After following the SELinux conversion handbook, it is impossible to relabel /dev.

Reproducible: Always

Steps to Reproduce:
1. ~# mkdir /mnt/gentoo
2. ~# mount -o bind / /mnt/gentoo
3. ~# setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev

Actual Results:
setfiles set context /mnt/gentoo/dev->kernel failed:'Operation not supported'

Expected Results:
Nothing
Hi,

Are you able to set the security context of any file there?

~# chcon -t null_device_t /mnt/gentoo/dev/null
I'm unable to do so... Here is the output of the command you've posted:

ks369665 ~ # chcon -t null_device_t /mnt/gentoo/dev/null
chcon: Could not create the security context :: Invalid argument
Did you reboot with an SELinux-compatible kernel?

~# dmesg | grep -i SELinux

or check if /selinux or /sys/fs/selinux have the selinux file system mounted (i.e. files and directories are visible inside it). Also make sure support for extended attributes is enabled in the kernel.
ks369665 ~ # dmesg | grep -i SELinux
SELinux: Registering netfilter hooks
grsec: mount of selinuxfs to /sys/fs/selinux by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
grsec: mount of none to /selinux by /bin/mount[mount:7085] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/runscript.sh[runscript.sh:7078] uid/euid:0/0 gid/egid:0/0

ks369665 ~ # ls /selinux/
access booleans class context deny_unknown enforce load mls policy policyvers relabel user avc checkreqprot commit_pending_bools create disable initial_contexts member null policy_capabilities reject_unknown status

ks369665 ~ # ls /sys/fs/selinux/
access booleans class context deny_unknown enforce load mls policy policyvers relabel user avc checkreqprot commit_pending_bools create disable initial_contexts member null policy_capabilities reject_unknown status

ks369665 ~ # zgrep XATTR /proc/config.gz
CONFIG_EXT4_FS_XATTR=y
CONFIG_REISERFS_FS_XATTR=y
CONFIG_TMPFS_XATTR=y
CONFIG_PAX_XATTR_PAX_FLAGS=y

Any ideas?
Not immediately, no... Did you try rebooting and then restarting from that point (i.e. "Reboot, and Label the File System")?
Unfortunately, I rebooted and the same thing happened. I can't relabel /dev. Do you want information about my kernel config? I'm using udev.

Here is the output of 'emerge --info':

Portage 2.1.11.9 (hardened/linux/amd64/selinux, gcc-4.5.4, glibc-2.15-r2, 3.5.4-hardened-r1 x86_64)
=================================================================
System uname: Linux-3.5.4-hardened-r1-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q8300_@_2.50GHz-with-gentoo-2.1
Timestamp of tree: Mon, 15 Oct 2012 16:15:01 +0000
ccache version 3.1.7 [enabled]
app-shells/bash: 4.2_p37
dev-java/java-config: 2.1.11-r3
dev-lang/python: 2.7.3-r2, 3.2.3
dev-util/ccache: 3.1.7
dev-util/cmake: 2.8.9
dev-util/pkgconfig: 0.27.1
sys-apps/baselayout: 2.1-r1
sys-apps/openrc: 0.9.8.4
sys-apps/sandbox: 2.5
sys-devel/autoconf: 2.68
sys-devel/automake: 1.11.6
sys-devel/binutils: 2.22-r1
sys-devel/gcc: 4.5.4
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4-r1
sys-devel/make: 3.82-r3
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)
sys-libs/glibc: 2.15-r2
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA Oracle-BCLA-JavaSE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--jobs=5 --load-average=5.0"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs ccache config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch parse-eapi-ebuild-head protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://mirror.ovh.net/gentoo-distfiles/"
LANG="fr_FR.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="fr"
MAKEOPTS="-j5 -l5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.fr.gentoo.org/gentoo-portage/"
USE="acpi amd64 apache2 bzip2 cli cracklib crypt cxx dri gdbm gpm hardened iconv ipv6 justify logrotate mmx modules mudflap multilib mysql ncurses nls nptl open_perms openmp pam pax_kernel pcre pppd readline selinux session sse sse2 sse3 ssl ssse3 tcpd unicode urandom zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
APACHE2_MPMS="prefork"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
GRUB_PLATFORMS="pc"
INPUT_DEVICES="evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LINGUAS="fr"
PHP_TARGETS="php5-4"
PYTHON_TARGETS="python3_2"
RUBY_TARGETS="ruby19"
USERLAND="GNU"
VIDEO_CARDS="vesa intel"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
The fact that you use udev doesn't matter. When we bind-mount / onto /mnt/gentoo, the result is that, at /mnt/gentoo/dev, you should have the device files that are on your root partition.

Setfiles mentions "operation not supported", but refers to "kernel" (whereas I would expect it to mention the security context to be used). And chcon says "invalid argument".

Do you get any error in your logs (messages, or dmesg) right after you run the "chcon -t null_device_t /mnt/gentoo/dev/null"?

I think it doesn't have proper context information. If I give a wrong context, it gives a similar result:

"""
hpl ~ # chcon -v -t null2_device_t mount.log
changing security context of 'mount.log'
chcon: failed to change context of 'mount.log' to 'staff_u:object_r:null2_device_t': Invalid argument
hpl ~ # dmesg | tail -1
[ 2390.004886] type=1401 audit(1350327448.558:508): op=setxattr invalid_context="staff_u:object_r:null2_device_t"
"""

Since selinux-base-policy is already installed, you should have a policy ready (and after reboot even loaded). However, from your dmesg output, it doesn't look like it loads it in:

"""
hpl ~ # dmesg | grep -i SELinux
[ 0.000556] SELinux: Initializing.
[ 0.000686] SELinux: Starting in enforcing mode
[ 0.476366] SELinux: Registering netfilter hooks
[ 2.978488] grsec: mount of selinuxfs to /sys/fs/selinux by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[ 3.011829] SELinux: 2048 avtab hash slots, 28769 rules.
[ 3.016145] SELinux: 2048 avtab hash slots, 28769 rules.
[ 3.017370] SELinux: 6 users, 31 roles, 1873 types, 108 bools
[ 3.017373] SELinux: 81 classes, 28769 rules
[ 3.018382] SELinux: Completing initialization.
[ 3.018384] SELinux: Setting up existing superblocks.
"""
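As an added diagnostic example (written for this page, not code from the bug report or the Gentoo handbook), the two checks the reply above makes by eye can be scripted: whether a dmesg capture shows the kernel actually loading a policy, and which label the kernel rejected in a type=1401 audit record. The dmesg samples are constructed from the outputs quoted in the thread.

```shell
#!/bin/sh
# Helpers for the relabel failure discussed above (added example).

# Constructed sample modelled on the reporter's dmesg: the LSM registers
# and selinuxfs is mounted, but no policy-load lines appear.
DMESG_NO_POLICY='SELinux: Registering netfilter hooks
grsec: mount of selinuxfs to /sys/fs/selinux by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0'

# Constructed sample modelled on the maintainer's box, where a policy loaded.
DMESG_WITH_POLICY='[    0.000556] SELinux:  Initializing.
[    0.000686] SELinux:  Starting in enforcing mode
[    3.011829] SELinux: 2048 avtab hash slots, 28769 rules.
[    3.017370] SELinux:  6 users, 31 roles, 1873 types, 108 bools
[    3.018382] SELinux:  Completing initialization.'

# Returns 0 only when the capture shows a policy was parsed: the avtab
# summary and "Completing initialization" are printed after a successful
# load. Without a loaded policy the kernel cannot validate any label, so
# setfiles reports "Operation not supported" and chcon "Invalid argument".
selinux_policy_loaded() {
    printf '%s\n' "$1" | grep -q 'SELinux:.*avtab hash slots' &&
    printf '%s\n' "$1" | grep -q 'SELinux:.*Completing initialization'
}

# Extracts the label the kernel refused from a type=1401 (SELINUX_ERR)
# audit line such as: op=setxattr invalid_context="staff_u:object_r:null2_device_t"
# Prints nothing and returns 1 when the line carries no invalid_context field.
audit_invalid_context() {
    ctx=$(printf '%s\n' "$1" | sed -n 's/.*invalid_context="\([^"]*\)".*/\1/p')
    [ -n "$ctx" ] || return 1
    printf '%s\n' "$ctx"
}

# Splits out the type field (third colon-separated component) of a context,
# which is the part to check against the loaded policy (e.g. seinfo -t).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

if ! selinux_policy_loaded "$DMESG_NO_POLICY"; then
    echo "reporter's dmesg: no policy load seen; relabelling cannot work yet"
fi
rejected=$(audit_invalid_context 'type=1401 audit(1350327448.558:508): op=setxattr invalid_context="staff_u:object_r:null2_device_t"')
echo "kernel rejected type: $(context_type "$rejected")"
```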
Ok, so I reverted my box to the hardened profile (no selinux), and I followed the handbook again. It seems to work now, but I'm not sure, as I'm not able to connect to my box with SSH (the server refused my password). So I think I've got SELinux up and running, but my user can't connect to my server because it lacks the sysadm_r role. Is it possible to boot without SELinux activated, add the sysadm_r role to my user, and then reboot with SELinux enabled?
Good news everyone! I was able to log in through ssh to my box, and to relabel all of my /dev :) I switched from 'strict' to 'targeted' so as to be able to log in. I don't know why it didn't work the first time, but my box now runs with SELinux.

ks369665 ~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             strict
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      28