store = direct)
Also, you need to use the standard ebuilds. |
|
|
|
Lawless l33t
Joined: 03 Nov 2003 Posts: 638 Location: Germany
|
Posted: Wed Nov 01, 2006 6:17 am Post subject: |
|
|
Code: |
module-store = direct
|
Standard ebuild... I used the selinux-base-policy ebuild as mentioned above - that thing with copying the source was done after nothing else worked.
The handbook says to be able to use semodule you have to be in sysadm_r role. I did that as root on console (direct login, no su) and I tried it with 'newrole' and according to the ps output I was in sysadm role.
Still the same message... |
|
|
|
b_koepke n00b
Joined: 02 Jun 2006 Posts: 53
|
Posted: Wed Nov 01, 2006 10:23 pm Post subject: |
|
|
hmm... this sounds like a pretty complicated error.
I had one similar; however, I cannot remember what I did to fix it.
It may have to do with the fact that you are currently using sources to load your policies. (you ran 'make load' in the /etc/selinux/policy/src directory, so now the semodule tool sees that you have already loaded the policy from different sources)
Your sestatus output displays that the config is from refpolicy. I don't know how to reset this. (maybe it is in the options in /etc/selinux/policy/src?, you could try running 'make clean' or something similar to unload the selinux policy)
I don't know what to suggest other than to remove the selinux use flag, emerge -uDN world, reboot and add the selinux use flag again, and run emerge -uDN world. (Hoping that you did some small thing wrong during the previous installation).
Then instead of running make load, just try semodule -B, this problem may also be because your files have not been labeled yet. rlpkg -a. (I will try to figure something better out later if this doesn't work) |
|
|
|
Lawless l33t
Joined: 03 Nov 2003 Posts: 638 Location: Germany
|
Posted: Thu Nov 02, 2006 6:22 am Post subject: |
|
|
This semodule error comes also when I have no policy loaded (sestatus: disabled)...
I set up a UML where I currently try it again with a plain system. I'll tell you what happens. |
|
|
|
flipper203 n00b
Joined: 07 Aug 2005 Posts: 32 Location: Paris
|
|
|
|
Lawless l33t
Joined: 03 Nov 2003 Posts: 638 Location: Germany
|
Posted: Sat Nov 04, 2006 7:09 pm Post subject: |
|
|
Got it working in the UML
I had to:
Code: |
# cd /usr/share/selinux/strict/
# semodule -b base.pp
# semodule -R
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 20
Policy from config file: strict
|
|
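A check for the conditions this thread walks through (the module-store setting, the empty policy directory, base.pp under /usr/share/selinux), written as an added example that is not part of any post. The function names are hypothetical, the `SELINUXTYPE` key and the `policy.<version>` file name are assumptions not shown in the thread, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Paths come from the posts; the
# SELINUXTYPE key and the policy.<version> file name are assumptions.

# Print the value of "key = value" from a config file (last match wins).
conf_value() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" \
        "$1" 2>/dev/null | tail -n 1
}

# Print one verdict for the tree under $1 ("" means the live system).
diagnose_policy_store() {
    root=$1
    ptype=$(conf_value "$root/etc/selinux/config" SELINUXTYPE)
    store=$(conf_value "$root/etc/selinux/semanage.conf" module-store)
    if [ -z "$ptype" ]; then
        echo "no-selinuxtype"
    elif [ "$store" != "direct" ]; then
        echo "module-store-not-direct"
    elif ls "$root/etc/selinux/$ptype/policy"/policy.* >/dev/null 2>&1; then
        echo "policy-present:$ptype"          # load_policy has a file to load
    elif [ -f "$root/usr/share/selinux/$ptype/base.pp" ]; then
        echo "install-base:$ptype"            # semodule -b base.pp; semodule -R
    else
        echo "no-base-package:$ptype"
    fi
}

# Constructed sample tree mirroring the state described in the thread:
# only a .keep file in the policy directory, base.pp under /usr/share.
make_sample_tree() {  # $1 = empty directory to populate
    mkdir -p "$1/etc/selinux/strict/policy" "$1/usr/share/selinux/strict"
    printf 'SELINUX=permissive\nSELINUXTYPE=strict\n' > "$1/etc/selinux/config"
    printf 'module-store = direct\n' > "$1/etc/selinux/semanage.conf"
    : > "$1/etc/selinux/strict/policy/.keep_sec-policy_selinux-base-policy-0"
    : > "$1/usr/share/selinux/strict/base.pp"
}

if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp -d) && make_sample_tree "$t" && diagnose_policy_store "$t"
    rm -rf "$t"
fi
```

Run with `--demo` to see the verdict for the sample tree; calling `diagnose_policy_store ""` inspects the live system instead.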