Message-ID: <4CE08989.9070600@giz-works.com>
Date: Sun, 14 Nov 2010 19:14:49 -0600
From: Chris Richards
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux (targeted policy) and invalid context

On 11/14/2010 06:44 PM, luc nac wrote:
> Thanks to all of you who have been interested in my previous message.
> I'm encountering many more problems than expected and I can't find a
> forum where I can discuss SELinux in Gentoo. I didn't find much
> help in this one http://forums.gentoo.org/viewforum-f-18.html . If
> this is not the right place to ask for help, please tell me!
>
> Now I'm trying to install the targeted policy but I can't succeed.
> Trying to relabel the filesystem I obtain an error:
>
> localhost ~ # rlpkg -a -r
> Relabeling filesystem types: ext2 ext3 jfs xfs
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 21 has invalid context user_u:object_r:user_tmp_t
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 32 has invalid context root:object_r:user_tmp_t
> Scanning for shared libraries with text relocations...
> 0 libraries with text relocations, 0 not relabeled.
> Scanning for PIE binaries with text relocations...
> 0 binaries with text relocations detected.
>
> The same error appears when trying to emerge any package.
>
> Commenting out this line:
> /tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
> in /etc/selinux/targeted/contexts/files/homedir_template
> and then running the genhomedircon command, subsequent rlpkg (and
> emerge) runs succeed until the next reboot.
> I think that this is a bad solution!
>
> In the SELinux FAQ http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=3
> (section 3.f. Setfiles error messages) it's written that "If /selinux
> is mounted, then most likely there is new policy that has not yet been
> loaded; therefore, the contexts have not yet become valid."
>
> I emerged a lot of modules, many more than needed considering that
> this is a Gentoo stage 3 system.
>
> localhost ~ # equery list selinux-
> [ Searching for package 'selinux-' in all categories among: ]
> * installed packages
> [I--] [ ] sec-policy/selinux-apache-20070928 (0)
> [I--] [ ] sec-policy/selinux-arpwatch-20070928 (0)
> [I--] [ ] sec-policy/selinux-base-policy-20070928 (0)
> [I--] [ ] sec-policy/selinux-bind-20070928 (0)
> [I--] [ ] sec-policy/selinux-dbus-20070928 (0)
> [I--] [ ] sec-policy/selinux-desktop-20070928 (0)
> [I--] [ ] sec-policy/selinux-dhcp-20070928 (0)
> [I--] [ ] sec-policy/selinux-dnsmasq-20070928 (0)
> [I--] [ ] sec-policy/selinux-games-20070928 (0)
> [I--] [ ] sec-policy/selinux-gnupg-20070928 (0)
> [I--] [ ] sec-policy/selinux-gpm-20070928 (0)
> [I--] [ ] sec-policy/selinux-logrotate-20070928 (0)
> [I--] [ ] sec-policy/selinux-nfs-20070928 (0)
> [I--] [ ] sec-policy/selinux-openldap-20070928 (0)
> [I--] [ ] sec-policy/selinux-portmap-20070928 (0)
> [I--] [ ] sec-policy/selinux-samba-20070928 (0)
> [I--] [ ] sec-policy/selinux-sudo-20070928 (0)
> [I--] [ ] sec-policy/selinux-tcpd-20070928 (0)
> [I--] [ ] sec-policy/selinux-tftpd-20070928 (0)
>
> localhost ~ # semodule -l
> apache 1.8.0
> arpwatch 1.4.0
> bind 1.5.0
> dbus 1.7.0
> dhcp 1.4.0
> dnsmasq 1.4.0
> games 1.4.0
> gpg 1.4.0
> gpm 1.3.0
> java 1.6.0
> ldap 1.5.0
> logrotate 1.6.0
> mono 1.3.0
> mozilla 1.4.0
> mplayer 1.3.0
> portmap 1.5.0
> rpc 1.6.0
> samba 1.6.0
> sudo 1.2.0
> tftp 1.5.0
> wine 1.4.0
> xfs 1.2.0
> xserver 1.6.0
>
> localhost ~ # cat /etc/selinux/targeted/contexts/files/homedir_template
> HOME_DIR/.+ system_u:object_r:ROLE_home_t
> HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t
> HOME_ROOT/lost\+found/.* <<none>>
> HOME_DIR -d system_u:object_r:ROLE_home_dir_t
> HOME_ROOT -d system_u:object_r:home_root_t
> /tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
> HOME_ROOT/\.journal <<none>>
> HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t

Ok, first and foremost, I haven't tested targeted policy (I'm still
sorting out strict policy).

Second, the handbook states that you should use v2refpolicy. You are
running the 20070928 policy, which is v1 policy and is very, very old. I'm
guessing you are working with an old system that hasn't been converted to
v2refpolicy.

Third, even with v2refpolicy, the current version in the tree is now
almost a year old and has issues (which is part of what I'm working to
sort out). TBH, I'm not entirely certain it will boot in enforcing mode,
although targeted policy will stand a better chance of working than
strict policy.

I'm working as fast as I can. Unfortunately, my spare time is pretty,
well, 'spare' and has been for some time.

If you want to make your own ebuild, you can find where to pull the
latest release policy from
http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease, or get the
current development policy from the git repository at
http://oss.tresys.com/git/refpolicy.git.

Later,
Gizmo
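The error in the quoted report arises when genhomedircon expands the ROLE_tmp_t placeholder in homedir_template into a type (user_tmp_t) that the loaded policy does not define, so setfiles rejects the resulting file_contexts.homedirs entries. The following is an added Python example, not code from the thread or from policycoreutils: it mimics that expansion over a constructed template and seuser table, then runs a setfiles-style validation against a constructed set of policy types; genhomedircon's exact substitution rules, the seuser values and the home root are assumptions.

```python
import re

# Constructed excerpt of homedir_template, modelled on the one quoted in the thread.
HOMEDIR_TEMPLATE = """\
HOME_DIR/.+ system_u:object_r:ROLE_home_t
HOME_DIR -d system_u:object_r:ROLE_home_dir_t
HOME_ROOT -d system_u:object_r:home_root_t
/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
HOME_ROOT/lost\\+found -d system_u:object_r:lost_found_t
HOME_ROOT/lost\\+found/.* <<none>>
"""
# Constructed seuser table (assumed values): Linux user, SELinux user, role prefix, home.
SEUSERS = [("luc", "user_u", "user", "/home/luc"), ("root", "root", "user", "/root")]
# Constructed set of types in the loaded policy; user_tmp_t is left out on purpose,
# which reproduces the "invalid context" error from the thread.
POLICY_TYPES = {"user_home_t", "user_home_dir_t", "home_root_t", "lost_found_t"}
# entry = path, optional file-type flag such as -d, then a context or <<none>>
LINE_RE = re.compile(r"^(\S+)(?:\s+(-[a-z]))?\s+(\S+)$")

def expand_template(template, seusers, home_root="/home"):
    """Mimic genhomedircon: emit HOME_DIR/USER entries once per SELinux user,
    substituting ROLE with the user's prefix and system_u with the seuser."""
    out = []
    for line in template.splitlines():
        if "HOME_DIR" in line or "USER" in line:
            for user, seuser, prefix, home in seusers:
                out.append(line.replace("HOME_DIR", home).replace("USER", user)
                           .replace("ROLE", prefix).replace("system_u", seuser))
        else:
            out.append(line.replace("HOME_ROOT", home_root))
    return out

def check_contexts(lines, policy_types):
    """Mimic setfiles' validation pass: return (line number, context) for every
    entry whose type is absent from the policy.  The real check hands the whole
    context to the kernel (security_check_context); only the type is checked here."""
    bad = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: cannot parse {line!r}")
        ctx = m.group(3)
        fields = ctx.split(":")
        if ctx != "<<none>>" and (len(fields) < 3 or fields[2] not in policy_types):
            bad.append((n, ctx))
    return bad

if __name__ == "__main__":
    for n, ctx in check_contexts(expand_template(HOMEDIR_TEMPLATE, SEUSERS), POLICY_TYPES):
        print(f"file_contexts.homedirs: line {n} has invalid context {ctx}")
```

Adding user_tmp_t to POLICY_TYPES (the equivalent of loading a policy that defines it) makes the report empty, which is the fix the handbook's FAQ entry points at rather than commenting the template line out.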