After emerging any SELinux policy, I see the following message:

 * Inserting the following modules, with base, into the mcs module store: application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork tmpfiles udev userdomain usermanage unprivuser xdg
The --base option is deprecated. Use --install instead.
sysnetwork: Warning: 'else' blocks in optional statements are unsupported in CIL. Dropping from output.
 * Inserting the following modules, with base, into the mls module store: application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork tmpfiles udev userdomain usermanage unprivuser xdg
The --base option is deprecated. Use --install instead.
sysnetwork: Warning: 'else' blocks in optional statements are unsupported in CIL. Dropping from output.
Failed to resolve filecon statement at 42 of /var/lib/selinux/mls/tmp/modules/400/miscfiles/cil
Failed to resolve ast
semodule: Failed!
 * ERROR: sec-policy/selinux-base-policy-2.20141203-r3::gentoo failed (postinst phase):
 *   Failed to load in base and modules application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork tmpfiles udev userdomain usermanage unprivuser xdg in the mls policy store
 * 
 * Call stack:
 *     ebuild.sh, line  93:  Called pkg_postinst
 *   environment, line 1785:  Called die
 * The specific snippet of code:
 *       semodule -s ${i} -b base.pp ${COMMAND} || die "Failed to load in base and modules ${MODS} in the $i policy store";
 * 
 * If you need support, post the output of `emerge --info '=sec-policy/selinux-base-policy-2.20141203-r3::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=sec-policy/selinux-base-policy-2.20141203-r3::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/sec-policy/selinux-base-policy-2.20141203-r3/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/sec-policy/selinux-base-policy-2.20141203-r3/temp/environment'.
 * Working directory: '/usr/share/selinux/mls'
 * S: '/var/tmp/portage/sec-policy/selinux-base-policy-2.20141203-r3/work/'
!!! FAILED postinst: 1

This happened only in the MLS module store.
emerge --info =sec-policy/selinux-base-policy-2.20141203-r3::gentoo:

Portage 2.2.17 (python 3.4.2-final-0, hardened/linux/amd64/selinux, gcc-4.9.2, glibc-2.20-r1, 3.18.5-sbs x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-3.18.5-sbs-x86_64-Intel-R-_Core-TM-_i3_CPU_M_350_@_2.27GHz-with-gentoo-2.2
KiB Mem:     2810716 total,    598848 free
KiB Swap:    6143996 total,   6143996 free
Timestamp of repository gentoo: Thu, 12 Feb 2015 08:00:01 +0000
sh bash 4.3_p33-r1
ld GNU ld (Gentoo 2.24 p1.4) 2.24
app-shells/bash:          4.3_p33-r1::gentoo
dev-java/java-config:     2.2.0::gentoo
dev-lang/perl:            5.20.1-r4::gentoo
dev-lang/python:          2.7.9-r2::gentoo, 3.4.2::gentoo
dev-util/cmake:           3.1.0::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.2::gentoo
sys-apps/openrc:          0.13.9::gentoo
sys-apps/sandbox:         2.6-r1::gentoo
sys-devel/autoconf:       2.69::gentoo
sys-devel/automake:       1.11.6-r1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.24-r3::gentoo
sys-devel/gcc:            4.9.2::gentoo
sys-devel/gcc-config:     1.8::gentoo
sys-devel/libtool:        2.4.5::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 3.19::gentoo (virtual/os-headers)
sys-libs/glibc:           2.20-r1::security-sbs
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

lxde-new
    location: /usr/local/portage/lxde-new
    masters: gentoo
    priority: 0

security-sbs
    location: /usr/local/portage/security-sbs
    masters: gentoo
    priority: 1

security-testing
    location: /usr/local/portage/security-testing
    masters: gentoo
    priority: 2

mate-overlay
    location: /var/lib/layman/mate
    masters: gentoo
    priority: 3

gnome
    location: /var/lib/layman/gnome
    masters: gentoo
    priority: 4

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native -mtune=native"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native -mtune=native"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="X aac acl alsa amd64 audit berkdb bluetooth branding bzip2 cairo caja cli cmake cracklib crypt crywrap cups cxx dbus dhcpcd dri egl evdev exif flac fontconfig foomatic gdbm gdbus glib gmp gnome-keyring gnutls graphite gstreamer gtk gtk3 hardened iconv icu imlib infinality introspection ios ipod ipv6 java jpeg justify lcms libmpeg2 libnotify libproxy math mmx mmxext modemmanager modules mp3 mtp multilib natspec ncurses networkmanager nls nptl ntpl obex ogg open_perms opengl openmp os-prober pam pax_kernel pcre peer_perms pic plymouth png policykit popcnt powermanagement ppp pulseaudio python python2_7 python3_4 readline selinux session shared-glapi sna socialweb spell sse sse2 sse3 sse4_1 sse4_2 ssl ssse3 startup-notification svg symlink systemd tcpd theora thesaurus threads tiff tracker truetype ubac udev udisks unicode upower urandom v4l v4l2 vaapi vala vorbis wavpack wayland x264 xattr xdg xinerama xml xorg xtpax xvid zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="ru" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="intel i965" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" USE_PYTHON="2.7"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

sec-policy/selinux-base-policy-2.20141203-r3::gentoo was built with the following:
USE="-unconfined" ABI_X86="64"

emerge -pqv =sec-policy/selinux-base-policy-2.20141203-r3::gentoo

[ebuild   R    ] sec-policy/selinux-base-policy-2.20141203-r3  USE="-unconfined"
Also important information: I use systemd and dracut, not OpenRC and genkernel.
cat /etc/selinux/config

# This file controls the state of SELinux on the system on boot.

# SELINUX can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - No SELinux policy is loaded.
SELINUX=permissive

# SELINUXTYPE can take one of these four values:
#	targeted - Only targeted network daemons are protected.
#	strict   - Full SELinux protection.
#	mls      - Full SELinux protection with Multi-Level Security
#	mcs      - Full SELinux protection with Multi-Category Security
#	           (mls, but only one sensitivity level)
SELINUXTYPE=mcs
I cannot switch store to MLS due to this.
When I try to load the MLS modules manually, I see the following:

# cd /usr/share/selinux/mls
mls # semodule -i base.pp -i $(ls *.pp | grep -v base.pp)
sysnetwork: Warning: 'else' blocks in optional statements are unsupported in CIL. Dropping from output.
Failed to resolve filecon statement at 42 of /var/lib/selinux/mcs/tmp/modules/400/miscfiles/cil
Failed to resolve ast
semodule: Failed!
Hi, I would need to see the generated CIL file. Can you run and post the output of:

/usr/libexec/selinux/hll/pp /usr/share/selinux/mcs/miscfiles.pp
Here:

/usr/libexec/selinux/hll/pp /usr/share/selinux/mls/miscfiles.pp

(filecon "/emul/linux/x86/usr/(X11R6/)?lib/X11/locale(/.*)?" any (system_u object_r locale_t ((s0) (s0))))
(filecon "/etc/avahi/etc/localtime" file (system_u object_r locale_t ((s0) (s0))))
(filecon "/etc/httpd/alias/[^/]*\.db(\.[^/]*)*" file (system_u object_r cert_t ((s0) (s0))))
(filecon "/etc/localtime" file (system_u object_r locale_t ((s0) (s0))))
(filecon "/etc/pki/certs/(.*)?" file (system_u object_r cert_t ((s0) (s0))))
(filecon "/etc/pki/private/(.*)?" file (system_u object_r cert_t ((s0) (s0))))
(filecon "/etc/ssl/certs/(.*)?" file (system_u object_r cert_t ((s0) (s0))))
(filecon "/etc/ssl/private/(.*)?" file (system_u object_r cert_t ((s0) (s0))))
(filecon "/etc/timezone" file (system_u object_r locale_t ((s0) (s0))))
(filecon "/opt/(.*/)?man(/.*)?" any (system_u object_r man_t ((s0) (s0))))
(filecon "/srv/([^/]*/)?ftp(/.*)?" any (system_u object_r public_content_t ((s0) (s0))))
(filecon "/srv/([^/]*/)?rsync(/.*)?" any (system_u object_r public_content_t ((s0) (s0))))
(filecon "/usr/lib/locale(/.*)?" any (system_u object_r locale_t ((s0) (s0))))
(filecon "/usr/lib/perl5/man(/.*)?" any (system_u object_r man_t ((s0) (s0))))
(filecon "/usr/local/share/ca-certificates(/.*)?" any (system_u object_r cert_t ((s0) (s0))))
(filecon "/usr/local/man(/.*)?" any (system_u object_r man_t ((s0) (s0))))
(filecon "/usr/local/share/man(/.*)?" any (system_u object_r man_t ((s0) (s0))))
(filecon "/usr/local/share/fonts(/.*)?" any (system_u object_r man_t ((s0) (s0))))
(filecon "/usr/man(/.*)?" any (system_u object_r man_t ((s0) (s0))))
(filecon "/usr/share/ca-certificates(/.*)?" any (system_u object_r cert_t ((s0) (s0))))
(filecon "/usr/share/fonts(/.*)?" any (system_u object_r fonts_t ((s0) (s0))))
(filecon "/usr/share/X11/fonts(/.*)?" any (system_u object_r fonts_t ((s0) (s0))))
(filecon "/usr/share/ghostscript/fonts(/.*)?" any (system_u object_r fonts_t ((s0) (s0))))
(filecon "/usr/share/locale(/.*)?" any (system_u object_r locale_t ((s0) (s0))))
(filecon "/usr/share/man(/.*)?" any (system_u object_r man_t ((s0) (s0))))
(filecon "/usr/share/postgresql/[^/]*/man(/.*)?" any (system_u object_r man_t ((s0) (s0))))
(filecon "/usr/share/X11/locale(/.*)?" any (system_u object_r locale_t ((s0) (s0))))
(filecon "/usr/share/zoneinfo(/.*)?" any (system_u object_r locale_t ((s0) (s0))))
(filecon "/usr/share/ssl/certs(/.*)?" any (system_u object_r cert_t ((s0) (s0))))
(filecon "/usr/share/ssl/private(/.*)?" any (system_u object_r cert_t ((s0) (s0))))
(filecon "/usr/X11R6/lib/X11/fonts(/.*)?" any (system_u object_r fonts_t ((s0) (s0))))
(filecon "/usr/X11R6/man(/.*)?" any (system_u object_r man_t ((s0) (s0))))
(filecon "/usr/share/misc/(pci|usb)\.ids" file (system_u object_r hwdata_t ((s0) (s0))))
(filecon "/var/ftp(/.*)?" any (system_u object_r public_content_t ((s0) (s0))))
(filecon "/var/lib/texmf(/.*)?" any (system_u object_r tetex_data_t ((s0) (s0))))
(filecon "/var/cache/fontconfig(/.*)?" any (system_u object_r fonts_cache_t ((s0) (s0))))
(filecon "/var/cache/fonts(/.*)?" any (system_u object_r tetex_data_t ((s0) (s0))))
(filecon "/var/cache/man(/.*)?" any (system_u object_r man_cache_t ((s0) (s0))))
(filecon "/var/named/chroot/etc/pki(/.*)?" any (system_u object_r cert_t ((s0) (s0))))
(filecon "/var/spool/abrt-upload(/.*)?" any (system_u object_r public_content_rw_t ((s0) (s0))))
(filecon "/var/spool/texmf(/.*)?" any (system_u object_r tetex_data_t ((s0) (s0))))
(filecon "HOME_DIR/.pki(/.*)?" any (system_u object_r cert_home_t (systemlow systemlow)))
(filecon "/etc/fonts(/.*)?" any (system_u object_r fonts_t ((s0) (s0))))
(typealias catman_t)
(typealiasactual catman_t man_t)
(typeattribute cert_type)
(typeattributeset cert_type (cert_t cert_home_t ))
(type cert_t)
(roletype object_r cert_t)
(type cert_home_t)
(roletype object_r cert_home_t)
(type fonts_t)
(roletype object_r fonts_t)
(type fonts_cache_t)
(roletype object_r fonts_cache_t)
(type hwdata_t)
(roletype object_r hwdata_t)
(type locale_t)
(roletype object_r locale_t)
(type man_t)
(roletype object_r man_t)
(type man_cache_t)
(roletype object_r man_cache_t)
(type public_content_t)
(roletype object_r public_content_t)
(type public_content_rw_t)
(roletype object_r public_content_rw_t)
(type test_file_t)
(roletype object_r test_file_t)
(type tetex_data_t)
(roletype object_r tetex_data_t)
(roleattributeset cil_gen_require system_r)
(typeattributeset cil_gen_require file_type)
(typeattributeset file_type (cert_t cert_home_t fonts_t fonts_cache_t hwdata_t locale_t man_t man_cache_t public_content_t public_content_rw_t test_file_t tetex_data_t ))
(typeattributeset cil_gen_require non_security_file_type)
(typeattributeset non_security_file_type (cert_t cert_home_t fonts_t fonts_cache_t hwdata_t locale_t man_t man_cache_t public_content_t public_content_rw_t test_file_t tetex_data_t ))
(typeattributeset cil_gen_require non_auth_file_type)
(typeattributeset non_auth_file_type (cert_t cert_home_t fonts_t fonts_cache_t hwdata_t locale_t man_t man_cache_t public_content_t public_content_rw_t test_file_t tetex_data_t ))
(typeattributeset cil_gen_require user_home_content_type)
(typeattributeset user_home_content_type (cert_home_t ))
(typeattributeset cil_gen_require user_home_t)
(typeattributeset cil_gen_require polymember)
(typeattributeset polymember (cert_home_t tetex_data_t ))
(typeattributeset cil_gen_require ubac_constrained_type)
(typeattributeset ubac_constrained_type (cert_home_t ))
(typeattributeset cil_gen_require tmpfile)
(typeattributeset tmpfile (tetex_data_t ))
(typeattributeset cil_gen_require tmp_t)
(allow cert_home_t user_home_t (filesystem (associate)))
Line 42 is:

(filecon "HOME_DIR/.pki(/.*)?" any (system_u object_r cert_home_t (systemlow systemlow)))

Do you have any problems with any other HOME_DIR contexts? And are your users and logins set correctly? Does the output of these commands look sane?

semanage user -l
semanage login -l
I cannot even switch to the MLS policy store from MCS, because I do not have the file /etc/selinux/mls/policy/policy.<version>. It is occasionally located in /home/<username>/.cache/.fr-dKOXll/etc/selinux/mls/policy/policy.<version>
Fixed in commit 1142e65e5281195a865c737d4640db42ae91c89a ("miscfiles: gen_contexts was missing the sensitivity"). The ,s0 was missing from gen_context(). Will be in the -r8 policy.
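An added check, not part of this bug report or of the Gentoo/refpolicy code: it reads CIL of the kind hll/pp printed above (constructed sample lines in the same shape) and flags filecon statements whose level range names a level instead of spelling a literal sensitivity, which is the shape of the failing line 42, and it scans .fc source (constructed sample) for gen_context() calls that lack the level argument the fix adds. The function names are this example's own.

```python
import re

# Constructed sample in the shape of the CIL that hll/pp printed for miscfiles.pp above.
SAMPLE_CIL = """(filecon "/etc/localtime" file (system_u object_r locale_t ((s0) (s0))))
(filecon "/usr/share/fonts(/.*)?" any (system_u object_r fonts_t ((s0) (s0))))
(filecon "HOME_DIR/.pki(/.*)?" any (system_u object_r cert_home_t (systemlow systemlow)))
(filecon "/etc/fonts(/.*)?" any (system_u object_r fonts_t ((s0) (s0))))
"""
# Constructed .fc source sample; the second entry lacks the ,s0 the fix adds to gen_context().
SAMPLE_FC = """/etc/localtime\t\t--\tgen_context(system_u:object_r:locale_t,s0)
HOME_DIR/\\.pki(/.*)?\tgen_context(system_u:object_r:cert_home_t)
"""

def parse_sexpr(text):
    """Minimal s-expression reader: returns nested lists of string tokens."""
    tokens = re.findall(r'\(|\)|"[^"]*"|[^\s()"]+', text)
    stack = [[]]
    for tok in tokens:
        if tok == '(':
            stack.append([])
        elif tok == ')':
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok.strip('"'))
    return stack[0]

def is_literal_level(level):
    """(s0) or (s0 (c0 c1)) is literal; a bare name like systemlow must be declared elsewhere."""
    return (isinstance(level, list) and bool(level) and isinstance(level[0], str)
            and re.fullmatch(r's\d+', level[0]) is not None)

def suspect_filecons(cil_text):
    """(line, path, low, high) for each filecon whose level range is not literal."""
    # pp emits one statement per line, so lineno matches semodule's "at N" message.
    hits = []
    for lineno, line in enumerate(cil_text.splitlines(), start=1):
        for stmt in parse_sexpr(line):
            if not (isinstance(stmt, list) and stmt[:1] == ['filecon']):
                continue
            path, ctx = stmt[1], stmt[3]
            low, high = ctx[3] if len(ctx) > 3 else (None, None)
            if not (is_literal_level(low) and is_literal_level(high)):
                hits.append((lineno, path, low, high))
    return hits

def gen_context_without_level(fc_text):
    """Paths in .fc source whose gen_context() carries no ,level argument."""
    return [line.split()[0] for line in fc_text.splitlines()
            if re.search(r'gen_context\([^,)]*\)', line)]
```

Run suspect_filecons over the full pp output of a module to locate the statement semodule reports by number before building the policy store.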
r8 is in ~arch now
r8 is stable