Gentoo Forums
SELinux is disabled -- am I missing something obvious?
mbar
Veteran


Joined: 19 Jan 2005
Posts: 1990
Location: Poland

PostPosted: Sun Apr 03, 2011 7:14 am    Post subject: SELinux is disabled -- am I missing something obvious?

Hi all!
Yesterday I finished installing new, clean Gentoo with SELinux, using SELinux Handbook. I started with regular amd64 stage3 and afterwards I "switched" it to SELinux, just as it is described in Gentoo docs. Right now I'm after emerge -e world and have not progressed to xorg install. All of that I did under KVM, but it should not matter, right?
But still SELinux is not enabled.
Is there any on/off switch I'm not aware of?

Code:
gen2-selinux ~ # emerge --info
Portage 2.1.9.45 (selinux/v2refpolicy/amd64/hardened, gcc-4.5.2, glibc-2.13-r2, 2.6.38-hardened x86_64)
=================================================================
System uname: Linux-2.6.38-hardened-x86_64-QEMU_Virtual_CPU_version_0.13.0-with-gentoo-2.0.2
Timestamp of tree: Sun, 03 Apr 2011 04:00:01 +0000
app-shells/bash:     4.2_p8
dev-lang/python:     2.7.1-r1, 3.1.3-r1
dev-util/cmake:      2.8.4
sys-apps/baselayout: 2.0.2
sys-apps/openrc:     0.8.0
sys-apps/sandbox:    2.5
sys-devel/autoconf:  2.13, 2.68
sys-devel/automake:  1.10.3, 1.11.1
sys-devel/binutils:  2.21
sys-devel/gcc:       4.5.2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.4-r1
sys-devel/make:      3.82
virtual/os-headers:  2.6.38 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* @EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=core2"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=core2"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="pl_PL.utf8"
LC_ALL="pl_PL.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="pl en"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/hardened-development /var/lib/layman/lcd-filtering"
SYNC="rsync://10.0.0.1/gentoo-portage"
USE="X X509 acl acpi alsa amd64 aspell bazaar bzip2 cairo caps cli consolekit cracklib crypt cups cxx dbus dri expat fam fontforge gif git glade gles gmp gnutls gpm graphite gtk hardened iconv icu ipc ithreads jpeg jpeg2k justify lcdfilter libedit libnotify libproxy libssh2 lzo mem-scramble mercurial mktemp modules motif mudflap natspec ncurses nls open_perms opengl openmp optimization pam pam_ssh pango passwdqc pcre perl pic png policykit postproc pppd python readline secure-delete selinux session slang spell sqlite sqlite3 ssl startup-notification subversion svg symlink system-sqlite tcpd threads tiff tk truetype unicode unlock-notify webkit wifi xattr xcb xft xorg xulrunner zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="pl en" PHP_TARGETS="php5-3" 
RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS


Code:
gen2-selinux ~ # uname -r
2.6.38-hardened


Code:
gen2-selinux ~ # ls -la /selinux/
total 2
drwxr-xr-x   7 root root    0 2011-04-03  .
drwxr-xr-x  20 root root 2048 04-03 08:11 ..
-rw-rw-rw-   1 root root    0 2011-04-03  access
dr-xr-xr-x   2 root root    0 2011-04-03  avc
dr-xr-xr-x   2 root root    0 2011-04-03  booleans
-rw-r--r--   1 root root    0 2011-04-03  checkreqprot
dr-xr-xr-x   2 root root    0 2011-04-03  class
--w-------   1 root root    0 2011-04-03  commit_pending_bools
-rw-rw-rw-   1 root root    0 2011-04-03  context
-rw-rw-rw-   1 root root    0 2011-04-03  create
-r--r--r--   1 root root    0 2011-04-03  deny_unknown
--w-------   1 root root    0 2011-04-03  disable
-rw-r--r--   1 root root    0 2011-04-03  enforce
dr-xr-xr-x   2 root root    0 2011-04-03  initial_contexts
-rw-------   1 root root    0 2011-04-03  load
-rw-rw-rw-   1 root root    0 2011-04-03  member
-r--r--r--   1 root root    0 2011-04-03  mls
crw-rw-rw-.  1 root root 1, 3 2011-04-03  null
-r--------   1 root root    0 2011-04-03  policy
dr-xr-xr-x   2 root root    0 2011-04-03  policy_capabilities
-r--r--r--   1 root root    0 2011-04-03  policyvers
-r--r--r--   1 root root    0 2011-04-03  reject_unknown
-rw-rw-rw-   1 root root    0 2011-04-03  relabel
-r--r--r--   1 root root    0 2011-04-03  status
-rw-rw-rw-   1 root root    0 2011-04-03  user


This was the stopper for me:
Code:
gen2-selinux ~ # setsebool -P global_ssp on
setsebool:  SELinux is disabled.


Code:
gen2-selinux ~ # sestatus
SELinux status:                 disabled


Code:
gen2-selinux ~ # eselect profile list
Available profile symlink targets:
  [1]   default/linux/amd64/10.0
  [2]   default/linux/amd64/10.0/desktop
  [3]   default/linux/amd64/10.0/desktop/gnome
  [4]   default/linux/amd64/10.0/desktop/kde
  [5]   default/linux/amd64/10.0/developer
  [6]   default/linux/amd64/10.0/no-multilib
  [7]   default/linux/amd64/10.0/server
  [8]   hardened/linux/amd64
  [9]   hardened/linux/amd64/no-multilib
  [10]  selinux/2007.0/amd64
  [11]  selinux/2007.0/amd64/hardened
  [12]  selinux/v2refpolicy/amd64
  [13]  selinux/v2refpolicy/amd64/desktop
  [14]  selinux/v2refpolicy/amd64/developer
  [15]  selinux/v2refpolicy/amd64/hardened *
  [16]  selinux/v2refpolicy/amd64/server


Code:
gen2-selinux ~ # cat /boot/grub/grub.conf
# This is a sample grub.conf for use with Genkernel, per the Gentoo handbook
# http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=10#doc_chap2
# If you are not using Genkernel and you need help creating this file, you
# should consult the handbook. Alternatively, consult the grub.conf.sample that
# is included with the Grub documentation.

default 0
timeout 10
splashimage=(hd0,0)/boot/grub/splash.xpm.gz

title=Gentoo Linux 2.6.38-hardened
root (hd0,0)
kernel /boot/kernel-2.6.38-hardened root=/dev/sda1 rootfstype=ext4 quiet


Code:
gen2-selinux ~ # seinfo

Statistics for policy file: /etc/selinux/strict/policy/policy.24
Policy Version & Type: v.24 (binary, non-mls)

   Classes:            77    Permissions:       229
   Sensitivities:       0    Categories:          0
   Types:            1101    Attributes:        179
   Users:               6    Roles:               6
   Booleans:           43    Cond. Expr.:        38
   Allow:           24433    Neverallow:          0
   Auditallow:          1    Dontaudit:        3570
   Type_trans:        796    Type_change:         6
   Type_member:         6    Role allow:          7
   Role_trans:          0    Range_trans:         0
   Constraints:        91    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             22
   Genfscon:           81    Portcon:           331
   Netifcon:            0    Nodecon:             0
   Permissives:         0    Polcap:              2


Code:
gen2-selinux ~ # cat /etc/selinux/config
# This file controls the state of SELinux on the system on boot.

# SELINUX can take one of these three values:
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - No SELinux policy is loaded.
SELINUX=permissive

# SELINUXTYPE can take one of these two values:
#   targeted - Only targeted network daemons are protected.
#   strict - Full SELinux protection.
SELINUXTYPE=strict
Wormo
Retired Dev


Joined: 29 Nov 2004
Posts: 526
Location: SB County California

PostPosted: Sun Apr 03, 2011 9:50 pm    Post subject: Re: SELinux is disabled -- am I missing something obvious?

mbar wrote:
Hi all!
Yesterday I finished installing new, clean Gentoo with SELinux, using SELinux Handbook. I started with regular amd64 stage3 and afterwards I "switched" it to SELinux, just as it is described in Gentoo docs. Right now I'm after emerge -e world and have not progressed to xorg install. All of that I did under KVM, but it should not matter, right?
But still SELinux is not enabled.
Is there any on/off switch I'm not aware of?


Probably your kernel config is a little different than in the guide. Check for SECURITY_SELINUX_BOOTPARAM in your .config; if it is enabled, try adding 'selinux=1' to your boot parameters.
Sven Vermeulen
Retired Dev


Joined: 29 Aug 2002
Posts: 1345
Location: Mechelen, Belgium

PostPosted: Mon Apr 04, 2011 7:10 pm

Can you give us your kernel configuration?

What does "sestatus -v" tell you?
_________________
Please add "[solved]" to the initial topic title when it is solved.
Sven Vermeulen
Retired Dev


Joined: 29 Aug 2002
Posts: 1345
Location: Mechelen, Belgium

PostPosted: Mon Apr 04, 2011 9:07 pm

Also, see the Unable To Load SELinux Policy chapter in the SELinux handbook (part of the troubleshooting appendix).
mbar
Veteran


Joined: 19 Jan 2005
Posts: 1990
Location: Poland

PostPosted: Tue Apr 05, 2011 10:24 am    Post subject: Re: SELinux is disabled -- am I missing something obvious?

Wormo wrote:
Probably your kernel config is a little different than in the guide. Check for SECURITY_SELINUX_BOOTPARAM in your .config; if it is enabled, try adding 'selinux=1' to your boot parameters.


Added selinux=1, but it didn't help.

During booting, just before OpenRC init starts, I can see the following message (I can't remember it word for word): "SELinux: Could not load policy file /etc/selinux/strict/policy/policy.24 no space left on device."

Code:
#
# Security options
#

#
# Grsecurity
#
# CONFIG_GRKERNSEC is not set

#
# PaX
#
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_TASK_SIZE_MAX_SHIFT=42
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y
# CONFIG_PAX_MEMORY_UDEREF is not set
# CONFIG_KEYS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
# CONFIG_SECURITYFS is not set
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_PATH is not set
# CONFIG_INTEL_TXT is not set
CONFIG_LSM_MMAP_MIN_ADDR=32768
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
# CONFIG_SECURITY_SELINUX_AVC_STATS is not set
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_IMA is not set
CONFIG_DEFAULT_SECURITY_SELINUX=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="selinux"
CONFIG_ASYNC_TX_DISABLE_PQ_VAL_DMA=y
CONFIG_ASYNC_TX_DISABLE_XOR_VAL_DMA=y
CONFIG_CRYPTO=y

#


Is the above enough?
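Wormo's advice above (look for SECURITY_SELINUX_BOOTPARAM, then try selinux=1) and the .config just posted can be checked mechanically. The script below is an added example, not code from the thread or from Gentoo: it reads a kernel .config and reports what it implies for SELinux at boot. The verdict keywords and their wording are my own, and the sample config is constructed from the option lines posted above. For that config the answer is that selinux=1 is ignored (SECURITY_SELINUX_BOOTPARAM is not set) and SELinux cannot be switched off at runtime either (SECURITY_SELINUX_DISABLE is not set), so a kernel that prints "SELinux: Initializing." in dmesg is running SELinux regardless of what sestatus says.

```shell
#!/bin/sh
# Added example (not from the thread): read a kernel .config and say what it
# implies for SELinux at boot, so "selinux=1" is only suggested when the kernel
# actually honours it. Verdict wording is the editor's own.

# kopt FILE SYMBOL: print the symbol's value (y, m, 1, "selinux", ...) or "n"
# when it is absent or listed as "# SYMBOL is not set".
kopt() {
    _v=$(sed -n "s/^$2=//p" "$1" | head -n 1)
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf 'n\n'; fi
}

# selinux_kconfig_verdict FILE: one line of the form "<keyword>: <explanation>".
selinux_kconfig_verdict() {
    f=$1
    if [ "$(kopt "$f" CONFIG_SECURITY_SELINUX)" != y ]; then
        echo "absent: CONFIG_SECURITY_SELINUX is not built in; no boot parameter can help"
        return 0
    fi
    # In 2.6.x only the default LSM is enabled unless security=<name> is passed.
    if [ "$(kopt "$f" CONFIG_DEFAULT_SECURITY)" != '"selinux"' ]; then
        echo "not-default: another LSM is the default; boot with security=selinux"
        return 0
    fi
    if [ "$(kopt "$f" CONFIG_SECURITY_SELINUX_BOOTPARAM)" = y ]; then
        v=$(kopt "$f" CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE)
        if [ "$v" = n ]; then v=1; fi   # kernel default when VALUE is unset
        echo "bootparam: selinux=0/1 is honoured, default selinux=$v"
        return 0
    fi
    if [ "$(kopt "$f" CONFIG_SECURITY_SELINUX_DISABLE)" = y ]; then
        echo "always-on: selinux=1 is ignored; only a write to the disable node can turn it off"
    else
        echo "always-on: selinux=1 is ignored and nothing can disable SELinux at runtime; a 'disabled' from sestatus means selinuxfs is not mounted or no policy is loaded"
    fi
}

# Constructed sample: the relevant lines from the .config posted in this thread.
sample_config() {
    cat <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_DEFAULT_SECURITY="selinux"
EOF
}

# With a file argument, check that config (e.g. /usr/src/linux/.config);
# without one, check the constructed sample.
if [ $# -gt 0 ]; then
    selinux_kconfig_verdict "$1"
else
    tmp=$(mktemp)
    sample_config > "$tmp"
    selinux_kconfig_verdict "$tmp"   # prints the "always-on: ..." verdict
    rm -f "$tmp"
fi
```

Run it against /usr/src/linux/.config on the machine in question, or write `zcat /proc/config.gz` to a file first if the running kernel exports its configuration that way.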
Sven Vermeulen
Retired Dev


Joined: 29 Aug 2002
Posts: 1345
Location: Mechelen, Belgium

PostPosted: Tue Apr 05, 2011 3:17 pm

The "no space left on device" is an important one. How is your diskspace currently?
mbar
Veteran


Joined: 19 Jan 2005
Posts: 1990
Location: Poland

PostPosted: Wed Apr 06, 2011 4:08 am

Plenty :)
Code:
gen2-selinux ~ # df -h
Filesystem            Size  Used Avail Use% Mounted on
rootfs                 12G  2,5G  9,0G  22% /
/dev/root              12G  2,5G  9,0G  22% /
rc-svcdir             1,0M   60K  964K   6% /lib64/rc/init.d
udev                   10M  148K  9,9M   2% /dev
shm                  1004M     0 1004M   0% /dev/shm
tmpfs                1004M     0 1004M   0% /tmp


Code:
gen2-selinux ~ # tune2fs -l /dev/sda1
tune2fs 1.41.14 (22-Dec-2010)
Filesystem volume name:   <none>
Last mounted on:          /
Filesystem UUID:          0836082b-34bd-4eeb-bf11-ce0327c22c3a
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      ext_attr resize_inode dir_index filetype extent flex_bg sparse_super huge_file uninit_bg dir_nlink extra_isize
Filesystem flags:         signed_directory_hash
Default mount options:    (none)
Filesystem state:         not clean
Errors behavior:          Continue
Filesystem OS type:       Linux
Inode count:              1200000
Block count:              6143478
Reserved block count:     0
Free blocks:              4716603
Free inodes:              927783
First block:              0
Block size:               2048
Fragment size:            2048
Reserved GDT blocks:      512
Blocks per group:         16384
Fragments per group:      16384
Inodes per group:         3200
Inode blocks per group:   400
Flex block group size:    16
Filesystem created:       Fri Apr  1 11:30:46 2011
Last mount time:          Wed Apr  6 06:05:50 2011
Last write time:          Wed Apr  6 06:06:03 2011
Mount count:              14
Maximum mount count:      39
Last checked:             Sun Apr  3 07:26:11 2011
Check interval:           15552000 (6 months)
Next check after:         Fri Sep 30 07:26:11 2011
Lifetime writes:          34 GB
Reserved blocks uid:      0 (user root)
Reserved blocks gid:      0 (group root)
First inode:              11
Inode size:             256
Required extra isize:     28
Desired extra isize:      28
Default directory hash:   half_md4
Directory Hash Seed:      78cf59f3-ae60-4582-bc32-cef79afc96fc


Code:
gen2-selinux ~ # cat /etc/fstab
# /etc/fstab: static file system information.
#
# noatime turns off atimes for increased performance (atimes normally aren't
# needed; notail increases performance of ReiserFS (at the expense of storage
# efficiency).  It's safe to drop the noatime options if you want and to
# switch between notail / tail freely.
#
# The root filesystem should have a pass number of either 0 or 1.
# All other filesystems should have a pass number of 0 or greater than 1.
#
# See the manpage fstab(5) for more information.
#

# <fs>         <mountpoint>   <type>      <opts>      <dump/pass>

# NOTE: If your BOOT partition is ReiserFS, add the notail option to opts.
#/dev/BOOT      /boot      ext2      noauto,noatime   1 2
/dev/sda1      /      ext4      noatime      0 1
#/dev/SWAP      none      swap      sw      0 0
#/dev/cdrom      /mnt/cdrom   auto      noauto,ro   0 0
#/dev/fd0      /mnt/floppy   auto      noauto      0 0

# glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for
# POSIX shared memory (shm_open, shm_unlink).
# (tmpfs is a dynamically expandable/shrinkable ramdisk, and will
#  use almost no memory if not populated with files)
shm         /dev/shm   tmpfs      nodev,nosuid,noexec   0 0

none         /selinux   selinuxfs   defaults   0 0
tmpfs         /tmp      tmpfs      defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t   0 0


Is this a problem with read-only filesystem during boot? There are no other warnings about that.
Sven Vermeulen
Retired Dev


Joined: 29 Aug 2002
Posts: 1345
Location: Mechelen, Belgium

PostPosted: Wed Apr 06, 2011 2:17 pm

Can you try rebuilding selinux-base-policy:
Code:

~# emerge -1 selinux-base-policy


When building the policy, it also tries to (re)load it. Check if you get any errors there.

If this doesn't help, run
Code:

~# semodule -n -B


Does it give any errors?
mbar
Veteran


Joined: 19 Jan 2005
Posts: 1990
Location: Poland

PostPosted: Thu Apr 07, 2011 6:39 am

Unfortunately that didn't help (but there's a message: /usr/sbin/setfiles set context /var/tmp/portage/sec-policy/selinux-base-policy-2.20101213-r11/image/->kernel failed:'Operation not supported'), semodule is quiet:
Code:
cat policy/modules/system/metadata.xml > tmp/system.xml
for i in policy/modules/system/application policy/modules/system/authlogin policy/modules/system/clock policy/modules/system/daemontools policy/modules/system/fstools policy/modules/system/getty policy/modules/system/hostname policy/modules/system/hotplug policy/modules/system/init policy/modules/system/ipsec policy/modules/system/iptables policy/modules/system/iscsi policy/modules/system/libraries policy/modules/system/locallogin policy/modules/system/logging policy/modules/system/lvm policy/modules/system/miscfiles policy/modules/system/modutils policy/modules/system/mount policy/modules/system/netlabel policy/modules/system/pcmcia policy/modules/system/raid policy/modules/system/selinuxutil policy/modules/system/setrans policy/modules/system/sysnetwork policy/modules/system/udev policy/modules/system/unconfined policy/modules/system/userdomain policy/modules/system/xen; do python -E support/segenxml.py -w -m $i >> tmp/system.xml; done
Creating policy.xml
echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > doc/policy.xml
echo '<!DOCTYPE policy SYSTEM "policy.dtd">' >> doc/policy.xml
echo '<policy>' >> doc/policy.xml
for i in admin apps kernel roles services system; do echo "<layer name=\"$i\">" >> doc/policy.xml; cat tmp/$i.xml >> doc/policy.xml; echo "</layer>" >> doc/policy.xml; done
cat doc/global_tunables.xml doc/global_booleans.xml >> doc/policy.xml
echo '</policy>' >> doc/policy.xml
if test -x /usr/bin/xmllint && test -f doc/policy.dtd; then \
        /usr/bin/xmllint --noout --path doc/ --dtdvalid doc/policy.dtd doc/policy.xml ;\
fi
Updating policy/modules.conf and policy/booleans.conf
python -E support/sedoctool.py -b policy/booleans.conf -m policy/modules.conf -x doc/policy.xml
>>> Source unpacked in /var/tmp/portage/sec-policy/selinux-base-policy-2.20101213-r11/work
>>> Compiling source in /var/tmp/portage/sec-policy/selinux-base-policy-2.20101213-r11/work ...
Creating strict base module base.conf
Compiling strict base module
/usr/bin/checkmodule:  loading policy configuration from base.conf
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/base.mod
Creating strict base module file contexts.
Creating strict base module package
Creating targeted base module base.conf
Compiling targeted base module
/usr/bin/checkmodule:  loading policy configuration from base.conf
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/base.mod
Creating targeted base module file contexts.
Creating targeted base module package
>>> Source compiled.
>>> Test phase [not enabled]: sec-policy/selinux-base-policy-2.20101213-r11

>>> Install selinux-base-policy-2.20101213-r11 into /var/tmp/portage/sec-policy/selinux-base-policy-2.20101213-r11/image/ category sec-policy
Installing strict base.pp policy package.
Installing strict policy headers.
Installing targeted base.pp policy package.
Installing targeted policy headers.
>>> Completed installing selinux-base-policy-2.20101213-r11 into /var/tmp/portage/sec-policy/selinux-base-policy-2.20101213-r11/image/


>>> Installing (1 of 1) sec-policy/selinux-base-policy-2.20101213-r11
>>> Setting SELinux security labels
/usr/sbin/setfiles set context /var/tmp/portage/sec-policy/selinux-base-policy-2.20101213-r11/image/->kernel failed:'Operation not supported'
 * Inserting base module into strict module store.
 * Inserting base module into targeted module store.
>>> Auto-cleaning packages...

>>> No outdated packages were found on your system.

 * GNU info directory index is up-to-date.
gen2-selinux ~ # semodule -n -B



Code:
gen2-selinux ~ # sestatus
SELinux status:                 disabled
gen2-selinux ~ # dmesg | grep SE
SELinux:  Initializing.
SELinux:  Starting in permissive mode
SELinux:  Registering netfilter hooks
SELinux: 2048 avtab hash slots, 25762 rules.
SELinux: 2048 avtab hash slots, 25762 rules.
SELinux:  6 users, 6 roles, 1280 types, 43 bools
SELinux:  77 classes, 25762 rules
mbar
Veteran


Joined: 19 Jan 2005
Posts: 1990
Location: Poland

PostPosted: Thu Apr 07, 2011 7:50 am    Post subject: Re: SELinux is disabled -- am I missing something obvious?

mbar wrote:
SELinux: Could not load policy file /etc/selinux/strict/policy/policy.24 no space left on device


Still, I wonder which device has no space left; I doubt it's the / device.
Sven Vermeulen
Retired Dev


Joined: 29 Aug 2002
Posts: 1345
Location: Mechelen, Belgium

PostPosted: Fri Apr 08, 2011 7:33 pm

What does "sestatus -v" tell you?
mbar
Veteran


Joined: 19 Jan 2005
Posts: 1990
Location: Poland

PostPosted: Sat Apr 09, 2011 5:37 am

Not much:
Code:
gen2-selinux ~ # sestatus -v
SELinux status:                 disabled


I even did "emerge -e world" yesterday as a desperate measure ;) but as you can see from above, it didn't help. Dmesg still shows something:
Code:
gen2-selinux ~ # dmesg | grep SE
SELinux:  Initializing.
SELinux:  Starting in permissive mode
SELinux:  Registering netfilter hooks
SELinux: 2048 avtab hash slots, 26232 rules.
SELinux: 2048 avtab hash slots, 26232 rules.
SELinux:  6 users, 6 roles, 1285 types, 43 bools
SELinux:  77 classes, 26232 rules


And there's still "no space left on device" during boot (just before openrc starts), and I have no idea what device it could be.
Sven Vermeulen
Retired Dev


Joined: 29 Aug 2002
Posts: 1345
Location: Mechelen, Belgium

PostPosted: Sat Apr 09, 2011 9:17 am

Does the following command give the right result?

Code:

~# ldd /sbin/init | grep selinux
    libselinux.so.1 => /lib/libselinux.so.1 (0x0123456789abcdef)


Why does df give you both rootfs and /dev/root? Shouldn't the first one be absent, and the second one something more akin to /dev/vda1?

Try telling semodule to explicitly load the base policy:

Code:

~# cd /usr/share/selinux/strict
~# semodule -b base.pp


Check the output of dmesg even if no warning or error is given on the semodule command. Perhaps even add "-v" as option to semodule?
mbar
Veteran


Joined: 19 Jan 2005
Posts: 1990
Location: Poland

PostPosted: Sat Apr 09, 2011 12:29 pm

Everything seems to be in order:

Code:
gen2-selinux ~ # ldd /sbin/init | grep selinux
   libselinux.so.1 => /lib64/libselinux.so.1 (0x000003528c54b000)

gen2-selinux ~ # cd /usr/share/selinux/strict
gen2-selinux strict # semodule
semodule          semodule_deps     semodule_expand   semodule_link     semodule_package 
gen2-selinux strict # semodule -b
alsa.pp        avahi.pp       consolekit.pp  dbus.pp        gpm.pp         java.pp        mono.pp        mplayer.pp     policykit.pp   sudo.pp        wine.pp        xfs.pp         
apm.pp         base.pp        cups.pp        gpg.pp         include/       lpd.pp         mozilla.pp     mta.pp         screen.pp      uptime.pp      xfce4.pp       xserver.pp     
gen2-selinux strict # semodule -b base.pp
 
gen2-selinux strict # sestatus -v
SELinux status:                 disabled

gen2-selinux strict # dmesg | tail
VFS: Mounted root (ext4 filesystem) on device 8:1.
Freeing unused kernel memory: 820k freed
SELinux: 2048 avtab hash slots, 26232 rules.
SELinux: 2048 avtab hash slots, 26232 rules.
SELinux:  6 users, 6 roles, 1285 types, 43 bools
SELinux:  77 classes, 26232 rules
<30>udev[1159]: starting version 167
e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
8021q: adding VLAN 0 to HW filter on device eth0
Attempt to access syslog with CAP_SYS_ADMIN but no CAP_SYSLOG (deprecated).


df shows "dual root" on all my Gentoo installs, it always was that way.

Another try:

Code:
gen2-selinux strict # semodule -v -b base.pp
Attempting to install base module 'base.pp':
Ok: return value of 0.
Committing changes:
Ok: transaction number 0.

gen2-selinux strict # sestatus
SELinux status:                 disabled

gen2-selinux strict # dmesg | tail
VFS: Mounted root (ext4 filesystem) on device 8:1.
Freeing unused kernel memory: 820k freed
SELinux: 2048 avtab hash slots, 26232 rules.
SELinux: 2048 avtab hash slots, 26232 rules.
SELinux:  6 users, 6 roles, 1285 types, 43 bools
SELinux:  77 classes, 26232 rules
<30>udev[1159]: starting version 167
e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
8021q: adding VLAN 0 to HW filter on device eth0
Attempt to access syslog with CAP_SYS_ADMIN but no CAP_SYSLOG (deprecated).
Sven Vermeulen
Retired Dev


Joined: 29 Aug 2002
Posts: 1345
Location: Mechelen, Belgium

PostPosted: Sat Apr 09, 2011 1:17 pm

We might be getting somewhere (with the CAP_SYSLOG capability stuff).

Could you try using gentoo-hardened-2.6.36-r9 instead of the .38 one?

I'm wondering if SELinux is enabled, but the tools cannot work with the .38 kernels and the new capabilities, and as such think it isn't.
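Two facts narrow Sven's hypothesis down, and the script below, an added example that is not code from the thread, from Gentoo or from libselinux (the function names and the sample mount table are the editor's own), turns them into a check. First, the "SELinux: Could not load policy file ...: no space left on device" line seen at boot is printed by libselinux when its write of the policy image to the load node of selinuxfs fails; the errno is whatever the kernel's policy loader returned, so the "device" with no space is selinuxfs, not the root filesystem, which is why df and tune2fs look fine. Second, is_selinux_enabled() in libselinux of this era, which sestatus, setsebool and setfiles all rely on, reports "disabled" not only when no selinuxfs is mounted but also when the calling process's own context is still the initial SID "kernel", which is what every process keeps when no policy ever loaded. The "->kernel" in the setfiles error during the selinux-base-policy rebuild is consistent with that: with no policy loaded the kernel canonicalises every context it is handed to "kernel". So the dmesg lines (SELinux initialised, the kernel got far enough to print avtab statistics) and sestatus ("disabled") do not contradict each other: SELinux is on in the kernel, the policy load failed, and userspace reports that combination as disabled.

```shell
#!/bin/sh
# Added example (not from the thread): tell "SELinux off" apart from "SELinux on
# but no policy loaded". libselinux reports both as disabled, because
# is_selinux_enabled() returns 0 when no selinuxfs is mounted OR when the
# caller's own context is still the initial SID "kernel".

# selinux_state MOUNTS CONTEXT: MOUNTS is the text of /proc/mounts, CONTEXT the
# text of /proc/self/attr/current. Prints one of: off | no-policy | on.
selinux_state() {
    _mounts=$1
    _ctx=$2
    # Find the selinuxfs mount point, if any (third field is the fs type).
    _mnt=$(printf '%s\n' "$_mounts" | while read -r _dev _mp _fs _rest; do
               if [ "$_fs" = selinuxfs ]; then printf '%s\n' "$_mp"; break; fi
           done)
    if [ -z "$_mnt" ]; then
        echo off            # kernel has no SELinux, or selinuxfs is not mounted
    elif [ "$_ctx" = kernel ]; then
        echo no-policy      # SELinux initialised, policy load failed
    else
        echo on             # a real context is in effect, so a policy is loaded
    fi
}

# selinux_live_state: the same classification against the running system.
selinux_live_state() {
    _m=$(cat /proc/mounts 2>/dev/null)
    _c=$(tr -d '\0' < /proc/self/attr/current 2>/dev/null)
    selinux_state "$_m" "$_c"
}

# Constructed sample reproducing the situation in this thread: selinuxfs is
# mounted on /selinux (see the fstab above) but the policy failed to load, so
# the shell still runs as "kernel".
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/root / ext4 rw,noatime 0 0
none /selinux selinuxfs rw,relatime 0 0'

selinux_state "$SAMPLE_MOUNTS" kernel                     # no-policy
selinux_state "$SAMPLE_MOUNTS" system_u:system_r:init_t   # on
```

selinux_live_state runs the classification on the current machine; no-policy is the state this thread describes. To see which syscall actually returns ENOSPC, run `strace -f -e trace=open,write /usr/sbin/load_policy` and look for the write() to the load node under the selinuxfs mount point: that is the call whose errno becomes the "no space left on device" message.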
mbar
Veteran


Joined: 19 Jan 2005
Posts: 1990
Location: Poland

PostPosted: Mon Apr 11, 2011 7:55 am

Almost bingo!!!

Code:
gen2-selinux ~ # uname -r
2.6.36-hardened-r9

gen2-selinux ~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        strict


Thank you very much for your effort :)

So what's next now? Should I file a bug somewhere? Should I wait for new userspace selinux tools?

Now (on .36-hardened-r9) I don't get the "no space left on device" during boot, so SELinux starts. Could this be a bug in the .38 hardened series?

EDIT: 2.6.37-hardened-r7 also works OK :)
Sven Vermeulen
Retired Dev


Joined: 29 Aug 2002
Posts: 1345
Location: Mechelen, Belgium

PostPosted: Mon Apr 11, 2011 5:01 pm

If you could file a bug on https://bugs.gentoo.org that would be great. It'll allow the developers to at least be notified that .38 has issues for SELinux (and which ones) so that it can be investigated before .38 would become stable.
mbar
Veteran


Joined: 19 Jan 2005
Posts: 1990
Location: Poland

PostPosted: Mon Apr 11, 2011 8:25 pm

Done: https://bugs.gentoo.org/show_bug.cgi?id=363171
Thanks again.
marios
n00b


Joined: 02 Apr 2011
Posts: 10

PostPosted: Mon Apr 25, 2011 9:58 am

I have the same problem: SELinux is disabled, with the message "no space left on device" at boot.
hardened-sources-2.6.36-r9 works, but hardened-sources-2.6.38-r1 doesn't.
Hi SWIFT! I'm marios.