Hello, I got the new policy. But it seems many modules fail in the linkage state with the following message [this was taken from sec-policy/selinux-snmpd-20070329]:

---
 * Inserting the following modules into the strict module store: snmp
libsepol.permission_copy_callback: Module snmp depends on permission dccp_recv in class node, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
 * Inserting the following modules into the targeted module store: snmp
libsepol.permission_copy_callback: Module snmp depends on permission dccp_recv in class node, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
---

Using 2.6.21 genpatches 4

# emerge --info
Portage 2.1.2.9 (selinux/x86/2006.1, gcc-4.1.2, glibc-2.5-r3, 2.6.21-suspend2-r5 i686)
=================================================================
System uname: 2.6.21-suspend2-r5 i686 Intel(R) Pentium(R) M processor 1.80GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 04 Jun 2007 01:47:01 +0000
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=pentium-m -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-O3 -march=pentium-m -fomit-frame-pointer -pipe"
DISTDIR="/var/gentoo/distfiles"
FEATURES="autoaddcvs cvs distlocks loadpolicy metadata-transfer parallel-fetch sandbox selinux sesandbox sfperms strict userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.hamakor.org.il/pub/mirrors/gentoo http://gentoo.osuosl.org"
LANG="he"
LINGUAS="en he"
MAKEOPTS="-j2"
PKGDIR="/var/gentoo/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/local/alon-barlev-portage /usr/local/ase-portage"
SYNC=""
USE="X aac acpi alsa apache2 arts berkdb bidi bluetooth bzip2 cairo crypt cups curl dbus dri dvd encode esd fam gif gpm gstreamer gtk iconv ipv6 jpeg jpeg2k kde kdeenablefinal kerberos ldap logrotate midi mmx mp3 mpeg ncurses nls nptl nptlonly ogg opengl pam png python qt3 qt4 readline samba sdl selinux smartcard spell sse sse2 ssl svga tcpd tiff truetype unicode vorbis wifi x86 xcomposite xinerama xml xv zlib"
ALSA_CARDS="intel8x0"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
CAMERAS="canon ptp2"
ELIBC="glibc"
INPUT_DEVICES="mouse keyboard evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en he"
USERLAND="GNU"
VIDEO_CARDS="radeon fglrx"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Make sure that you have selinux-base-policy-20070329 installed.
I am encountering the same problem and have selinux-base-policy-20070329 installed. I receive the error when attempting to load the policy for arpwatch, dbus, gnupg, gpm, ntp, openldap, procmail, screen, snmpd, and sudo. All of these are version 20070329. Please let me know if you need additional information or how else I can assist.

$ equery l selinux-base-policy
[ Searching for package 'selinux-base-policy' in all categories among: ]
 * installed packages
[I--] [  ] sec-policy/selinux-base-policy-20070329 (0)

[stephenf@limbo portage]$ emerge --info
Portage 2.1.2.7 (selinux/x86/2006.1, gcc-4.1.2, glibc-2.4-r4, 2.6.20-gentoo-r7 i686)
=================================================================
System uname: 2.6.20-gentoo-r7 i686 Intel(R) Pentium(R) 4 CPU 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 11 Jun 2007 13:00:09 +0000
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=pentium4 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks loadpolicy metadata-transfer sandbox selinux sesandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.ussg.iu.edu/pub/linux/gentoo http://mirror.datapipe.net/gentoo ftp://pandemonium.tiscali.de/pub/gentoo/ ftp://ftp.ecc.u-tokyo.ac.jp/GENTOO"
LANG="en_US.UTF-8"
LINGUAS="en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
USE="X alsa avahi bash-completion berkdb cairo caps crypt cups dba dbus eds emacs evo fbcon firefox foomaticdb fortran freetype gd gdbm gif gnome gnutls gstreamer gtk gtk2 gtkhtml hal imlib ipv6 java jpeg ldap libwww mailwrapper midi milter mime mmx mono motif ncurses nls nptl nptlonly nsplugin opengl pam pcre pdf perl png posix ppds python readline samba sasl sdl selinux snmp sockets spell sse ssl tcpd threads truetype unicode vhosts x86 xml xml2 xv zlib"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en"
USERLAND="GNU"
VIDEO_CARDS="fbdev i128 i740 i810 nv r128 radeon vesa vga"
Unset: CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Try this script to reload all of the policies: http://dev.gentoo.org/~pebenito/refresh_policy.sh

If you have local policy modules, you should run it from that directory.
Running the script worked. The modules I listed before were successfully loaded. Thanks.
OK. Works for me too... After this I can emerge the selinux packages. Why was it initially broken? Can you fix this?
Tried to re-emerge all packages... Got:

 * Inserting the following modules into the strict module store: apm
libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
semodule: Failed!
 * Inserting the following modules into the targeted module store: apm
libsemanage.semanage_exec_prog: Child process /sbin/setfiles did not exit cleanly.
libsemanage.semanage_install_active: setfiles returned error code -1.
libsemanage.semanage_exec_prog: Child process /sbin/setfiles did not exit cleanly.
libsemanage.semanage_install_active: setfiles returned error code -1.
semodule: Failed!
>>> sec-policy/selinux-acpi-20070329 merged.

BTW: Why does the ebuild succeed if something is wrong with the policy?
I'm not sure how you got into this position. The base policy should have been updated first, which would make the dccp_recv available, and then modules compiled later would be inserted cleanly with the availability of this perm. Was selinux-base-policy-20070329 not the first policy merged?

The ebuild succeeds even if module insertion fails because module insertion is for convenience, and is optional. Also, it's possible to have a case where you need to reinsert all of the modules simultaneously, which can't be done from portage (esp. if there are local policy modules). If the ebuilds failed, then you'd never get all of the updated modules.
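To make the "reinsert all of the modules simultaneously" step concrete, the script below is an added example for this page; it is not Gentoo's refresh_policy.sh and not something posted in this bug. It links the base module and every module of one store in a single semodule transaction, so each module's requirements (for instance node:dccp_recv) are resolved against the new base rather than against whatever base was loaded when portage inserted the module one at a time. Assumptions: the sec-policy ebuilds drop base.pp and the <module>.pp files under /usr/share/selinux/<store> (the same directory the manual "cd /usr/share/selinux/strict" later in this thread uses), local modules sit in the current directory, and the SEMODULE variable lets you dry-run with echo before touching the store.

```shell
#!/bin/sh
# Added example (not Gentoo's refresh_policy.sh): reinsert the base module and
# every policy module of one store in a single semodule transaction, so the
# linker checks each module's requirements (e.g. node:dccp_recv) against the
# new base instead of the base that happened to be loaded when portage ran.
set -eu

# Assumed layout: base.pp and <module>.pp live under /usr/share/selinux/<store>;
# locally built modules live in the directory this script is run from.
POLICY_ROOT="${POLICY_ROOT:-/usr/share/selinux}"
LOCAL_DIR="${LOCAL_DIR:-.}"
# Command that is executed; SEMODULE=echo gives a dry run you can inspect first.
SEMODULE="${SEMODULE:-semodule}"

# build_args STORE DIR [LOCAL_DIR]
# Print "-s STORE -b DIR/base.pp -i DIR/x.pp ... -i LOCAL_DIR/y.pp ..." on one
# line. A distribution module is skipped when a same-named local module exists,
# so the local build wins. Fails if base.pp is missing: inserting modules
# without the matching base is exactly what produced the linkage errors above.
# (The list is later split on whitespace, so paths must not contain spaces.)
build_args() {
    store="$1"; dir="$2"; local_dir="${3:-}"
    if [ ! -f "$dir/base.pp" ]; then
        echo "build_args: no base.pp in $dir" >&2
        return 1
    fi
    printf '%s' "-s $store -b $dir/base.pp"
    for pp in "$dir"/*.pp; do
        name=$(basename "$pp")
        [ "$name" = base.pp ] && continue
        if [ -n "$local_dir" ] && [ -f "$local_dir/$name" ]; then
            continue            # shadowed by a local module of the same name
        fi
        printf ' -i %s' "$pp"
    done
    if [ -n "$local_dir" ]; then
        for pp in "$local_dir"/*.pp; do
            [ -f "$pp" ] || continue          # glob matched nothing
            [ "$(basename "$pp")" = base.pp ] && continue
            printf ' -i %s' "$pp"
        done
    fi
    printf '\n'
}

# refresh_store STORE: run the single transaction for one module store.
refresh_store() {
    args=$(build_args "$1" "$POLICY_ROOT/$1" "$LOCAL_DIR") || return 1
    # shellcheck disable=SC2086  # word splitting of the argument list is intended
    $SEMODULE $args
}

# Usage (as root, from the directory holding your local .pp files):
#   sh refresh_all.sh strict targeted
# With no arguments nothing is executed.
for store in ${1+"$@"}; do
    refresh_store "$store"
done
```

Run it with SEMODULE=echo first to see the exact semodule invocation, then for real; the stores that the 2006.1 SELinux profile in this thread ships are strict and targeted, which is why the failing ebuild output above shows two insertion attempts per package.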
(In reply to comment #7)
> I'm not sure how you got into this position. The base policy should have been
> updated first, which would make the dccp_recv available, and then modules
> compiled later would be insert cleanly with the availability of this perm. Was
> selinux-base-policy-20070329 not the first policy merged?

In my case, selinux-base-policy-20070329 was emerged first. After that, the various modules I listed previously were emerged. Examining the log from when selinux-base-policy-20070329 was emerged, I see the following for both the strict and targeted module stores:

libsepol.print_missing_requirements: samba's global requirements were not met: bool samba_share_nfs
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
(In reply to comment #7)
> selinux-base-policy-20070329 not the first policy merged?

Yes.

> to reinsert all of the modules simultaneously, which can't be done from portage
> (esp. if there are local policy modules). If the ebuilds fail, then you'll
> never get all of the updated modules.

But if I have a local policy, it should not conflict with these ones, right? So when will this state be reached?
This happens with large restructuring in policy. See: http://marc.info/?l=gentoo-hardened&m=117573233110226&w=2

I don't expect this type of thing to happen unless it corresponds with a profile change/upgrade. However, the 2006.1 SELinux profile has always been a dev profile, so I don't consider it an issue.
Hmmm... Can you please help me solve the issue? Whenever I emerge sec-policy/selinux-base-policy-20070329 I get:

 * Inserting base module into strict module store.
libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
semodule: Failed!
 * Inserting base module into targeted module store.
libsemanage.semanage_exec_prog: Child process /sbin/setfiles did not exit cleanly.
libsemanage.semanage_install_active: setfiles returned error code -1.
libsemanage.semanage_exec_prog: Child process /sbin/setfiles did not exit cleanly.
libsemanage.semanage_install_active: setfiles returned error code -1.
semodule: Failed!

How can I fix this? What should I unmerge/remove in order to return to a working state? Thanks!
Can you paste any messages in dmesg when this happens?
All I see that is relevant is:

Jun 23 19:52:08 alon1 audit(1182617528.756:15574): avc: denied { read } for pid=25111 comm="ebuild.sh" name="selinux-base-policy-20070329.ebuild" dev=loop5 ino=2268321 scontext=root:sysadm_r:portage_t.sandbox tcontext=system_u:object_r:unlabeled_t tclass=file
Jun 23 19:53:15 alon1 audit(1182617595.646:15578): avc: denied { rename } for pid=26590 comm="semodule" name="active" dev=loop5 ino=850016 scontext=root:sysadm_r:semanage_t tcontext=user_u:object_r:selinux_config_t tclass=dir

But I am not in enforcing mode...
I've got the same problem here.

# emerge selinux-openvpn
[..]
libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
semodule: Failed!

dmesg reads:

grsec: From censored: signal 11 sent to /usr/sbin/semodule[semodule:20900] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/semodule[semodule:20899] uid/euid:0/0 gid/egid:0/0
grsec: From censored: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/semodule[semodule:20900] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/semodule[semodule:20899] uid/euid:0/0 gid/egid:0/0

But if I do a manual

# cd /usr/share/selinux/strict
# semodule -s strict -i openvpn.pp
# exits cleanly
# semodule -l | grep openvpn
openvpn 1.1.2

The machine is in permissive mode.

akara ~ # emerge --info
Portage 2.1.2.9 (selinux/x86, gcc-3.4.6, glibc-2.5-r4, 2.6.21-hardened-r2-a043 i686)
=================================================================
System uname: 2.6.21-hardened-r2-a043 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 07 Jul 2007 14:20:01 +0000
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.23b
virtual/os-headers: 2.6.8.1-r1, 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/qmail/alias /var/qmail/control /var/service"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/local/portage/distfiles"
FEATURES="buildpkg collision-protect distlocks loadpolicy metadata-transfer sandbox selinux sesandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.roedu.net/pub/mirrors/gentoo.org ftp://ftp.lug.ro/gentoo http://gentoo.oregonstate.edu http://www.ibiblio.org/pub/Linux/distributions/gentoo"
PKGDIR="/local/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/local/portage/build"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/local/portage/overlay"
SYNC="rsync://mirrors.bu.avira.com/gentoo-portage"
USE="bzip2 caps crypt hardened nptl nptlonly pam pic readline selinux sse sse2 ssl unicode utf8 x86 zlib"
ELIBC="glibc"
KERNEL="linux"
USERLAND="GNU"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Bug #184520 opened for the segfaulting semodule, since it might be a portage bug.