Bug 370765 - sec-policy/selinux-ldap-2.20101213-r1 - /usr/bin/checkmodule: loading policy configuration from tmp/ldap.tmp ldap.te":22:ERROR 'syntax error' at token 'init_script_file' on line 2180: init_script_file(slapd_initrc_exec_t)
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: SE Linux Bugs
Reported: 2011-06-09 09:30 UTC by Tadas
Modified: 2011-07-22 10:45 UTC
Description Tadas 2011-06-09 09:30:26 UTC
http://paste.pocoo.org/show/403322/
http://paste.pocoo.org/show/403318/

 * Package:    sec-policy/selinux-ldap-2.20101213-r1
 * Repository: gentoo
 * Maintainer: selinux@gentoo.org
 * USE:        amd64 elibc_glibc kernel_linux selinux userland_GNU
 * FEATURES:   sandbox selinux sesandbox
>>> Unpacking source...
>>> Unpacking refpolicy-2.20101213.tar.bz2 to /var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work
 * Patching strict
 * Applying fix-services-ldap-r1.patch ... [ ok ]
 * Patching targeted
 * Applying fix-services-ldap-r1.patch ... [ ok ]
>>> Source unpacked in /var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work
>>> Compiling source in /var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work ...
make: Įeinama į aplanką „/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work/strict“
Compiling strict ldap module
/usr/bin/checkmodule:  loading policy configuration from tmp/ldap.tmp
ldap.te":22:ERROR 'syntax error' at token 'init_script_file' on line 2180:
init_script_file(slapd_initrc_exec_t)
type slapd_initrc_exec_t;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/ldap.mod] Error 1
make: Išeinama iš aplanko „/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work/strict“
 * ERROR: sec-policy/selinux-ldap-2.20101213-r1 failed (compile phase):
 *   strict compile failed
 *
 * Call stack:
 *     ebuild.sh, line   56:  Called src_compile
 *   environment, line 2234:  Called selinux-policy-2_src_compile
 *   environment, line 2150:  Called die
 * The specific snippet of code:
 *           make NAME=$i -C "${S}"/${i} || die "${i} compile failed";
 *
 * If you need support, post the output of 'emerge --info =sec-policy/selinux-ldap-2.20101213-r1',
 * the complete build log and the output of 'emerge -pqv =sec-policy/selinux-ldap-2.20101213-r1'.
 * The complete build log is located at '/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/temp/environment'.
 * S: '/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work/'

Reproducible: Always

Portage 2.1.9.42 (selinux/2007.0/amd64/hardened, gcc-4.3.4-hardenednopie, libc-0-r0, 2.6.32-hardened-r9 x86_64)
=================================================================
System uname: Linux-2.6.32-hardened-r9-x86_64-Dual_Core_AMD_Opteron-tm-_Processor_275-with-gentoo-2.0.2
Timestamp of tree: Thu, 09 Jun 2011 07:00:01 +0000
app-shells/bash:     4.1_p9
dev-java/java-config: 2.1.11-r3
dev-lang/python:     2.4.4-r13, 2.5.4-r3, 2.6.6-r2, 2.7.1-r1, 3.1.3-r1
dev-util/cmake:      2.8.4-r1
sys-apps/baselayout: 2.0.2
sys-apps/openrc:     0.8.2-r1
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.65-r1
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       3.4.6-r2, 4.1.2, 4.3.4, 4.4.5
sys-devel/gcc-config: 1.4.1-r1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.82
sys-kernel/linux-headers: 2.6.36.1
sys-libs/glibc:      2.12.2
virtual/os-headers:  0
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=athlon64 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages loadpolicy news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="lt_LT.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 apache2 berkdb big-tables caps cgi cli cracklib crypt ctype cups curl cxx dbus dhcp dri embedded examples extensions fontconfig fortran gd hardened hash iconv imap ipv6 jpeg json ldap maildir modules mudflap mysql mysqli ncurses nls openmp pam pcre pdo perl php pic png pppd python readline rss sasl selinux session simplexml soap sqlite sqlite3 ssl tcpd truetype unicode vhosts xml xmlrpc xorg xpm xsl zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions proxy proxy_http ctions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias cgi" CALLIGRA_FEATURES="braindump flow karbon kexi kpresenter krita tables words" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 
ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2011-06-10 02:37:22 UTC
LANG="lt_LT.utf8"

Can't read that. Please attach something generated with LANG=C.

http://paste.pocoo.org/show/403322/
http://paste.pocoo.org/show/403318/

Attach those too.
Comment 2 Tadas 2011-06-10 06:41:47 UTC
 * Package:    sec-policy/selinux-ldap-2.20101213-r1
 * Repository: gentoo
 * Maintainer: selinux@gentoo.org
 * USE:        amd64 elibc_glibc kernel_linux selinux userland_GNU
 * FEATURES:   sandbox selinux sesandbox
>>> Unpacking source...
>>> Unpacking refpolicy-2.20101213.tar.bz2 to /var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work
 * Patching strict
 * Applying fix-services-ldap-r1.patch ... [ ok ]
 * Patching targeted
 * Applying fix-services-ldap-r1.patch ... [ ok ]
>>> Source unpacked in /var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work
>>> Compiling source in /var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work ...
make: Entering directory `/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work/strict'
Compiling strict ldap module
/usr/bin/checkmodule:  loading policy configuration from tmp/ldap.tmp
ldap.te":22:ERROR 'syntax error' at token 'init_script_file' on line 2180:
init_script_file(slapd_initrc_exec_t)
type slapd_initrc_exec_t;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/ldap.mod] Error 1
make: Leaving directory `/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work/strict'
 * ERROR: sec-policy/selinux-ldap-2.20101213-r1 failed (compile phase):
 *   strict compile failed
 *
 * Call stack:
 *     ebuild.sh, line   56:  Called src_compile
 *   environment, line 2234:  Called selinux-policy-2_src_compile
 *   environment, line 2150:  Called die
 * The specific snippet of code:
 *           make NAME=$i -C "${S}"/${i} || die "${i} compile failed";
 *
 * If you need support, post the output of 'emerge --info =sec-policy/selinux-ldap-2.20101213-r1',
 * the complete build log and the output of 'emerge -pqv =sec-policy/selinux-ldap-2.20101213-r1'.
 * The complete build log is located at '/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/temp/environment'.
 * S: '/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work/'
Comment 3 Tadas 2011-06-10 06:42:20 UTC
Portage 2.1.9.42 (selinux/2007.0/amd64/hardened, gcc-4.3.4-hardenednopie, libc-0-r0, 2.6.32-hardened-r9 x86_64)
=================================================================
System uname: Linux-2.6.32-hardened-r9-x86_64-Dual_Core_AMD_Opteron-tm-_Processor_275-with-gentoo-2.0.2
Timestamp of tree: Thu, 09 Jun 2011 07:00:01 +0000
app-shells/bash:     4.1_p9
dev-java/java-config: 2.1.11-r3
dev-lang/python:     2.4.4-r13, 2.5.4-r3, 2.6.6-r2, 2.7.1-r1, 3.1.3-r1
dev-util/cmake:      2.8.4-r1
sys-apps/baselayout: 2.0.2
sys-apps/openrc:     0.8.2-r1
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.65-r1
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       3.4.6-r2, 4.1.2, 4.3.4, 4.4.5
sys-devel/gcc-config: 1.4.1-r1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.82
sys-kernel/linux-headers: 2.6.36.1
sys-libs/glibc:      2.12.2
virtual/os-headers:  0
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=athlon64 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages loadpolicy news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="C"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 apache2 berkdb big-tables caps cgi cli cracklib crypt ctype cups curl cxx dbus dhcp dri embedded examples extensions fontconfig fortran gd hardened hash iconv imap ipv6 jpeg json ldap maildir modules mudflap mysql mysqli ncurses nls openmp pam pcre pdo perl php pic png pppd python readline rss sasl selinux session simplexml soap sqlite sqlite3 ssl tcpd truetype unicode vhosts xml xmlrpc xorg xpm xsl zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions proxy proxy_http ctions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias cgi" CALLIGRA_FEATURES="braindump flow karbon kexi kpresenter krita tables words" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 
ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 4 Sven Vermeulen 2011-06-10 19:20:37 UTC
Which version of selinux-base-policy are you running?

Please try installing the latest one available /and/ make sure that it is loaded (i.e. cksum /etc/selinux/strict/modules/active/base.pp /usr/share/selinux/strict/base.pp should give the same checksums for both files)

Does that help?
Comment 5 Tadas 2011-06-10 21:28:30 UTC
(In reply to comment #4)
> Which version of selinux-base-policy are you running?
> 
> Please try installing the latest one available /and/ make sure that it is
> loaded (i.e. cksum /etc/selinux/strict/modules/active/base.pp
> /usr/share/selinux/strict/base.pp should give the same checksums for both
> files)
> 
> Does that help?

sec-policy/selinux-base-policy-20080525

# load_policy
SELinux:  Could not downgrade policy file /etc/selinux/strict/policy/policy.24, searching for an older version.
SELinux:  Could not downgrade policy file /etc/selinux/strict/policy/policy.23, searching for an older version.
SELinux:  Could not downgrade policy file /etc/selinux/strict/policy/policy.21, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/strict/policy/policy.24:  No such file or directory
load_policy:  Can't load policy:  No such file or directory

:/
Comment 6 Sven Vermeulen 2011-06-11 08:27:37 UTC
sec-policy/selinux-base-policy-20080525 is an old policy that isn't supported anymore. Can you build sec-policy/selinux-base-policy-2.20101213-r16?
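
The two things asked about in comments 4 and 6 (which numbering scheme the installed base policy uses, and whether the packaged base.pp is the one in the active module store) can be scripted as a pre-flight check before building a policy module. This is an added example, not part of the bug report or of Gentoo's tooling; the function names and the optional root-prefix argument are hypothetical, and the two file paths are the ones quoted in comment 4.

```shell
#!/bin/sh
# Added example: pre-flight checks before building a sec-policy/selinux-* module.
# Function names and the root prefix are hypothetical; the base.pp paths are
# the ones quoted in comment 4.

# Classify a selinux-base-policy version by its numbering scheme:
#   20080525, 20080525-r1       -> legacy (old YYYYMMDD policy)
#   2.20101213-r16, 2.20090730  -> v2     (2.YYYYMMDD policy)
policy_scheme() {
    d='[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
    case "$1" in
        2.$d|2.$d-r[0-9]*) echo v2 ;;
        $d|$d-r[0-9]*)     echo legacy ;;
        *)                 echo unknown ;;
    esac
}

# Compare the packaged base.pp with the copy in the active module store.
#   $1 = policy type (strict or targeted)
#   $2 = optional root prefix, so the check can run against a test tree
# Returns 0 if the checksums match, 1 if they differ, 2 if a file is missing.
base_policy_in_sync() {
    ptype=$1
    root=${2:-}
    active="$root/etc/selinux/$ptype/modules/active/base.pp"
    packaged="$root/usr/share/selinux/$ptype/base.pp"
    [ -r "$active" ] && [ -r "$packaged" ] || return 2
    a=$(cksum < "$active")
    p=$(cksum < "$packaged")
    [ "$a" = "$p" ]
}

# Run both checks and print a one-line verdict.
#   $1 = installed selinux-base-policy version, $2 = policy type, $3 = root prefix
# Returns 0 only when a 2.YYYYMMDD base policy is installed and loaded.
preflight() {
    version=$1
    ptype=$2
    root=${3:-}
    scheme=$(policy_scheme "$version")
    if [ "$scheme" != v2 ]; then
        echo "selinux-base-policy-$version uses the $scheme numbering; install a 2.YYYYMMDD version first"
        return 1
    fi
    rc=0
    base_policy_in_sync "$ptype" "$root" || rc=$?
    case $rc in
        0) echo "selinux-base-policy-$version is installed and loaded"
           return 0 ;;
        1) echo "packaged and active base.pp differ for $ptype; the new base policy is not loaded"
           return 1 ;;
        *) echo "base.pp is missing for $ptype; the base policy is not installed or not loaded"
           return 1 ;;
    esac
}

# Example: preflight 2.20101213-r16 strict
```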
Comment 7 Tadas 2011-06-11 08:49:51 UTC
I think there is some problem with versioning....


# eix sec-policy/selinux-base-policy
[I] sec-policy/selinux-base-policy
     Available versions:  ~2.20090730 ~2.20090814 ~2.20091215 ~2.20101213-r11 ~2.20101213-r12 2.20101213-r16 20080525 ~20080525-r1 {(+)open_perms +peer_perms +ubac}
     Installed versions:  20080525(00:25:39 06/11/11)
     Homepage:            http://www.gentoo.org/proj/en/hardened/selinux/
     Description:         Gentoo base policy for SELinux


# echo "=sec-policy/selinux-base-policy-20080525" >> /etc/portage/package.mask



# emerge -av selinux-base-policy
FEATURES variable contains unknown value(s): loadpolicy

 * IMPORTANT: 7 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.


These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild     UD] sec-policy/selinux-base-policy-2.20101213-r16 [20080525] USE="open_perms%* peer_perms%* ubac%*" 0 kB

Total: 1 package (1 downgrade), Size of downloads: 0 kB

!!! Multiple package instances within a single package slot have been pulled
!!! into the dependency graph, resulting in a slot conflict:

sec-policy/selinux-base-policy:0

  (sec-policy/selinux-base-policy-20080525, installed) pulled in by
    >=sec-policy/selinux-base-policy-20080525 required by (sec-policy/selinux-gnupg-20080525, installed)
    (and 10 more with the same problem)

  (sec-policy/selinux-base-policy-2.20101213-r16, ebuild scheduled for merge) pulled in by
    (no parents that aren't satisfied by other packages in this slot)


It may be possible to solve this problem by using package.mask to
prevent one of those packages from being selected. However, it is also
possible that conflicting dependencies exist such that they are
impossible to satisfy simultaneously.  If such a conflict exists in
the dependencies of two different packages, then those packages can
not be installed simultaneously. You may want to try a larger value of
the --backtrack option, such as --backtrack=30, in order to see if
that will solve this conflict automatically.

For more information, see MASKED PACKAGES section in the emerge man
page or refer to the Gentoo Handbook.


 * IMPORTANT: 7 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.
Comment 8 Sven Vermeulen 2011-06-11 10:31:25 UTC
The SELinux profile you are using isn't supported anymore either.

Switch to the v2refpolicy ones (or even the new selinux profiles that are subprofiles of the main ones, like hardened/linux/amd64/selinux). These profiles mask out the 2008* ones.
Comment 9 Tadas 2011-06-11 11:49:10 UTC
# eselect profile list
Available profile symlink targets:
  [1]   default/linux/amd64/10.0
  [2]   default/linux/amd64/10.0/desktop
  [3]   default/linux/amd64/10.0/desktop/gnome
  [4]   default/linux/amd64/10.0/desktop/kde
  [5]   default/linux/amd64/10.0/developer
  [6]   default/linux/amd64/10.0/no-multilib
  [7]   default/linux/amd64/10.0/server
  [8]   hardened/linux/amd64
  [9]   hardened/linux/amd64/selinux
  [10]  hardened/linux/amd64/no-multilib
  [11]  hardened/linux/amd64/no-multilib/selinux
  [12]  selinux/2007.0/amd64
  [13]  selinux/2007.0/amd64/hardened
  [14]  selinux/v2refpolicy/amd64
  [15]  selinux/v2refpolicy/amd64/desktop
  [16]  selinux/v2refpolicy/amd64/developer
  [17]  selinux/v2refpolicy/amd64/hardened *
  [18]  selinux/v2refpolicy/amd64/server



# emerge -uDNv system && revdep-rebuild -e -i && emerge -uDNv world && revdep-rebuild -e -i
FEATURES variable contains unknown value(s): loadpolicy

 * IMPORTANT: 7 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.


These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  N    ] sec-policy/selinux-ldap-2.20101213-r1  0 kB
[ebuild     UD] sec-policy/selinux-mysql-2.20101213-r1 [20080525] 0 kB
[ebuild  N    ] sec-policy/selinux-openldap-2.20101213-r1  0 kB
[ebuild     U ] dev-db/mysql-5.1.56 [5.1.51] USE="big-tables community embedded perl (selinux) ssl -cluster -debug -extraengine -latin1 -max-idx-128 -minimal -pbxt -profiling -static -test -xtradb" 0 kB

Total: 4 packages (1 upgrade, 1 downgrade, 2 new), Size of downloads: 0 kB

!!! The following installed packages are masked:
- sec-policy/selinux-dhcp-20080525 (masked by: package.mask)
/usr/portage/profiles/selinux/v2refpolicy/package.mask:
# force version 2.YYYYMMDD policy over version YYYYMMDD policy

- sec-policy/selinux-gnupg-20080525 (masked by: package.mask)
- sec-policy/selinux-dbus-20080525 (masked by: package.mask)
- sec-policy/selinux-openvpn-20080525 (masked by: package.mask)
- sec-policy/selinux-tftpd-20080525 (masked by: package.mask)
- sec-policy/selinux-courier-imap-20080525 (masked by: package.mask)
- sec-policy/selinux-apache-20080525 (masked by: package.mask)
- sec-policy/selinux-ftpd-20080525 (masked by: package.mask)
- sec-policy/selinux-base-policy-20080525 (masked by: package.mask)
- sec-policy/selinux-ntp-20080525 (masked by: package.mask)
- sec-policy/selinux-postfix-20080525 (masked by: package.mask)
For more information, see the MASKED PACKAGES section in the emerge
man page or refer to the Gentoo Handbook.



>>> Verifying ebuild manifests

>>> Starting parallel fetch

>>> Emerging (1 of 4) sec-policy/selinux-ldap-2.20101213-r1
 * refpolicy-2.20101213.tar.bz2 RMD160 SHA1 SHA256 size ;-) ...                                                                                                                                                                       [ ok ]
 * Package:    sec-policy/selinux-ldap-2.20101213-r1
 * Repository: gentoo
 * Maintainer: selinux@gentoo.org
 * USE:        amd64 elibc_glibc kernel_linux selinux userland_GNU
 * FEATURES:   sandbox selinux sesandbox
>>> Unpacking source...
>>> Unpacking refpolicy-2.20101213.tar.bz2 to /var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work
 * Patching strict
 * Applying fix-services-ldap-r1.patch ...                                                                                                                                                                                            [ ok ]
 * Patching targeted
 * Applying fix-services-ldap-r1.patch ...                                                                                                                                                                                            [ ok ]
>>> Source unpacked in /var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work
>>> Compiling source in /var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work ...
make: Entering directory `/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work/strict'
Compiling strict ldap module
/usr/bin/checkmodule:  loading policy configuration from tmp/ldap.tmp
ldap.te":22:ERROR 'syntax error' at token 'init_script_file' on line 2180:
init_script_file(slapd_initrc_exec_t)
type slapd_initrc_exec_t;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/ldap.mod] Error 1
make: Leaving directory `/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work/strict'
 * ERROR: sec-policy/selinux-ldap-2.20101213-r1 failed (compile phase):
 *   strict compile failed
 *
 * Call stack:
 *     ebuild.sh, line   56:  Called src_compile
 *   environment, line 2234:  Called selinux-policy-2_src_compile
 *   environment, line 2150:  Called die
 * The specific snippet of code:
 *           make NAME=$i -C "${S}"/${i} || die "${i} compile failed";
 *
 * If you need support, post the output of 'emerge --info =sec-policy/selinux-ldap-2.20101213-r1',
 * the complete build log and the output of 'emerge -pqv =sec-policy/selinux-ldap-2.20101213-r1'.
 * The complete build log is located at '/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/temp/environment'.
 * S: '/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work/'

>>> Failed to emerge sec-policy/selinux-ldap-2.20101213-r1, Log file:

>>>  '/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/temp/build.log'

 * Messages for package sec-policy/selinux-ldap-2.20101213-r1:

 * ERROR: sec-policy/selinux-ldap-2.20101213-r1 failed (compile phase):
 *   strict compile failed
 *
 * Call stack:
 *     ebuild.sh, line   56:  Called src_compile
 *   environment, line 2234:  Called selinux-policy-2_src_compile
 *   environment, line 2150:  Called die
 * The specific snippet of code:
 *           make NAME=$i -C "${S}"/${i} || die "${i} compile failed";
 *
 * If you need support, post the output of 'emerge --info =sec-policy/selinux-ldap-2.20101213-r1',
 * the complete build log and the output of 'emerge -pqv =sec-policy/selinux-ldap-2.20101213-r1'.
 * The complete build log is located at '/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/temp/environment'.
 * S: '/var/tmp/portage/sec-policy/selinux-ldap-2.20101213-r1/work/'

 * IMPORTANT: 7 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.






# emerge -v selinux-base-policy
FEATURES variable contains unknown value(s): loadpolicy

 * IMPORTANT: 7 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.


These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild     UD] sec-policy/selinux-base-policy-2.20101213-r16 [20080525] USE="open_perms%* peer_perms%* ubac%*" 0 kB

Total: 1 package (1 downgrade), Size of downloads: 0 kB

!!! Multiple package instances within a single package slot have been pulled
!!! into the dependency graph, resulting in a slot conflict:

sec-policy/selinux-base-policy:0

  (sec-policy/selinux-base-policy-20080525, installed) pulled in by
    >=sec-policy/selinux-base-policy-20080525 required by (sec-policy/selinux-gnupg-20080525, installed)
    (and 10 more with the same problem)

  (sec-policy/selinux-base-policy-2.20101213-r16, ebuild scheduled for merge) pulled in by
    (no parents that aren't satisfied by other packages in this slot)


It may be possible to solve this problem by using package.mask to
prevent one of those packages from being selected. However, it is also
possible that conflicting dependencies exist such that they are
impossible to satisfy simultaneously.  If such a conflict exists in
the dependencies of two different packages, then those packages can
not be installed simultaneously. You may want to try a larger value of
the --backtrack option, such as --backtrack=30, in order to see if
that will solve this conflict automatically.

For more information, see MASKED PACKAGES section in the emerge man
page or refer to the Gentoo Handbook.


!!! The following installed packages are masked:
- sec-policy/selinux-dhcp-20080525 (masked by: package.mask)
/usr/portage/profiles/selinux/v2refpolicy/package.mask:
# force version 2.YYYYMMDD policy over version YYYYMMDD policy

- sec-policy/selinux-gnupg-20080525 (masked by: package.mask)
- sec-policy/selinux-mysql-20080525 (masked by: package.mask)
- sec-policy/selinux-dbus-20080525 (masked by: package.mask)
- sec-policy/selinux-openvpn-20080525 (masked by: package.mask)
- sec-policy/selinux-tftpd-20080525 (masked by: package.mask)
- sec-policy/selinux-courier-imap-20080525 (masked by: package.mask)
- sec-policy/selinux-apache-20080525 (masked by: package.mask)
- sec-policy/selinux-ftpd-20080525 (masked by: package.mask)
- sec-policy/selinux-ntp-20080525 (masked by: package.mask)
- sec-policy/selinux-postfix-20080525 (masked by: package.mask)
For more information, see the MASKED PACKAGES section in the emerge
man page or refer to the Gentoo Handbook.


 * IMPORTANT: 7 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.




emerge --info

Portage 2.1.9.42 (selinux/v2refpolicy/amd64/hardened, gcc-4.3.4-hardenednopie, libc-0-r0, 2.6.32-hardened-r9 x86_64)
=================================================================
System uname: Linux-2.6.32-hardened-r9-x86_64-Dual_Core_AMD_Opteron-tm-_Processor_275-with-gentoo-2.0.2
Timestamp of tree: Sat, 11 Jun 2011 11:30:01 +0000
app-shells/bash:     4.1_p9
dev-java/java-config: 2.1.11-r3
dev-lang/python:     2.4.4-r13, 2.5.4-r3, 2.6.6-r2, 2.7.1-r1, 3.1.3-r1
dev-util/cmake:      2.8.4-r1
sys-apps/baselayout: 2.0.2
sys-apps/openrc:     0.8.2-r1
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.65-r1
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       3.4.6-r2, 4.1.2, 4.3.4, 4.4.5
sys-devel/gcc-config: 1.4.1-r1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.82
sys-kernel/linux-headers: 2.6.36.1
sys-libs/glibc:      2.12.2
virtual/os-headers:  0
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=athlon64 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages loadpolicy news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="C"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 apache2 berkdb big-tables caps cgi cli cracklib crypt ctype cups curl cxx dbus dhcp dri embedded examples extensions fontconfig fortran gd hardened hash iconv imap ipv6 jpeg json ldap maildir modules mudflap mysql mysqli ncurses nls openmp pam pcre pdo perl php pic png pppd python readline rss sasl selinux session simplexml soap sqlite sqlite3 ssl tcpd truetype unicode vhosts xml xmlrpc xorg xpm xsl zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions proxy proxy_http ctions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias cgi" CALLIGRA_FEATURES="braindump flow karbon kexi kpresenter krita tables words" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 
ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 10 Sven Vermeulen 2011-06-11 13:25:03 UTC
Too bad I'm not able to create an old 2008* guest here :-(

Could you unmerge all selinux-* packages (except selinux-base-policy) first? This way we make sure that no dependencies are hindering an upgrade.

Next, (re)install selinux-base-policy-2.20101213-r16.
- If you notice that your system is trying to install a -2008 one instead, make sure you didn't unmask it.
- If you notice that the build fails when it wants to load the new policy, you might need to unload all (old) selinux modules first (semodule -l to see, semodule -r <modname> to remove) because those might have dependencies on the old base policy.

Once selinux-base-policy-2.20101213-r16 is built and loaded, we can reinstall the selinux-* packages (all -2.20101213 versions), most likely by just updating the system (it will pull in the necessary dependencies then).
Comment 11 Tadas 2011-06-13 09:19:13 UTC
http://paste.pocoo.org/show/406023/
Comment 12 Sven Vermeulen 2011-06-13 09:31:26 UTC
The load errors are because selinux modules that are currently in memory rely on the old base module.

Can you put selinux in permissive mode (if not already), remove all selinux modules (semodule -r <modname>) until you have a "clean" one, then upgrade the base policy?

You'll need to relabel your system afterwards (but only when the base is installed/loaded as well as all new modules).
Comment 13 Tadas 2011-06-13 15:25:39 UTC
selinux is currently disabled

# getenforce
Disabled


and I removed all modules from memory
# semodule -l
No modules.


Still:
http://paste.pocoo.org/show/406853/


:/
Comment 14 Sven Vermeulen 2011-06-13 15:30:52 UTC
The following line:

libsepol.print_missing_requirements: courier's global requirements were not met: type/attribute system_chkpwd_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).

This means that "courier" is using the type/attribute system_chkpwd_t. Do you have a courier service running at this moment? Perhaps the old base policy had courier as part of it (rather than a separate module) whereas the current one doesn't?

The type/attribute system_chkpwd_t doesn't seem to exist anymore in the recent policies.
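
Added example (not part of the original comments, and not code from Gentoo or the SELinux userspace tools): a shell filter that pulls the module name and the missing symbol out of `libsepol.print_missing_requirements` lines like the one quoted in comment 14, then prints, without running it, the `semodule -r` command for each blocking module. The function names and the `examplemod`/`example_t` log line are constructed for illustration, and the message layout is assumed to match the line quoted above.

```shell
#!/bin/sh
# Added example: find which loaded modules block a base policy upgrade.
# Assumption: error lines look exactly like the one quoted in comment 14.

# Reads log text on stdin; prints "<module> <kind> <symbol>" once per
# distinct unmet requirement. Other lines (libsemanage etc.) are ignored.
missing_requirements() {
    sed -n "s/^.*libsepol\.print_missing_requirements: \(.*\)'s global requirements were not met: \([^ ]*\) \([^ ]*\).*$/\1 \2 \3/p" |
        sort -u
}

# Reads the same log; prints each blocking module name once.
modules_to_remove() {
    missing_requirements | cut -d' ' -f1 | sort -u
}

# Prints the removal command per blocking module. Nothing is executed,
# so the list can be reviewed before any module is unloaded.
removal_commands() {
    modules_to_remove | while read -r mod; do
        printf 'semodule -r %s\n' "$mod"
    done
}

# Constructed sample log: the courier lines are the ones from comment 14
# (one repeated to show de-duplication); the examplemod line is invented.
sample_log() {
    cat <<'EOF'
libsepol.print_missing_requirements: courier's global requirements were not met: type/attribute system_chkpwd_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
libsepol.print_missing_requirements: courier's global requirements were not met: type/attribute system_chkpwd_t (No such file or directory).
libsepol.print_missing_requirements: examplemod's global requirements were not met: type/attribute example_t (No such file or directory).
EOF
}

sample_log | removal_commands
```

On a real system, pipe the saved build or `semodule` output into `removal_commands` instead of `sample_log`.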
Comment 15 Tadas 2011-06-13 15:42:38 UTC
(In reply to comment #14)
> The following line:
> 
> libsepol.print_missing_requirements: courier's global requirements were not
> met: type/attribute system_chkpwd_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
> directory).
> 
> This means that "courier" is using the type/attribute system_chkpwd_t. Do you
> have a courier service running at this moment? Perhaps the old base policy had
> courier as part of it (rather than a separate module) whereas the current one
> doesn't?
> 
> The type/attribute system_chkpwd_t doesn't seem to exist anymore in the recent
> policies.

Stopped the courier service and tried to re-emerge the base policy - same result.
Comment 16 Sven Vermeulen 2011-06-13 15:43:44 UTC
If you run "ps -efZ | grep courier_" do you still get any process(es) that seem to be running in the courier domain?
Comment 17 Tadas 2011-06-13 15:45:27 UTC
(In reply to comment #16)
> If you run "ps -efZ | grep courier_" do you still get any process(es) that seem
> to be running in the courier domain?
# ps -A | grep courier
#

# ps -efZ | grep courier_
-  root     27417  7801  0 18:48 pts/1    00:00:00 grep --colour=auto courier_

Nope.
Comment 18 Sven Vermeulen 2011-06-13 15:59:36 UTC
Not sure if that's okay for you, but perhaps we should remove the current policy. Reboot with "selinux=0" so that SELinux is not active. Next, remove (or at least rename/backup ;-) the policy.23 and/or policy.24 files in /etc/selinux/*/policy. Then, reboot but with "enforcing=0" instead of "selinux=0". This will have SELinux enabled, but not in enforcing mode.

Hopefully that will allow you to insert the new base policy in memory.
Comment 19 Anthony Basile gentoo-dev 2011-07-22 10:45:51 UTC
Reopen this bug if the fix doesn't work for you.