For example: when I'm trying to `make clean load` (with enforcing=1) in /etc/security/selinux/src/policy, the make process dies with permission denied:

# make clean load
rm -f policy.conf policy.20
rm -fR tmp
rm -f file_contexts/file_contexts
rm -f flask/*.h
 * Creating policy.conf
 * Policy version: 20
 * Kernel version: 20
 * Compiling and installing policy.20
/usr/bin/checkpolicy: loading policy configuration from /etc/security/selinux/src/policy.conf
/usr/bin/checkpolicy: unable to open /etc/security/selinux/src/policy.conf
make: *** [/etc/security/selinux/policy.20] Error 1

# ls -laZ /etc/security/selinux/src/policy.conf
-rw-r--r-- root root (null) /etc/security/selinux/src/policy.conf

# restorecon -v /etc/security/selinux/src/policy.conf
restorecon reset /etc/security/selinux/src/policy.conf context ->system_u:object_r:policy_src_t

--
So I can't switch to enforcing=1 at all, because everything is created with a null context.

--
Portage 2.1_pre7-r2 (selinux/2004.1/amd64/lib64, gcc-3.4.5, glibc-2.3.5-r2, 2.6.14-hardened-r6 x86_64)
=================================================================
System uname: 2.6.14-hardened-r6 x86_64 AMD Opteron(tm) Processor 248
Gentoo Base System version 1.6.14
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=opteron -mtune=opteron -funroll-loops -pipe -ftracer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=x86-64 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks loadpolicy metadata-transfer relabel sandbox selinux sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 bash-completion bzip2 crypt emul-linux-x86 nptl nptlonly pam readline selinux ssl threads userlocales vhosts zlib elibc_glibc kernel_linux userland_GNU"
Unset: ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
Are you using XFS?
Yes.
# mount
/dev/sda2 on / type xfs (rw,noatime)
none on /selinux type selinuxfs (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
udev on /dev type tmpfs (rw,nosuid)
devpts on /dev/pts type devpts (rw)
none on /dev/shm type tmpfs (rw)

# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Policy version:                 20

Policy booleans:
secure_mode                     inactive
ssh_sysadm_login                inactive
user_ping                       inactive

Process contexts:
Current context:                voxus:sysadm_r:sysadm_t
Init context:                   system_u:system_r:init_t
/sbin/agetty                    system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:sshd_t

File contexts:
Controlling term:               voxus:object_r:sysadm_devpts_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/bin/login                      system_u:object_r:login_exec_t
/sbin/rc                        system_u:object_r:initrc_exec_t
/sbin/runscript.sh              system_u:object_r:initrc_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/etc/passwd                     voxus:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/sh                         system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash                       system_u:object_r:shell_exec_t
/bin/sash                       system_u:object_r:shell_exec_t
/usr/bin/newrole                system_u:object_r:newrole_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -> system_u:object_r:ld_so_t
XFS is broken on selinux for 2.6.14 and 2.6.15. It is fixed in 2.6.16. Please see: http://marc.theaimsgroup.com/?l=gentoo-hardened&m=113433863728029&w=2
Yep, just found it too. Thank you.
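An added diagnostic script for the situation the thread ends on (example code, not something posted in the thread or shipped by Gentoo): it reports the filesystem type under a path, whether the running kernel is one of the releases named above in combination with XFS, and whether the file actually carries a security.selinux xattr, which is what `ls -Z` renders as `(null)` when it is missing. It assumes getfattr(1) from the attr package, a Linux /proc/mounts, and POSIX df -P and awk. The kernel check is deliberately limited to exactly 2.6.14 and 2.6.15 on xfs, because that is all the thread states; the embedded SAMPLE_MOUNTS is a constructed /proc/mounts-style rendering of the mount output shown above.

```shell
#!/bin/sh
# Example diagnostic, not from the thread. Assumes getfattr (attr package),
# /proc/mounts, and POSIX df -P / awk. Usage: sh selinux_xfs_check.sh FILE...
# With no arguments only the functions are defined.

# Constructed sample in /proc/mounts format, mirroring the mount output in the thread.
SAMPLE_MOUNTS='/dev/sda2 / xfs rw,noatime 0 0
none /selinux selinuxfs rw 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0'

# Print the filesystem type of mountpoint $1, reading /proc/mounts-format text
# ("device mountpoint fstype options dump pass") from stdin.
fstype_of_mount() {
    awk -v mp="$1" '$2 == mp { print $3; exit }'
}

# Print the mountpoint that path $1 lives on (POSIX df -P, 6th column of line 2).
mountpoint_of() {
    df -P "$1" | awk 'NR == 2 { print $6 }'
}

# Print the security.selinux xattr of $1, or "(null)" when the file has none,
# which is what ls -Z shows for an unlabelled file.
file_label() {
    label=$(getfattr --only-values -n security.selinux "$1" 2>/dev/null | tr -d '\0')
    if [ -n "$label" ]; then
        printf '%s\n' "$label"
    else
        printf '(null)\n'
    fi
}

# Return 0 (true) when kernel release $1 (uname -r format, e.g. 2.6.14-hardened-r6)
# and filesystem type $2 are the combination the thread reports broken: XFS on
# 2.6.14 or 2.6.15. Assumption: anything else is treated as fine, since the thread
# only speaks to those two releases and to 2.6.16 as the fix.
xfs_label_broken() {
    [ "$2" = xfs ] || return 1
    v=${1%%-*}                 # 2.6.14-hardened-r6 -> 2.6.14
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; rest=${rest#*.}
    pat=${rest%%[!0-9]*}       # 14_rc1 -> 14 ; 14 -> 14
    [ "$maj" = 2 ] && [ "$min" = 6 ] && { [ "$pat" = 14 ] || [ "$pat" = 15 ]; }
}

# The thread's own case: root on xfs (from SAMPLE_MOUNTS) under 2.6.14-hardened-r6.
# Returns 0 when the checks above classify it as the broken combination.
thread_case() {
    fs=$(printf '%s\n' "$SAMPLE_MOUNTS" | fstype_of_mount /)
    xfs_label_broken "2.6.14-hardened-r6" "$fs"
}

if [ $# -gt 0 ]; then
    kver=$(uname -r)
    for f in "$@"; do
        mp=$(mountpoint_of "$f")
        fs=$(fstype_of_mount "$mp" </proc/mounts)
        printf '%s\n  mount %s type %s, label %s\n' "$f" "$mp" "$fs" "$(file_label "$f")"
        if xfs_label_broken "$kver" "$fs"; then
            printf '  kernel %s on xfs: new files here get no label; the thread points to 2.6.16 for the fix\n' "$kver"
        fi
    done
fi
```

Run it against the file that failed above, e.g. `sh selinux_xfs_check.sh /etc/security/selinux/src/policy.conf`: a `(null)` label on an xfs mount under 2.6.14 or 2.6.15 is the thread's symptom, while `(null)` on a newer kernel or another filesystem points at a relabel problem (restorecon) rather than the XFS bug.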