Bug 180817 - sec-policy/selinux (20070329) issue with dccp_recv
Summary: sec-policy/selinux (20070329) issue with dccp_recv
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: High normal
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-06-04 06:26 UTC by Alon Bar-Lev (RETIRED)
Modified: 2007-07-07 17:27 UTC (History)
2 users

See Also:
Package list:
Runtime testing required: ---
Description Alon Bar-Lev (RETIRED) gentoo-dev 2007-06-04 06:26:02 UTC
Hello,
I got the new policy.
But it seems many modules fail in the linkage stage with the following message [this was taken from sec-policy/selinux-snmpd-20070329]:

---

* Inserting the following modules into the strict module store: snmp
libsepol.permission_copy_callback: Module snmp depends on permission dccp_recv in class node, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
 * Inserting the following modules into the targeted module store: snmp
libsepol.permission_copy_callback: Module snmp depends on permission dccp_recv in class node, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

---

Using 2.6.21 genpatches 4

# emerge --info
Portage 2.1.2.9 (selinux/x86/2006.1, gcc-4.1.2, glibc-2.5-r3, 2.6.21-suspend2-r5 i686)
=================================================================
System uname: 2.6.21-suspend2-r5 i686 Intel(R) Pentium(R) M processor 1.80GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 04 Jun 2007 01:47:01 +0000
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=pentium-m -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-O3 -march=pentium-m -fomit-frame-pointer -pipe"
DISTDIR="/var/gentoo/distfiles"
FEATURES="autoaddcvs cvs distlocks loadpolicy metadata-transfer parallel-fetch sandbox selinux sesandbox sfperms strict userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.hamakor.org.il/pub/mirrors/gentoo http://gentoo.osuosl.org"
LANG="he"
LINGUAS="en he"
MAKEOPTS="-j2"
PKGDIR="/var/gentoo/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/local/alon-barlev-portage /usr/local/ase-portage"
SYNC=""
USE="X aac acpi alsa apache2 arts berkdb bidi bluetooth bzip2 cairo crypt cups curl dbus dri dvd encode esd fam gif gpm gstreamer gtk iconv ipv6 jpeg jpeg2k kde kdeenablefinal kerberos ldap logrotate midi mmx mp3 mpeg ncurses nls nptl nptlonly ogg opengl pam png python qt3 qt4 readline samba sdl selinux smartcard spell sse sse2 ssl svga tcpd tiff truetype unicode vorbis wifi x86 xcomposite xinerama xml xv zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" CAMERAS="canon ptp2" ELIBC="glibc" INPUT_DEVICES="mouse keyboard evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en he" USERLAND="GNU" VIDEO_CARDS="radeon fglrx"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Chris PeBenito (RETIRED) gentoo-dev 2007-06-10 13:39:55 UTC
Make sure that you have selinux-base-policy-20070329 installed.
Comment 2 Stephen Fromm 2007-06-11 16:27:23 UTC
I am encountering the same problem and have selinux-base-policy-20070329 installed.  I receive the error when attempting to load the policy for arpwatch, dbus, gnupg, gpm, ntp, openldap, procmail, screen, snmpd, and sudo.  All of these are version 20070329.  Please let me know if you need additional information or how else I can assist.

$ equery l selinux-base-policy
[ Searching for package 'selinux-base-policy' in all categories among: ]
 * installed packages
[I--] [  ] sec-policy/selinux-base-policy-20070329 (0)
[stephenf@limbo portage]$ emerge --info
Portage 2.1.2.7 (selinux/x86/2006.1, gcc-4.1.2, glibc-2.4-r4, 2.6.20-gentoo-r7 i686)
=================================================================
System uname: 2.6.20-gentoo-r7 i686 Intel(R) Pentium(R) 4 CPU 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 11 Jun 2007 13:00:09 +0000
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=pentium4 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks loadpolicy metadata-transfer sandbox selinux sesandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.ussg.iu.edu/pub/linux/gentoo http://mirror.datapipe.net/gentoo ftp://pandemonium.tiscali.de/pub/gentoo/ ftp://ftp.ecc.u-tokyo.ac.jp/GENTOO"
LANG="en_US.UTF-8"
LINGUAS="en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
USE="X alsa avahi bash-completion berkdb cairo caps crypt cups dba dbus eds emacs evo fbcon firefox foomaticdb fortran freetype gd gdbm gif gnome gnutls gstreamer gtk gtk2 gtkhtml hal imlib ipv6 java jpeg ldap libwww mailwrapper midi milter mime mmx mono motif ncurses nls nptl nptlonly nsplugin opengl pam pcre pdf perl png posix ppds python readline samba sasl sdl selinux snmp sockets spell sse ssl tcpd threads truetype unicode vhosts x86 xml xml2 xv zlib" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="fbdev i128 i740 i810 nv r128 radeon vesa vga"
Unset:  CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 3 Chris PeBenito (RETIRED) gentoo-dev 2007-06-11 17:07:50 UTC
Try this script to reload all of the policies:

http://dev.gentoo.org/~pebenito/refresh_policy.sh

If you have local policy modules, you should run it from that directory.
Comment 4 Stephen Fromm 2007-06-11 17:22:48 UTC
Running the script worked.  The modules I listed before were successfully loaded.  Thanks.
Comment 5 Alon Bar-Lev (RETIRED) gentoo-dev 2007-06-12 18:45:30 UTC
OK.
Works for me too... After this I can emerge the selinux packages.
Why was it initially broken?
Can you fix this?
Comment 6 Alon Bar-Lev (RETIRED) gentoo-dev 2007-06-12 19:28:01 UTC
Tried to reemerge all packages...
Got:
 * Inserting the following modules into the strict module store: apm
libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
semodule:  Failed!
 * Inserting the following modules into the targeted module store: apm
libsemanage.semanage_exec_prog: Child process /sbin/setfiles did not exit cleanly.
libsemanage.semanage_install_active: setfiles returned error code -1.
libsemanage.semanage_exec_prog: Child process /sbin/setfiles did not exit cleanly.
libsemanage.semanage_install_active: setfiles returned error code -1.
semodule:  Failed!
>>> sec-policy/selinux-acpi-20070329 merged.

BTW: Why does the ebuild succeed if something is wrong with the policy?
Comment 7 Chris PeBenito (RETIRED) gentoo-dev 2007-06-15 04:29:16 UTC
I'm not sure how you got into this position.  The base policy should have been updated first, which would make dccp_recv available, and then modules compiled later would be inserted cleanly with the availability of this perm.  Was selinux-base-policy-20070329 not the first policy merged?

The ebuild succeeds even if module insertion fails because module insertion is for convenience, and is optional.  Also, it's possible to have a case where you need to reinsert all of the modules simultaneously, which can't be done from portage (esp. if there are local policy modules).  If the ebuilds fail, then you'll never get all of the updated modules.
Comment 8 Stephen Fromm 2007-06-15 05:26:24 UTC
(In reply to comment #7)
> I'm not sure how you got into this position.  The base policy should have been
> updated first, which would make the dccp_recv available, and then modules
> compiled later would be insert cleanly with the availability of this perm.  Was
> selinux-base-policy-20070329 not the first policy merged?

In my case, selinux-base-policy-20070329 was emerged first.  After that, the various modules I listed previously were emerged.  

Examining the log from when selinux-base-policy-20070329 was emerged, I see the following for both the strict and targeted module stores:

libsepol.print_missing_requirements: samba's global requirements were not met: bool samba_share_nfs
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
Comment 9 Alon Bar-Lev (RETIRED) gentoo-dev 2007-06-15 20:48:00 UTC
(In reply to comment #7)
> selinux-base-policy-20070329 not the first policy merged?

Yes.

> to reinsert all of the modules simultaneously, which can't be done from portage
> (esp. if there are local policy modules).  If the ebuilds fail, then you'll
> never get all of the updated modules.

But if I have local policy, it should not conflict with these ones, right? So when will this state be reached?

Comment 10 Chris PeBenito (RETIRED) gentoo-dev 2007-06-18 14:36:23 UTC
This happens with large restructuring in policy.  See:

http://marc.info/?l=gentoo-hardened&m=117573233110226&w=2

I don't expect this type of thing to happen unless it corresponds with a profile change/upgrade.  However, the 2006.1 SELinux profile has always been a dev profile, so I don't consider it an issue.
Comment 11 Alon Bar-Lev (RETIRED) gentoo-dev 2007-06-22 15:31:18 UTC
Hmmm...
Can you please help me solve the issue?

Whenever I emerge sec-policy/selinux-base-policy-20070329 I get:
 * Inserting base module into strict module store.
libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
semodule:  Failed!
 * Inserting base module into targeted module store.
libsemanage.semanage_exec_prog: Child process /sbin/setfiles did not exit cleanly.
libsemanage.semanage_install_active: setfiles returned error code -1.
libsemanage.semanage_exec_prog: Child process /sbin/setfiles did not exit cleanly.
libsemanage.semanage_install_active: setfiles returned error code -1.
semodule:  Failed!

How can I fix this? What should I unmerge/remove in order to return to a working state?

Thanks!
Comment 12 Chris PeBenito (RETIRED) gentoo-dev 2007-06-23 16:44:08 UTC
Can you paste any messages in dmesg when this happens?
Comment 13 Alon Bar-Lev (RETIRED) gentoo-dev 2007-06-23 16:58:12 UTC
All I see that is relevant is:
Jun 23 19:52:08 alon1 audit(1182617528.756:15574): avc:  denied  { read } for  pid=25111 comm="ebuild.sh" name="selinux-base-policy-20070329.ebuild" dev=loop5 ino=2268321 scontext=root:sysadm_r:portage_t.sandbox tcontext=system_u:object_r:unlabeled_t tclass=file
Jun 23 19:53:15 alon1 audit(1182617595.646:15578): avc:  denied  { rename } for  pid=26590 comm="semodule" name="active" dev=loop5 ino=850016 scontext=root:sysadm_r:semanage_t tcontext=user_u:object_r:selinux_config_t tclass=dir


But I am not in enforcing mode...
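The thread quotes three different kinds of diagnostic: the libsepol link errors from the description and comment 8 ("depends on permission ... not satisfied", "global requirements were not met"), the libsemanage "Child process ... did not exit cleanly" lines from comments 6 and 11, and the AVC denials above. The following Python script is an added example, not part of this bug report or of any Gentoo or SELinux tool: it recognises each of those line formats, pulls out the fields a triager needs (module, permission, class; source and target type of a denial) and attaches the usual interpretation. The sample lines are copied from the comments in this bug; the advice strings are the standard reading of each error and are this example's assumptions, not statements made in the bug.

```python
import re
from typing import Dict, List, Optional

# libsepol link error (bug description): a permission the module uses is
# missing from the loaded base policy.
DEP_RE = re.compile(r"Module (?P<module>\S+) depends on permission (?P<perm>\S+) "
                    r"in class (?P<cls>\S+), not satisfied")
# libsepol requirement error (comment 8): a boolean/type the module requires
# is defined by no loaded module.
REQ_RE = re.compile(r"(?P<module>\w+)'s global requirements were not met: "
                    r"(?P<req_kind>\w+) (?P<name>\S+)")
# libsemanage child failure (comments 6, 11): semodule only relays the exit
# status; the real error is in the child's own output or in dmesg.
CHILD_RE = re.compile(r"Child process (?P<prog>\S+) did not exit cleanly")
# AVC denial (comment 13): "avc:  denied  { perms } for  key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _ctx_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Split one AVC denial into permissions, source/target types and object class."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "stype": _ctx_type(fields.get("scontext", "")),
        "ttype": _ctx_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
    }


def classify(line: str) -> Optional[Dict[str, object]]:
    """Map one line of semodule or audit output to a finding; None for noise."""
    m = DEP_RE.search(line)
    if m:
        return {"kind": "missing_perm", **m.groupdict(),
                "advice": "loaded base policy predates this permission; reinstall the "
                          "base policy, then reload every module in the store"}
    m = REQ_RE.search(line)
    if m:
        return {"kind": "missing_req", **m.groupdict(),
                "advice": "module requires a %s that no loaded module defines; link the "
                          "base and all modules together" % m.group("req_kind")}
    m = CHILD_RE.search(line)
    if m:
        return {"kind": "child_failed", "prog": m.group("prog"),
                "advice": "semodule only reports the exit status; check dmesg and the "
                          "audit log for %s at that time" % m.group("prog")}
    avc = parse_avc(line)
    if avc:
        if avc["ttype"] == "unlabeled_t":
            # unlabeled_t means the object never received a label: a relabel
            # problem, not a policy gap. Permissive mode logs but still grants.
            advice = ("target has no label; relabel with setfiles/restorecon. In "
                      "permissive mode the access is logged but still granted")
        else:
            advice = ("policy denies %s on %s by %s; decide whether the domain should "
                      "have it before changing policy"
                      % (",".join(avc["perms"]), avc["tclass"], avc["stype"]))
        return {"kind": "avc_denied", **avc, "advice": advice}
    return None


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Findings for a block of output, in order, with non-diagnostic lines dropped."""
    return [f for f in (classify(line) for line in lines) if f]


# Sample input: lines copied from the comments in this bug.
SAMPLE = [
    "libsepol.permission_copy_callback: Module snmp depends on permission dccp_recv in class node, not satisfied",
    "libsemanage.semanage_link_sandbox: Link packages failed",
    "semodule:  Failed!",
    "libsepol.print_missing_requirements: samba's global requirements were not met: bool samba_share_nfs",
    "libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.",
    'Jun 23 19:52:08 alon1 audit(1182617528.756:15574): avc:  denied  { read } for  pid=25111 comm="ebuild.sh" name="selinux-base-policy-20070329.ebuild" dev=loop5 ino=2268321 scontext=root:sysadm_r:portage_t.sandbox tcontext=system_u:object_r:unlabeled_t tclass=file',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("%-13s %s" % (finding["kind"], finding["advice"]))
```

Run it against a saved `emerge` log or `dmesg` excerpt by replacing `SAMPLE` with the file's lines. The point of separating `missing_perm` from `missing_req` is the fix differs: the first means the base policy in the store is older than the module being linked, the second means some module (base or otherwise) that should declare the boolean or type is absent from the link set.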
Comment 14 petre rodan (RETIRED) gentoo-dev 2007-07-07 15:22:45 UTC
I've got the same problem here 

# emerge selinux-openvpn
[..]
libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
semodule:  Failed!

dmesg reads:
grsec: From censored: signal 11 sent to /usr/sbin/semodule[semodule:20900] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/semodule[semodule:20899] uid/euid:0/0 gid/egid:0/0
grsec: From censored: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/semodule[semodule:20900] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/semodule[semodule:20899] uid/euid:0/0 gid/egid:0/0

but if I do a manual
# cd /usr/share/selinux/strict
# semodule -s strict -i openvpn.pp # exits cleanly
# semodule -l | grep openvpn
openvpn 1.1.2

The machine is in permissive mode.

akara ~ # emerge --info
Portage 2.1.2.9 (selinux/x86, gcc-3.4.6, glibc-2.5-r4, 2.6.21-hardened-r2-a043 i686)
=================================================================
System uname: 2.6.21-hardened-r2-a043 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 07 Jul 2007 14:20:01 +0000
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.8.1-r1, 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/qmail/alias /var/qmail/control /var/service"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/local/portage/distfiles"
FEATURES="buildpkg collision-protect distlocks loadpolicy metadata-transfer sandbox selinux sesandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.roedu.net/pub/mirrors/gentoo.org ftp://ftp.lug.ro/gentoo http://gentoo.oregonstate.edu http://www.ibiblio.org/pub/Linux/distributions/gentoo"
PKGDIR="/local/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/local/portage/build"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/local/portage/overlay"
SYNC="rsync://mirrors.bu.avira.com/gentoo-portage"
USE="bzip2 caps crypt hardened nptl nptlonly pam pic readline selinux sse sse2 ssl unicode utf8 x86 zlib" ELIBC="glibc" KERNEL="linux" USERLAND="GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 15 petre rodan (RETIRED) gentoo-dev 2007-07-07 17:27:16 UTC
Bug #184520 opened for the segfaulting semodule, since it might be a portage bug.