Mailing List Archive

building gentoo hardened - selinux
Hi,

I have just walked through the Gentoo SELinux handbook to build a new
system. Whenever I come to the point of loading the security policy, it
attempts to build a policy of version 18. It reports the following:

make load
* Creating policy.conf
* Policy version: 18
* Kernel version: 16
* WARNING: Policy version mismatch. Is your POLICYCOMPAT set correctly?
* See http://hardened.gentoo.org/selinux/selinux-policy.xml#doc_chap6
* for more information.
* Compiling and installing policy.18
/usr/bin/checkpolicy: loading policy configuration from
/etc/security/selinux/src/policy.conf
security: 3 users, 5 roles, 367 types, 1 bools
security: 51 classes, 24552 rules
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 18) to
/etc/security/selinux/policy.18
* Building file_contexts
* Installing file_contexts
* Loading policy.18
/usr/sbin/load_policy: security_load_policy failed
make: *** [tmp/load] Error 3


... I then changed POLICYCOMPAT to be 16 and tried again:

make load
* Policy version: 16
* Kernel version: 16
* Compiling and installing policy.16
/usr/bin/checkpolicy: loading policy configuration from
/etc/security/selinux/src/policy.conf
security: 3 users, 5 roles, 367 types, 1 bools
security: 51 classes, 24552 rules
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 16) to
/etc/security/selinux/policy.16
* Loading policy.16
/usr/sbin/load_policy: security_load_policy failed
make: *** [tmp/load] Error 3


It still fails.

The system is currently booted to the LiveCD (as per instructions). The
kernel downloaded and built was 2.6.7-hardened-r8 (emerge
hardened-dev-sources).

Could anyone shed some light on what I am doing incorrectly?

Thanks,

Brian
RE: building gentoo hardened - selinux
Brian-

Look in /usr/src/linux/security/selinux/include/security.h to see what
policy versions your kernel is compatible with. My 2.6.7-r8 kernel lists 15
min and 17 max, so I was able to use POLICYCOMPAT = -c 17. AFAIK the policy
compiler is only backwards compatible 1 version level.

For some reason emerge chose to merge selinux-base-policy-20040906 on my
system too even though that package is flagged ~x86, and I found out after
the fact that it's not compatible with my kernel. I would like to see
hardened-dev-sources note in the changelog what policy versions it
supports, rather than having to dig through the headers after it's emerged.

Richard.
-----Original Message-----
From: Brian Fernald [mailto:bfernald@pobox.com]
Sent: Tuesday, September 14, 2004 4:47 PM
To: gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] building gentoo hardened - selinux


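The check Richard describes, as an added example that is not part of the original thread: it reads the supported policy-version range from security.h, following macros that are defined in terms of other macros, and classifies a candidate POLICYCOMPAT -c value against that range and against the "Kernel version" number that make load prints for the running kernel. The POLICYDB_VERSION_MIN / POLICYDB_VERSION_MAX macro names, the sample header contents and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find which policy versions a kernel
# source tree supports and check a candidate "POLICYCOMPAT = -c N" value.
# A version inside the range is necessary but not sufficient: in the thread,
# loads still failed with in-range versions until the LiveCD was updated.

# Constructed sample header, modelled on the "15 min and 17 max" reported in
# the thread. The macro names are an assumption about the header's layout.
write_sample_header() {
    cat > "$1" <<'EOF'
/* constructed sample, not a real kernel header */
#define POLICYDB_VERSION_BASE 15
#define POLICYDB_VERSION_BOOL 16
#define POLICYDB_VERSION_IPV6 17
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_IPV6
EOF
}

# resolve_define HEADER NAME
# Prints the integer value of NAME, following macros that point at other
# macros. Fails (status 1) if NAME is missing or never reaches a number.
resolve_define() {
    awk -v want="$2" '
        $1 == "#define" && NF >= 3 { v = $3; gsub(/[()]/, "", v); val[$2] = v }
        END {
            name = want
            for (hops = 0; hops < 16; hops++) {   # bound guards against cycles
                if (!(name in val)) exit 1
                v = val[name]
                if (v ~ /^[0-9]+$/) { print v; exit 0 }
                name = v
            }
            exit 1
        }' "$1"
}

# policy_range HEADER -> prints "MIN MAX"
policy_range() {
    min=$(resolve_define "$1" POLICYDB_VERSION_MIN) || return 1
    max=$(resolve_define "$1" POLICYDB_VERSION_MAX) || return 1
    echo "$min $max"
}

# check_version HEADER CANDIDATE [RUNNING]
# CANDIDATE is the value given to "-c"; RUNNING is the optional
# "Kernel version" number that make load reports for the booted kernel.
# Prints a verdict and returns 0 only when the verdict is "ok".
check_version() {
    case "$2" in ''|*[!0-9]*) echo "invalid"; return 2 ;; esac
    range=$(policy_range "$1") || { echo "unknown"; return 2; }
    min=${range% *}
    max=${range#* }
    if [ "$2" -lt "$min" ]; then echo "below-min"; return 1; fi
    if [ "$2" -gt "$max" ]; then echo "above-source-max"; return 1; fi
    if [ -n "${3:-}" ] && [ "$2" -gt "$3" ]; then
        echo "above-running-max"; return 1
    fi
    echo "ok"
}

# Demo on the constructed header, using the numbers from the thread:
# policy built as version 18, then 16, while the booted kernel reports 16.
hdr=$(mktemp)
write_sample_header "$hdr"
echo "source tree supports policy versions: $(policy_range "$hdr")"
for v in 18 17 16; do
    echo "-c $v with running kernel at 16: $(check_version "$hdr" "$v" 16 || true)"
done
rm -f "$hdr"
```

To check a real tree, pass /usr/src/linux/security/selinux/include/security.h as the header argument.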
RE: building gentoo hardened - selinux
Brian-

Upon further investigation it looks like the policy exports the headers to
the kernel, so maybe you will have to unmerge and then merge the older
policy. 0702 should work.

Richard.

> -----Original Message-----
> From: Brian Fernald [mailto:bscottfernald@gmail.com]
> Sent: Tuesday, September 14, 2004 6:22 PM
> To: Richard Simpson
> Cc: gentoo-hardened@lists.gentoo.org
> Subject: Re: [gentoo-hardened] building gentoo hardened - selinux
>
>
> Hi Richard,
>
> my security.h lists 15 - 17.. however, no matter which I build
> (POLICYCOMPAT), it still fails to load. I am quite perplexed.. have
> re-completed multiple rebuilds of gentoo just to make sure I am not
> missing something... yet, every time, can't load any policy...
>
> Brian
>
>
>
> ----- Original Message -----
> From: Richard Simpson <richard.simpson@wgint.com>
> Date: Tue, 14 Sep 2004 18:04:15 -0600
> Subject: RE: [gentoo-hardened] building gentoo hardened - selinux
> To: Brian Fernald <bfernald@pobox.com>, gentoo-hardened@lists.gentoo.org


--
gentoo-hardened@gentoo.org mailing list
Re: building gentoo hardened - selinux
Hi Brian,

I had the same problem last night,
however this morning I got a workaround,
yet I am not sure if it is correct or not, because
I am a SELinux newbie.

At this point I rebooted and logged into the newly
created system, whilst I answered the question,
after I entered root as user, with yes and entered
the following:

first question (role: I think it was) I answered with

sysadm_r

and the next question I answered with

sysadm_t

After the login I cd into /etc/security/selinux/src/policy.
Then I punched in the following commands:

make clean
make load
make relabel

It all went well so far, nevertheless as I mentioned earlier,
I am not 100% sure if it is 100% safe or if I missed
something.


Hope I could help.

Victor

PS: Next hours I will be at the gym, cu then.

RE: building gentoo hardened - selinux
This all has to do with the headers update that has been going on for
the last couple weeks. The livecd has to be updated too, and I
overlooked this fact. I'll try to get a new livecd out ASAP.


--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
RE: building gentoo hardened - selinux
Hi!

Had the same problems. Yesterday I recompiled and reinstalled the
kernel. I ran make clean and make load on the policies, but no make
relabel and it worked for me.

Another, maybe related question: I am running a 2.6.7-hardened-r8
kernel, should I install the linux26-headers and uninstall
linux-headers? What do I have to do to my system if I do that?

/Fredrik

-----Original Message-----
From: Chris PeBenito [mailto:pebenito@gentoo.org]
Sent: 15 September 2004 12:59
To: Richard Simpson
Cc: Brian Fernald; gentoo-hardened@lists.gentoo.org
Subject: RE: [gentoo-hardened] building gentoo hardened - selinux

This all has to do with the headers update that has been going on for
the last couple weeks. The livecd has to be updated too, and I
overlooked this fact. I'll try to get a new livecd out ASAP.


RE: building gentoo hardened - selinux
I just modified the current livecd and put in a new policy. I'm
uploading it to http://dev.gentoo.org/~pebenito/. I've got slow upload,
so check back in at least an hour. Someone please test to verify it
fixes the load problem.

Re: building gentoo hardened - selinux
Hi Chris,

is there a workaround, e.g. to mount a part of
the new iso and try make load again?

Thanks in advance.

Victor

Re: building gentoo hardened - selinux
Hi everyone,

Me again, I think I got an idea, maybe it will work.

I want to try the following:
- do a make in then boot in the new selinux system
- login as root
- cd /etc/security/selinux/src/policy/
- make load
- make relabel
- make policy
- make install

So I will try and report in a second.

See you.

Victor

Victor Banatean wrote:

> Hi Chris,
>
> is there a work around,e.g. to mount a part of
> the new iso and try make load again?
>
> Thanks in advance.
>
> Victor
>
> Chris PeBenito wrote:
>
>> I just modified the current livecd and put in a new policy. I'm
>> uploading it to http://dev.gentoo.org/~pebenito/. I've got slow upload,
>> so check back in at least an hour. Someone please test to verify it
>> fixes the load problem.
>>
>> On Wed, 2004-09-15 at 06:59, Chris PeBenito wrote:
>>
>>
>>> This all has to do with the headers update that has been going on for
>>> the last couple weeks. The livecd has to be updated too, and I
>>> overlooked this fact. I'll try to get a new livecd out ASAP.
>>>
>>>
>>> On Tue, 2004-09-14 at 20:04, Richard Simpson wrote:
>>>
>>>
>>>> Brian-
>>>>
>>>> Look in /usr/src/linux/security/selinux/include/security.h to see what
>>>> policy versions your kernel is compatible with. My 2.6.7-r8 kernel
>>>> lists 15 min and 17 max, so I was able to use POLICYCOMPAT = -c 17.
>>>> AFAIK the policy compiler is only backwards compatible 1 version
>>>> level.
>>>>
>>>> For some reason emerge chose to merge selinux-base-policy-20040906 on
>>>> my system too even though that package is flagged ~x86, and I found
>>>> out after the fact that it's not compatible with my kernel. I would
>>>> like to see hardened-dev-sources noted in the changelog what policy
>>>> versions it supports, rather than having to dig through the headers
>>>> after its emerged.
>>>>
>>>> Richard.
>>>> -----Original Message-----
>>>> From: Brian Fernald [mailto:bfernald@pobox.com]
>>>> Sent: Tuesday, September 14, 2004 4:47 PM
>>>> To: gentoo-hardened@lists.gentoo.org
>>>> Subject: [gentoo-hardened] building gentoo hardened - selinux
>>>> Hi,
>>>> I have just walked through the Gentoo SELinux
>>>> handbook to
>>>> build a new system. Whenever I come to the point of loading
>>>> the security policy, it attempts to build a Policy of version
>>>> 18 .. It reports the following :
>>>> make load
>>>> * Creating policy.conf
>>>> * Policy version: 18
>>>> * Kernel version: 16
>>>> * WARNING: Policy version mismatch. Is your POLICYCOMPAT set
>>>> correctly?
>>>> * See
>>>> http://hardened.gentoo.org/selinux/selinux-policy.xml#doc_chap6
>>>> * for more information.
>>>> * Compiling and installing policy.18
>>>> /usr/bin/checkpolicy: loading policy configuration from
>>>> /etc/security/selinux/src/policy.conf
>>>> security: 3 users, 5 roles, 367 types, 1 bools
>>>> security: 51 classes, 24552 rules
>>>> /usr/bin/checkpolicy: policy configuration loaded
>>>> /usr/bin/checkpolicy: writing binary representation (version
>>>> 18) to /etc/security/selinux/policy.18
>>>> * Building file_contexts
>>>> * Installing file_contexts
>>>> * Loading policy.18
>>>> /usr/sbin/load_policy: security_load_policy failed
>>>> make: *** [tmp/load] Error 3
>>>> ... i then changed POLICYCOMPAT to be 16
>>>> and tried again :
>>>> make load
>>>> * Policy version: 16
>>>> * Kernel version: 16
>>>> * Compiling and installing policy.16
>>>> /usr/bin/checkpolicy: loading policy configuration from
>>>> /etc/security/selinux/src/policy.conf
>>>> security: 3 users, 5 roles, 367 types, 1 bools
>>>> security: 51 classes, 24552 rules
>>>> /usr/bin/checkpolicy: policy configuration loaded
>>>> /usr/bin/checkpolicy: writing binary representation (version
>>>> 16) to /etc/security/selinux/policy.16
>>>> * Loading policy.16
>>>> /usr/sbin/load_policy: security_load_policy failed
>>>> make: *** [tmp/load] Error 3
>>>> it still fails. The system
>>>> is currently booted to the LiveCD (as per
>>>> instructions).. the kernel downloaded and build was
>>>> 2.6.7-hardened-r8 (emerge hardened-dev-sources) ..
>>>> Could anyone shed some light on what I am doing
>>>> incorrectly ?
>>>> Thanks,
>>>> Brian
>>>>
>>>

--
gentoo-hardened@gentoo.org mailing list
Re: building gentoo hardened - selinux
Victor Banatean wrote:

> Hi everyone,
>
> again me I think I got an idea, maybe it will work.
>
> I want to try the following:
> - do a make in then boot in the new selinux system
> - login as root
> - cd /etc/security/selinux/src/policy/
> - make load
> - make relabel
fine.

> - make policy
> - make install
unnecessary, the policy has already been built and installed (by the
make load target)


>
> So I will try and report in a second.
>
> See you.
>
> Victor
>
> Victor Banatean wrote:
>
>> Hi Chris,
>>
>> is there a work around, e.g. to mount a part of
>> the new iso and try make load again?
>>
>> Thanks in advance.
>>
>> Victor
>>
>> Chris PeBenito wrote:
>>
>>> I just modified the current livecd and put in a new policy. I'm
>>> uploading it to http://dev.gentoo.org/~pebenito/. I've got slow upload,
>>> so check back in at least an hour. Someone please test to verify it
>>> fixes the load problem.
>>>
>>> On Wed, 2004-09-15 at 06:59, Chris PeBenito wrote:
>>>
>>>
>>>> This all has to do with the headers update that has been going on for
>>>> the last couple weeks. The livecd has to be updated too, and I
>>>> overlooked this fact. I'll try to get a new livecd out ASAP.
>>>>
>>>>
>>>> On Tue, 2004-09-14 at 20:04, Richard Simpson wrote:
>>>>
>>>>
>>>>> Brian-
>>>>>
>>>>> Look in /usr/src/linux/security/selinux/include/security.h to see what
>>>>> policy versions your kernel is compatible with. My 2.6.7-r8 kernel
>>>>> lists 15 min and 17 max, so I was able to use POLICYCOMPAT = -c 17.
>>>>> AFAIK the policy compiler is only backwards compatible 1 version
>>>>> level.
>>>>>
>>>>> For some reason emerge chose to merge selinux-base-policy-20040906 on
>>>>> my system too even though that package is flagged ~x86, and I found
>>>>> out after the fact that it's not compatible with my kernel. I would
>>>>> like to see hardened-dev-sources noted in the changelog what policy
>>>>> versions it supports, rather than having to dig through the headers
>>>>> after it's emerged.
>>>>>
>>>>> Richard.
>>>>> -----Original Message-----
>>>>> From: Brian Fernald [mailto:bfernald@pobox.com]
>>>>> Sent: Tuesday, September 14, 2004 4:47 PM
>>>>> To: gentoo-hardened@lists.gentoo.org
>>>>> Subject: [gentoo-hardened] building gentoo hardened - selinux
>>>>> Hi,
>>>>> I have just walked through the Gentoo SELinux
>>>>> handbook to
>>>>> build a new system. Whenever I come to the point of loading
>>>>> the security policy, it attempts to build a Policy of version
>>>>> 18 .. It reports the following :
>>>>> make load
>>>>> * Creating policy.conf
>>>>> * Policy version: 18
>>>>> * Kernel version: 16
>>>>> * WARNING: Policy version mismatch. Is your POLICYCOMPAT set
>>>>> correctly?
>>>>> * See
>>>>> http://hardened.gentoo.org/selinux/selinux-policy.xml#doc_chap6
>>>>> * for more information.
>>>>> * Compiling and installing policy.18
>>>>> /usr/bin/checkpolicy: loading policy configuration from
>>>>> /etc/security/selinux/src/policy.conf
>>>>> security: 3 users, 5 roles, 367 types, 1 bools
>>>>> security: 51 classes, 24552 rules
>>>>> /usr/bin/checkpolicy: policy configuration loaded
>>>>> /usr/bin/checkpolicy: writing binary representation (version
>>>>> 18) to /etc/security/selinux/policy.18
>>>>> * Building file_contexts
>>>>> * Installing file_contexts
>>>>> * Loading policy.18
>>>>> /usr/sbin/load_policy: security_load_policy failed
>>>>> make: *** [tmp/load] Error 3
>>>>> ... I then changed POLICYCOMPAT to be 16
>>>>> and tried again :
>>>>> make load
>>>>> * Policy version: 16
>>>>> * Kernel version: 16
>>>>> * Compiling and installing policy.16
>>>>> /usr/bin/checkpolicy: loading policy configuration from
>>>>> /etc/security/selinux/src/policy.conf
>>>>> security: 3 users, 5 roles, 367 types, 1 bools
>>>>> security: 51 classes, 24552 rules
>>>>> /usr/bin/checkpolicy: policy configuration loaded
>>>>> /usr/bin/checkpolicy: writing binary representation (version
>>>>> 16) to /etc/security/selinux/policy.16
>>>>> * Loading policy.16
>>>>> /usr/sbin/load_policy: security_load_policy failed
>>>>> make: *** [tmp/load] Error 3
>>>>> it still fails. The system
>>>>> is currently booted to the LiveCD (as per
>>>>> instructions).. the kernel downloaded and build was
>>>>> 2.6.7-hardened-r8 (emerge hardened-dev-sources) ..
>>>>> Could anyone shed some light on what I am doing
>>>>> incorrectly ?
>>>>> Thanks,
>>>>> Brian
>>>>>
>>>>
>>>>


--
gentoo-hardened@gentoo.org mailing list
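
The header check Richard Simpson describes in the quoted message above, as an added example that is not part of the thread: it resolves the minimum and maximum policy versions from a security.h-style header and picks a checkpolicy -c value inside that range. The macro names POLICYDB_VERSION_MIN and POLICYDB_VERSION_MAX do not appear on this page, the function names are hypothetical, and the sample header is constructed to match the 15 min / 17 max he reports.

```shell
#!/bin/sh
# Added example (not from the thread): read the policy version range a kernel
# tree supports and choose a checkpolicy -c value that fits inside it.

# Print the numeric value of macro $2 in header $1, following
# "#define A B" aliases until a plain number is reached.
resolve_define() {
    awk -v want="$2" '
        $1 == "#define" && NF >= 3 { val[$2] = $3 }
        END {
            name = want
            for (hops = 0; hops < 8 && (name in val); hops++) name = val[name]
            if (name ~ /^[0-9]+$/) print name; else exit 1
        }' "$1"
}

# Print the version to compile for: the wanted one if the kernel accepts it,
# otherwise the kernel maximum. Returns 1 if the wanted version is below the
# kernel minimum, 2 if the header could not be parsed.
pick_policy_version() {
    hdr=$1; wanted=$2
    min=$(resolve_define "$hdr" POLICYDB_VERSION_MIN) || return 2
    max=$(resolve_define "$hdr" POLICYDB_VERSION_MAX) || return 2
    [ "$wanted" -ge "$min" ] || return 1
    if [ "$wanted" -gt "$max" ]; then echo "$max"; else echo "$wanted"; fi
}

# Constructed sample header (assumption: real headers alias MIN/MAX to
# named versions like this; values match the 15/17 range quoted above).
make_sample_header() {
    cat > "$1" <<'EOF'
#define POLICYDB_VERSION_BASE 15
#define POLICYDB_VERSION_BOOL 16
#define POLICYDB_VERSION_IPV6 17
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_IPV6
EOF
}

# Stand-alone use:
#   sh thisfile /usr/src/linux/security/selinux/include/security.h 18
if [ "$#" -eq 2 ]; then pick_policy_version "$1" "$2"; fi
```

The header describes the kernel tree under /usr/src/linux; load_policy talks to the kernel that is currently booted, which in this thread was the LiveCD's.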
Re: building gentoo hardened - selinux
Hi Gentoo-Hardened-list,

Joshua Brindle wrote:

> Victor Banatean wrote:
>
>> Hi everyone,
>>
>> again me I think I got an idea, maybe it will work.
>>
>> I want to try the following:
>> - do a make in then boot in the new selinux system
>> - login as root
>> - cd /etc/security/selinux/src/policy/
>> - make load
>> - make relabel
>
> fine.
>
I had not had the chance to login as root,
for that reason I installed the new Gentoo-SELinux
from Chris.

>> - make policy
>> - make install
>
> unnecessary, the policy has already been built and installed (by the
> make load target)
>
>
>>
>> So I will try and report in a second.
>>
>> See you.
>>
>> Victor
>>
>> Victor Banatean wrote:
>>
>>> Hi Chris,
>>>
>>> is there a work around, e.g. to mount a part of
>>> the new iso and try make load again?
>>>
>>> Thanks in advance.
>>>
>>> Victor
>>>
>>> Chris PeBenito wrote:
>>>
>>>> I just modified the current livecd and put in a new policy. I'm
>>>> uploading it to http://dev.gentoo.org/~pebenito/. I've got slow
>>>> upload,
>>>> so check back in at least an hour. Someone please test to verify it
>>>> fixes the load problem.
>>>>
I had tried your new version, as a result I could install the new policy,
however not load it.
Nevertheless I could do it after a reboot.
So now I am working with the new environment.

Thanks for your immediate help Chris.

Yours sincerely,
Victor


--
gentoo-hardened@gentoo.org mailing list