Mailing List Archive

[SELinux] broken policy and emerge file labeling
I am unable to load a policy into the running kernel:

* Loading policy.17
/usr/sbin/load_policy: security_load_policy failed
make: *** [tmp/load] Error 3

My kernel is 2.6.7-gentoo-r11. I cannot find the cause of why this is
happening so I wanted to upgrade the kernel.

However I get:

>>> Setting SELinux security labels
/usr/sbin/setfiles: invalid context system_u:object_r:file_context_t on
line number 259
/usr/sbin/setfiles: read 702 specifications

Which I expect to get after trying to merge any package.


I am stuck with a chicken-and-egg problem:

emerge requires a loaded policy;
in order to load a policy I need to emerge.

My question is how do I tell emerge not to relabel the files before
install? I can always run rlpkg afterwards.

Sincerely,
Vladimir Berezniker





--
gentoo-hardened@gentoo.org mailing list
Re: [SELinux] broken policy and emerge file labeling [ In reply to ]
On Thu, 2004-09-16 at 17:03, Vladimir Berezniker wrote:
> I am unable to load a policy into the running kernel:
>
> * Loading policy.17
> /usr/sbin/load_policy: security_load_policy failed
> make: *** [tmp/load] Error 3
>
> My kernel is 2.6.7-gentoo-r11. I cannot find the cause of why this is
> happening so I wanted to upgrade the kernel.
>
> However I get:
>
> >>> Setting SELinux security labels
> /usr/sbin/setfiles: invalid context system_u:object_r:file_context_t on
> line number 259
> /usr/sbin/setfiles: read 702 specifications

As previously stated, you need to reboot.

http://marc.theaimsgroup.com/?l=gentoo-hardened&m=109448600406599&w=2

--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
Re: [SELinux] broken policy and emerge filelabeling [ In reply to ]
<quote who="Chris PeBenito">
> On Thu, 2004-09-16 at 17:03, Vladimir Berezniker wrote:
>> I am unable to load a policy into the running kernel:
>>
>> * Loading policy.17
>> /usr/sbin/load_policy: security_load_policy failed
>> make: *** [tmp/load] Error 3
>>
>> My kernel is 2.6.7-gentoo-r11. I cannot find the cause of why this is
>> happening so I wanted to upgrade the kernel.
>>
>> However I get:
>>
>> >>> Setting SELinux security labels
>> /usr/sbin/setfiles: invalid context system_u:object_r:file_context_t on
>> line number 259
>> /usr/sbin/setfiles: read 702 specifications
>
> As previously stated, you need to reboot.
>
> http://marc.theaimsgroup.com/?l=gentoo-hardened&m=109448600406599&w=2
>
> --
> Chris PeBenito
> <pebenito@gentoo.org>
> Developer,
> Hardened Gentoo Linux
> Embedded Gentoo Linux
>
> Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
> Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
>
Thank you very much. Reboot did in fact fix this.

However, I am still curious about asking emerge not to label files. The reason
I ask is that once before, I managed to mess up /etc/security/selinux. I could
not get a policy to compile. I tried remerging base-policy, however it would
not work due to the labeling step failing. So I was curious if there was a way to
ask emerge to skip the labeling step.

Sincerely,
Vladimir Berezniker





--
gentoo-hardened@gentoo.org mailing list
Re: [SELinux] broken policy and emerge filelabeling [ In reply to ]
On Thu, 2004-09-16 at 21:00, Vladimir Berezniker wrote:
> However, I am still curious about asking emerge not to label files. The reason
> I ask is that once before, I managed to mess up /etc/security/selinux. I could
> not get a policy to compile. I tried remerging base-policy, however it would
> not work due to the labeling step failing. So I was curious if there was a way to
> ask emerge to skip the labeling step.

It runs if all of these are met:

1. USE=selinux
2. /selinux/context is available
3. /usr/sbin/setfiles is executable

If it comes down to it, you could
`USE="-selinux" emerge selinux-base-policy`
without problem, just as long as you relabel afterwards.

--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
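
Added example, not part of the thread and not Portage's own code: a shell check of the three conditions listed in the reply above, reporting which one would cause the labeling step to be skipped. The function names are hypothetical, and the USE handling assumes flags apply left to right with "-flag" disabling a flag and "-*" clearing all of them.

```sh
#!/bin/sh
# Added example: evaluates the three conditions named in the thread.
# Function names are hypothetical; paths default to those in the thread.

# use_enabled FLAG USE_STRING: succeed if FLAG ends up enabled.
# Assumption: flags apply left to right; "-flag" disables, "-*" clears all.
use_enabled() {
    ue_flag=$1
    ue_state=off
    set -f                          # keep "-*" from being glob-expanded
    for ue_tok in $2; do
        case $ue_tok in
            "$ue_flag")        ue_state=on ;;
            "-$ue_flag"|"-*")  ue_state=off ;;
        esac
    done
    set +f
    [ "$ue_state" = on ]
}

# labeling_blockers USE_STRING [CONTEXT_PATH] [SETFILES_PATH]
# Prints one line per unmet condition; returns 0 only if all three hold.
labeling_blockers() {
    lb_ctx=${2:-/selinux/context}
    lb_setfiles=${3:-/usr/sbin/setfiles}
    lb_rc=0
    use_enabled selinux "$1" || { echo "USE: selinux not enabled"; lb_rc=1; }
    [ -e "$lb_ctx" ]         || { echo "missing: $lb_ctx"; lb_rc=1; }
    [ -x "$lb_setfiles" ]    || { echo "not executable: $lb_setfiles"; lb_rc=1; }
    return $lb_rc
}

# Simplification: only the environment's USE is examined here; the effective
# value also depends on the Portage configuration, so pass that string instead
# when it is known.
if labeling_blockers "${USE:-}"; then
    echo "labeling step would run"
else
    echo "labeling step would be skipped; relabel afterwards"
fi
```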