I've changed my system to selinux. After following the hardened guide, an emerge -upvDN world is required. Then this error occurs.

Reproducible: Always

Steps to Reproduce:
1. Change to SELINUX
2. Recompile gpm with the SELINUX USE Flag
3.

Actual Results:
>>> Emerging (1 of 2) sec-policy/selinux-gpm-20070928
>>> Failed to emerge sec-policy/selinux-gpm-20070928, Log file:
>>> '/var/tmp/portage/sec-policy/selinux-gpm-20070928/temp/build.log'

make: Entering directory `/var/tmp/portage/sec-policy/selinux-gpm-20070928/work/strict'
Compiling strict gpm module
gpm.te:72: Warning: userdom_dontaudit_search_sysadm_home_dirs(gpm_t) has been deprecated. Please use sysadm_dontaudit_search_home_dirs() instead.
/usr/bin/checkmodule: loading policy configuration from tmp/gpm.tmp
gpm.te":44:ERROR 'permission open is not defined for class sock_file' at token ';' on line 2474:
allow gpm_t gpmctl_t:sock_file { create open getattr setattr read write append rename link unlink ioctl lock };
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/gpm.mod] Error 1
make: Leaving directory `/var/tmp/portage/sec-policy/selinux-gpm-20070928/work/strict'
*
* ERROR: sec-policy/selinux-gpm-20070928 failed.
* Call stack:
*   ebuild.sh, line 49: Called src_compile
*   environment, line 2235: Called selinux-policy-2_src_compile
*   environment, line 2166: Called die
* The specific snippet of code:
*   make NAME=$i -C ${S}/${i} || die "${i} compile failed";
* The die message:
*   strict compile failed
*
* If you need support, post the topmost build error, and the call stack if relevant.
* A complete build log is located at '/var/tmp/portage/sec-policy/selinux-gpm-20070928/temp/build.log'.
* The ebuild environment file is located at '/var/tmp/portage/sec-policy/selinux-gpm-20070928/temp/environment'.
*

Expected Results:
Installing gpm successfully.

My emerge --info:

# emerge --info
Portage 2.1.6.7 (selinux/2007.0/amd64, gcc-4.1.2, glibc-2.8_p20080602-r1, 2.6.27.10-grsec x86_64)
=================================================================
System uname: Linux-2.6.27.10-grsec-x86_64-Intel-R-_Core-TM-2_Duo_CPU_T9400_@_2.53GHz-with-glibc2.2.5
Timestamp of tree: Mon, 23 Mar 2009 09:30:01 +0000
ccache version 2.4 [enabled]
app-shells/bash: 3.2_p39
dev-java/java-config: 1.3.7-r1, 2.1.7
dev-lang/python: 2.4.4-r14, 2.5.2-r7
dev-python/pycrypto: 2.0.1-r8
dev-util/ccache: 2.4-r7
dev-util/cmake: 2.4.8
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.63
sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils: 2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -fomit-frame-pointer -march=k8"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -fomit-frame-pointer -march=k8"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distlocks fixpackages loadpolicy parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://gentoo.arcticnetwork.ca/pub/gentoo/ http://gentoo.arcticnetwork.ca/source/ ftp://mirrors.tera-byte.com/pub/gentoo http://gentoo.mirrors.tera-byte.com/ ftp://distro.ibiblio.org/pub/linux/distributions/gentoo/ http://distro.ibiblio.org/pub/linux/distributions/gentoo/ ftp://ftp.gtlib.gatech.edu/pub/gentoo http://www.gtlib.gatech.edu/pub/gentoo ftp://ftp.ussg.iu.edu/pub/linux/gentoo ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/ http://ftp.ucsb.edu/pub/mirrors/linux/gentoo/ ftp://gentoo.mirrors.pair.com/ ftp://gentoo.mirrors.tds.net/gentoo http://mirror.datapipe.net/gentoo ftp://mirror.datapipe.net/gentoo http://gentoo.cites.uiuc.edu/pub/gentoo/ ftp://gentoo.cites.uiuc.edu/pub/gentoo/ http://gd.tuwien.ac.at/opsys/linux/gentoo/ ftp://gd.tuwien.ac.at/opsys/linux/gentoo/ http://mirror.bih.net.ba/gentoo/ ftp://mirror.bih.net.ba/gentoo/ http://gentoo.mirror.web4u.cz/ ftp://gentoo.mirror.web4u.cz/ http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo http://de-mirror.org/distro/gentoo/ ftp://de-mirror.org/distro/gentoo/ http://gentoo.tiscali.nl/ ftp://gentoo.tiscali.nl/pub/mirror/gentoo/ http://gentoo.mirror.pw.edu.pl/ http://ftp.roedu.net/pub/mirrors/gentoo.org/ ftp://ftp.roedu.net/pub/mirrors/gentoo.org/ http://mirror.switch.ch/ftp/mirror/gentoo/ ftp://mirror.switch.ch/mirror/gentoo/ http://ftp.linux.org.tr/gentoo/ ftp://ftp.linux.org.tr/pub/gentoo/ ftp://ftp.swin.edu.au/gentoo http://ftp.swin.edu.au/gentoo "
LDFLAGS=""
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X amd64 bash-completion berkdb cli cracklib crypt cups dri fortran gdbm gpm hardened iconv ipv6 isdnlog jpeg midi mmx mudflap ncurses nls nptl nptlonly opengl openmp pam pcre perl pic png pppd python readline reflection selinux session spl sse sse2 ssl tcpd unicode vim-syntax xinerama xorg zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="intel vesa radeonhd radeon"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

You need to reinstall your base module since the running policy is not matching the installed policy headers.

semodule -b /usr/share/selinux/strict/base.pp
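
A way to pull this class of error out of a Portage build log when triaging a failed policy-module build, given as an added example that is not part of the bug report or of any Gentoo tooling. The function names and the SAMPLE_LOG variable are hypothetical, and the error-line format is assumed from the single checkmodule line quoted in the report.

```shell
#!/bin/sh
# Added example, not part of the bug report: triage checkmodule errors in a
# Portage build log for an SELinux policy module.

# stdin: build log. stdout: one "class permission file:line" record per
# "permission X is not defined for class Y" error, deduplicated.
undefined_perms() {
    sed -n -E "s/^([^\":]+)\"?:([0-9]+):ERROR 'permission ([A-Za-z0-9_]+) is not defined for class ([A-Za-z0-9_]+)'.*/\4 \3 \1:\2/p" | sort -u
}

# stdin: build log. Prints a summary; returns 0 when undefined-permission
# errors were found, 1 when there were none.
triage() {
    records=$(undefined_perms)
    [ -n "$records" ] || { echo "no undefined-permission errors"; return 1; }
    printf '%s\n' "$records" | while read -r class perm where; do
        echo "$where: class '$class' has no permission '$perm' in the policy being compiled against"
    done
    # Advice taken from the reply in this report.
    echo "check that the loaded base module matches the installed policy headers"
}

# Excerpt of the build log quoted in the report above (warning line shortened).
SAMPLE_LOG=$(cat <<'EOF'
Compiling strict gpm module
gpm.te:72: Warning: userdom_dontaudit_search_sysadm_home_dirs(gpm_t) has been deprecated.
/usr/bin/checkmodule: loading policy configuration from tmp/gpm.tmp
gpm.te":44:ERROR 'permission open is not defined for class sock_file' at token ';' on line 2474:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
EOF
)

printf '%s\n' "$SAMPLE_LOG" | triage
```

To run it against a real log, pipe the file in, for example `triage < build.log`.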