@@ -272,6 +276,42 @@ It is also not a bad idea to report (after verifying=
if it hasn't been reported
first) this on Gentoo's bugzilla=
so=20
that the default policies are updated accordingly.
+During installation of a package, you might see the following error mess=
age:
+
+
+
Code Listing5.5: Erro=
r message during package installation
+
+>> Installing (1 of 1) net-dns/host-991529
+>>> Setting SELinux security labels
+ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded=
: ignored.
+
+
+
+This message should only occur after the=
Setting SELinux security
+labels message. It happens because SELinux tells glibc to disable=
=20
+LD_PRELOAD (and other environmen=
t variables that are considered=20
+potentially harmful) during domain transitions. Here, portage calls the
+setfiles command (part of a SELi=
nux installation) and as such=20
+transitions from portage_t to setfiles_t, which clears the environment
+variable.
+
+
+We believe that it is safer to trust the SELinux policy here (as setfile=
s runs
+in its own confined domain anyhow) rather than updating the policy to al=
low
+transitioning between portage_t to setfiles_t without clearing these=20
+environment variables. Note that libsandbox.so =
is not disabled during builds
+and merges, only during the activity where Portage labels the fil=
es it=20
+just merged.
+
+
+So the error is in our opinion cosmetic and can be ignored (but sadly no=
t
+hidden).
+
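Review bot: the explanation in this hunk ("SELinux tells glibc to disable LD_PRELOAD ... during domain transitions") describes the mechanism loosely and would be clearer if it named the policy permission involved. What happens is that the kernel sets AT_SECURE on the execve when the transition from portage_t to setfiles_t is not granted the `process noatsecure` permission, and glibc's loader then drops LD_PRELOAD and the other unsafe variables exactly as it does for setuid binaries; naming `noatsecure` tells the reader which rule the text is recommending they not add, which strengthens the argument that the error is cosmetic. Two smaller points: "transitioning between portage_t to setfiles_t" should read "transitioning from portage_t to setfiles_t", and the first line of the listing, ">> Installing (1 of 1) net-dns/host-991529", has two chevrons where Portage prints three, so it should match the ">>> Setting SELinux security labels" line that follows it.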
diff --git a/html/selinux/hb-using-enforcing.html b/html/selinux/hb-using=
-enforcing.html
index 810722f..eb5d08a 100644
--- a/html/selinux/hb-using-enforcing.html
+++ b/html/selinux/hb-using-enforcing.html
@@ -3,7 +3,7 @@
-
+
@@ -141,8 +141,7 @@ system as the intention was to ignore the output anyh=
ow.
So how can we ensure that this rule doesn't fill up our AVC logs? Well, =
we need
-to create a module (like we have seen before and which we discuss in a l=
ater
-chapter again :-):
+to create a module (like we have seen before in (Creating Specific =
Allow Rules)):
Code Listing1.1: Crea=
ting a module to ignore these AVC denials
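Review bot: the replacement line ends with a doubled closing parenthesis, "before in (Creating Specific Allow Rules)):", because the section title is itself parenthesised inside the existing parenthetical. Either move the cross-reference outside the parenthetical ("to create a module, like we have seen before in (Creating Specific Allow Rules):") or drop the outer parentheses so the sentence reads the same way as the reference to (Adding SELinux Policy Modules) in the other hunk of this patch.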
diff --git a/html/selinux/hb-using-permissive.html b/html/selinux/hb-usin=
g-permissive.html
index b1a43d8..edb5a19 100644
--- a/html/selinux/hb-using-permissive.html
+++ b/html/selinux/hb-using-permissive.html
@@ -308,7 +308,7 @@ files whose context you want to set. Writing policy m=
odules is described later
in this book in (Adding SELinux Policy
Modules).
-
If a denial isn't resolved through an available SELinux policy module or=
a
corrective action taken against the target file or directory, or there
@@ -381,6 +381,10 @@ order to load a module, you can use semodule -i mod
+ With semodule -i modulename.pp you (re)install a module (or install
+ a higher version of said module)
+
+
With semodule -u modulename.pp you upgrade an existing installed
module with a new version of this module
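Review bot: the new `semodule -i` bullet overlaps with the `-u` bullet directly below it. The added text says "-i ... you (re)install a module (or install a higher version of said module)", while the next bullet says "-u ... you upgrade an existing installed module with a new version", so a reader is left without a rule for choosing between them. Either drop the parenthetical on the `-i` bullet so it only covers fresh installs and reinstalls, or add a short clause stating when `-u` is the right choice instead; in either case the two bullets should not both claim to cover installing a newer version. The four added lines also include two empty `+` lines, which looks like more spacing than the surrounding list items use.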