From: luc nac <lucnac@gmail.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux (targeted policy) and invalid context
Date: Wed, 17 Nov 2010 21:41:49 +0100
Message-ID: <AANLkTik8d=NqEZwkMuBq5MdcedwpYoBMuwHgA8t07oPA@mail.gmail.com>
In-Reply-To: <4CE08989.9070600@giz-works.com>
Now I am trying to use SELinux (targeted policy) in a brand new Gentoo
stage3 (kernel 2.6.32-hardened-r9). I tried all versions of
selinux-base-policy available, but relabeling the file system always
fails with the same error: "filespec_add: Conflicting specifications
for ...".
Am I still doing something wrong? Is the only thing I can do to run
SELinux in Gentoo to try to make my own ebuild?
# rlpkg -a -r
Relabeling filesystem types: ext2 ext3 jfs xfs
filespec_add: conflicting specifications for /usr/bin/getconf and /usr/lib/misc/glibc/getconf/POSIX_V6_ILP32_OFFBIG, using system_u:object_r:lib_t.
filespec_eval: hash table stats: 251923 elements, 63077/65536 buckets used, longest chain length 8
Scanning for shared libraries with text relocations...
0 libraries with text relocations, 0 not relabeled.
Scanning for PIE binaries with text relocations...
0 binaries with text relocations detected.
# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:sshd_t
File contexts:
Controlling term: unconfined_u:object_r:user_devpts_t
/sbin/init system_u:object_r:init_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/bin/login system_u:object_r:login_exec_t
/sbin/rc system_u:object_r:initrc_exec_t
/sbin/runscript.sh system_u:object_r:initrc_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash system_u:object_r:shell_exec_t
/usr/bin/newrole system_u:object_r:newrole_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
# eselect profile list
Available profile symlink targets:
[1] default/linux/x86/10.0
[2] default/linux/x86/10.0/desktop
[3] default/linux/x86/10.0/desktop/gnome
[4] default/linux/x86/10.0/desktop/kde
[5] default/linux/x86/10.0/developer
[6] default/linux/x86/10.0/server
[7] hardened/linux/x86/10.0
[8] selinux/2007.0/x86
[9] selinux/2007.0/x86/hardened
[10] selinux/v2refpolicy/x86
[11] selinux/v2refpolicy/x86/desktop
[12] selinux/v2refpolicy/x86/developer
[13] selinux/v2refpolicy/x86/hardened *
[14] selinux/v2refpolicy/x86/server
# equery list -p selinux-base-policy
[ Searching for package 'selinux-base-policy' in all categories among: ]
* installed packages
[I--] [ ~] sec-policy/selinux-base-policy-2.20091215 (0)
* Portage tree (/usr/portage)
[-P-] [ ~] sec-policy/selinux-base-policy-2.20090730 (0)
[-P-] [ ~] sec-policy/selinux-base-policy-2.20090814 (0)
[-P-] [M ] sec-policy/selinux-base-policy-20080525 (0)
[-P-] [ ~] sec-policy/selinux-base-policy-20080525-r1 (0)
# semodule -l
apache 2.1.0
bind 1.10.0
gpg 2.2.1
java 2.2.0
local 1.0
mono 1.6.0
mozilla 2.1.1
mplayer 2.1.0
wine 1.6.0
xfs 1.6.0
xserver 3.3.1
On Mon, Nov 15, 2010 at 02:14, Chris Richards <gizmo@giz-works.com> wrote:
> Ok, first and foremost, I haven't tested targeted policy (I'm still sorting
> strict policy).
> Second, the handbook states that you should use v2refpolicy. You are
> running the 20070928 policy, which is v1 policy and is very very old. I'm
> guessing you are working with an old system that hasn't been converted to
> v2refpolicy.
> Third, even with v2refpolicy, the current version in the tree is now almost
> a year old and has issues (which is part of what I'm working to sort out).
> TBH, I'm not entirely certain it will boot in enforcing mode, although
> targeted policy will stand a better chance of working than strict policy.
>
> I'm working as fast as I can. Unfortunately, my spare time is pretty, well,
> 'spare' and has been for some time. If you want to make your own ebuild,
> you can find where to pull the latest release policy from
> http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease, or get the
> current development policy from the git repository at
> http://oss.tresys.com/git/refpolicy.git.
>
> Later,
> Gizmo
>
>
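The "filespec_add: conflicting specifications" line in the rlpkg output above comes from setfiles' per-inode bookkeeping: when two hard-linked paths resolve to different file_contexts entries, the relabel cannot give one inode two labels, so it warns and keeps the context it recorded for the first path it saw (here the lib_t of the /usr/lib/misc path, which is why /usr/bin/getconf ends up as lib_t). The script below is an added example, not code from the thread or from refpolicy, that models this check so the warning can be reproduced and understood offline. The file_contexts fragment, the inode numbers and the hard-link groups are constructed; the "last matching spec wins" lookup rule is assumed to mirror libselinux's file_contexts ordering (confirm with matchpathcon(1) on a real system), and Python's re is used in place of the POSIX regex dialect that file_contexts uses.

```python
"""Model of the hard-link check behind setfiles' "filespec_add:
conflicting specifications" warning.  Added example; every file_contexts
entry, inode number and path group here is constructed."""
import re

# Constructed file_contexts fragment.  One entry per line: regex [ftype] context.
# Contexts carry no MLS range, matching the sestatus output in this thread.
BASE_FILE_CONTEXTS = """
/.*                              system_u:object_r:default_t
/usr/bin(/.*)?                   system_u:object_r:bin_t
/usr/lib(/.*)?                   system_u:object_r:lib_t
"""

# Same fragment with a more specific entry appended.  Lookups take the LAST
# matching spec (assumed libselinux behaviour), so this relabels the getconf
# helpers as bin_t and removes the conflict with the /usr/bin/getconf link.
FIXED_FILE_CONTEXTS = BASE_FILE_CONTEXTS + """
/usr/lib/misc/glibc/getconf(/.*)?  --  system_u:object_r:bin_t
"""

# Constructed hard-link groups keyed by made-up inode numbers.  List order is
# the order in which the relabel walk is assumed to encounter each path.
HARDLINKS = {
    101: ["/usr/lib/misc/glibc/getconf/POSIX_V6_ILP32_OFFBIG",
          "/usr/bin/getconf"],
    102: ["/usr/bin/gzip", "/usr/bin/gunzip"],   # both bin_t: no conflict
}


def parse_file_contexts(text):
    """Return a list of (compiled_regex, ftype_or_None, context) specs.
    Blank lines and '#' comments are skipped; the ftype column is optional
    and is parsed but not enforced (all constructed entries are regular files)."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            (regex, context), ftype = fields, None
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        specs.append((re.compile(regex), ftype, context))
    return specs


def lookup_context(specs, path):
    """Context for `path`: the last matching spec wins, so specific entries
    placed later override the generic ones above them (assumed rule; check
    a real policy with matchpathcon).  Returns None if nothing matches."""
    for regex, _ftype, context in reversed(specs):
        if regex.fullmatch(path):
            return context
    return None


def find_hardlink_conflicts(specs, inode_paths):
    """inode_paths: {inode: [path, ...]} groups of hard-linked paths.
    Mirrors setfiles' filespec bookkeeping as inferred from the warning text:
    the first path seen for an inode fixes its context; any later path that
    resolves to a different context is reported as
    (new_path, recorded_path, recorded_context) and the recorded context is kept."""
    conflicts = []
    for _inode, paths in inode_paths.items():
        recorded_path, recorded_ctx = None, None
        for path in paths:
            ctx = lookup_context(specs, path)
            if recorded_path is None:
                recorded_path, recorded_ctx = path, ctx
            elif ctx != recorded_ctx:
                conflicts.append((path, recorded_path, recorded_ctx))
    return conflicts


def format_conflict(conflict):
    """Render a conflict in the same shape as the setfiles warning."""
    path, recorded_path, recorded_ctx = conflict
    return ("filespec_add: conflicting specifications for %s and %s, using %s."
            % (path, recorded_path, recorded_ctx))


if __name__ == "__main__":
    for name, text in (("base", BASE_FILE_CONTEXTS), ("fixed", FIXED_FILE_CONTEXTS)):
        found = find_hardlink_conflicts(parse_file_contexts(text), HARDLINKS)
        print("%s policy: %d conflict(s)" % (name, len(found)))
        for c in found:
            print("  " + format_conflict(c))
```

On a real box the equivalent check is to list multiply-linked regular files (`find / -xdev -type f -links +1`) and compare `matchpathcon` output for the paths sharing an inode; any group whose paths disagree will produce this warning on every relabel until the policy gets an entry that labels all of the linked paths the same way.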
Thread overview: 5+ messages
2010-11-15  0:44 [gentoo-hardened] SELinux (targeted policy) and invalid context  luc nac
2010-11-15  1:14 ` Chris Richards
2010-11-17 20:07 ` Sven Vermeulen
2010-11-17 20:41 ` luc nac [this message]
2010-11-17 21:30 ` Sven Vermeulen