Selinux Update Failed
Hi:

On my system with the last update I receive a warning message of:

* SELinux module load failed. Trying full reload...
* Failed to reload SELinux policies.
*
* If this is *not* the last SELinux module package being installed,
* then you can safely ignore this as the reloads will be retried
* with other, recent modules.
*
* If it is the last SELinux module package being installed however,
* then it is advised to look at the error above and take appropriate
* action since the new SELinux policies are not loaded until the
* command finished succesfully.
*
* To reload, run the following command from within
/usr/share/selinux/targeted:
* semodule -b base.pp -i $(ls *.pp | grep -v base.pp)
* or
* semodule -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v
unconfined.pp)
* depending on if you need the unconfined domain loaded as well or not.

When I tried to execute the command manually:

k53s cor # cd /usr/share/selinux/targeted/
k53s targeted # semodule -b base.pp -i $(ls *.pp | grep -v base.pp)
libsepol.permission_copy_callback: Module mysql depends on permission
epollwakeup in class capability2, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule: Failed!

Any ideas?

Regards:
Cor
Re: Selinux Update Failed
On Fri, Dec 14, 2012 at 09:34:49AM +0200, Cor Legemaat wrote:
> On my system with the last update I receive a warning message of:
>
> * SELinux module load failed. Trying full reload...
> * Failed to reload SELinux policies.
> *
> * If this is *not* the last SELinux module package being installed,
> * then you can safely ignore this as the reloads will be retried
> * with other, recent modules.
> *
> * If it is the last SELinux module package being installed however,
> * then it is advised to look at the error above and take appropriate
> * action since the new SELinux policies are not loaded until the
> * command finished succesfully.
> *
> * To reload, run the following command from within
> /usr/share/selinux/targeted:
> * semodule -b base.pp -i $(ls *.pp | grep -v base.pp)
> * or
> * semodule -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v
> unconfined.pp)
> * depending on if you need the unconfined domain loaded as well or not.
>
> When I tried to execute the cmd manual:
>
> k53s cor # cd /usr/share/selinux/targeted/
> k53s targeted # semodule -b base.pp -i $(ls *.pp | grep -v base.pp)
> libsepol.permission_copy_callback: Module mysql depends on permission
> epollwakeup in class capability2, not satisfied (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
> directory).
> semodule: Failed!

What kernel version are you running?

What does "ls /sys/fs/selinux/class/capability2/perms/" give back?

There was a small window where the block_suspend capability was called
epollwakeup, but that was resolved in July this year...

Also check if selinux-mysql is (still) installed on your system (or needed),
perhaps the mysql.pp file is outdated. The command "ls -ltr
/usr/share/selinux/strict/" should show that most/all modules are built
fairly close to each other.

Wkr,
Sven Vermeulen
Re: Selinux Update Failed
On 12/15/12 12:30, Sven Vermeulen wrote:
> On Fri, Dec 14, 2012 at 09:34:49AM +0200, Cor Legemaat wrote:
>> On my system with the last update I receive a warning message of:
>>
>> * SELinux module load failed. Trying full reload...
>> * Failed to reload SELinux policies.
>> *
>> * If this is *not* the last SELinux module package being installed,
>> * then you can safely ignore this as the reloads will be retried
>> * with other, recent modules.
>> *
>> * If it is the last SELinux module package being installed however,
>> * then it is advised to look at the error above and take appropriate
>> * action since the new SELinux policies are not loaded until the
>> * command finished succesfully.
>> *
>> * To reload, run the following command from within
>> /usr/share/selinux/targeted:
>> * semodule -b base.pp -i $(ls *.pp | grep -v base.pp)
>> * or
>> * semodule -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v
>> unconfined.pp)
>> * depending on if you need the unconfined domain loaded as well or not.
>>
>> When I tried to execute the cmd manual:
>>
>> k53s cor # cd /usr/share/selinux/targeted/
>> k53s targeted # semodule -b base.pp -i $(ls *.pp | grep -v base.pp)
>> libsepol.permission_copy_callback: Module mysql depends on permission
>> epollwakeup in class capability2, not satisfied (No such file or directory).
>> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
>> directory).
>> semodule: Failed!
> What kernel version are you running?
>
> What does "ls /sys/fs/selinux/class/capability2/perms/" give back?
>
> There was a small window where the block_suspend capability was called
> epollwakeup, but that was resolved in July this year...
>
> Also check if selinux-mysql is (still) installed on your system (or needed),
> perhaps the mysql.pp file is outdated. The command "ls -ltr
> /usr/share/selinux/strict/" should show that most/all modules are built
> fairly close to each other.
>
> Wkr,
> Sven Vermeulen
>
>
Hi:

kernel = linux-3.5.4-hardened-r1

k53s cor # ls /sys/fs/selinux/class/capability2/perms/
epollwakeup mac_admin mac_override syslog wake_alarm

k53s cor # ls -ltr /usr/share/selinux/targeted/
shows the time difference within 21 seconds, but mysql.pp is not there.

mysql.pp is in "/etc/selinux/targeted/modules/active/modules/", don't
know why an uninstall didn't remove it, can I just delete the file?

Neither mysql nor selinux-mysql is installed.

Regards:
Cor
Re: Selinux Update Failed
On Mon, Dec 17, 2012 at 10:06:19PM +0200, Cor Legemaat wrote:
> kernel = linux-3.5.4-hardened-r1
>
> k53s cor # ls /sys/fs/selinux/class/capability2/perms/
> epollwakeup mac_admin mac_override syslog wake_alarm
>
> k53s cor # ls -ltr /usr/share/selinux/targeted/
> show the time difference within 21 seconds but mysql.pp is not there.
>
> mysql.pp is in "/etc/selinux/targeted/modules/active/modules/", don't
> know why an uninstall didn't remove it, can I just delete the file?
>
> mysql nor selinux-mysql is installed.

Ah, you will need to remove the module from the policy store yourself:

~# semodule -s targeted -r mysql

If you just run "semodule -r mysql" you remove it from the active store,
but not from all stores that you have on your system (the ones in
POLICY_TYPES).

Wkr,
Sven Vermeulen
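
The stale-module check discussed above, generalised to every module in a store. This is an added example, not part of the thread or of Gentoo's tooling: it compares the policy store directory with the packaged module directory (both paths as given in the thread) and prints the `semodule -s <type> -r <module>` command for each leftover. The function names and the constructed demo directories are assumptions.

```shell
#!/bin/sh
# Added example: find modules that are still in a policy store although no
# installed package ships them any more (like mysql.pp in this thread).

# orphaned_modules STORE_DIR PKG_DIR
#   STORE_DIR e.g. /etc/selinux/targeted/modules/active/modules
#   PKG_DIR   e.g. /usr/share/selinux/targeted
# Prints one module name per line.
orphaned_modules() {
    store_dir=$1
    pkg_dir=$2
    for pp in "$store_dir"/*.pp; do
        [ -e "$pp" ] || continue            # empty store: glob did not match
        name=$(basename "$pp" .pp)
        [ "$name" = base ] && continue      # never propose removing base
        [ -e "$pkg_dir/$name.pp" ] || printf '%s\n' "$name"
    done
}

# suggest_removals POLICY_TYPE STORE_DIR PKG_DIR
# Prints the removal commands instead of running them: locally built
# modules also have no packaged .pp and must be reviewed by hand.
suggest_removals() {
    policy_type=$1
    orphaned_modules "$2" "$3" | while IFS= read -r mod; do
        printf 'semodule -s %s -r %s\n' "$policy_type" "$mod"
    done
}

# Demo on constructed directories (not real policy files).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/store" "$d/pkg"
    touch "$d/store/apache.pp" "$d/store/mysql.pp"   # store still has mysql
    touch "$d/pkg/base.pp" "$d/pkg/apache.pp"        # package dir does not
    suggest_removals targeted "$d/store" "$d/pkg"
    rm -rf "$d"
}

demo
```

On a real system, call `suggest_removals` once per policy type listed in POLICY_TYPES, with that type's store and package directories.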
Re: Selinux Update Failed - Solved
Hi:

Solved, thanks Sven.

Regards:
Cor

On 12/18/12 21:14, Sven Vermeulen wrote:
> On Mon, Dec 17, 2012 at 10:06:19PM +0200, Cor Legemaat wrote:
>> kernel = linux-3.5.4-hardened-r1
>>
>> k53s cor # ls /sys/fs/selinux/class/capability2/perms/
>> epollwakeup mac_admin mac_override syslog wake_alarm
>>
>> k53s cor # ls -ltr /usr/share/selinux/targeted/
>> show the time difference within 21 seconds but mysql.pp is not there.
>>
>> mysql.pp is in "/etc/selinux/targeted/modules/active/modules/", don't
>> know why an uninstall didn't remove it, can I just delete the file?
>>
>> mysql nor selinux-mysql is installed.
> Ah, you will need to remove the module from the policy store yourself:
>
> ~# semodule -s targeted -r mysql
>
> If you just run "semodule -r mysql" you remove it from the active store,
> but not from all stores that you have on your system (the ones in
> POLICY_TYPES).
>
> Wkr,
> Sven Vermeulen
>
>