When I try to do a make load in /etc/security/selinux/src/policy I get the following error:

kayak policy # make load
 * Creating policy.conf
 * Policy version: 15
 * Kernel version: 15
 * Compiling and installing policy.15
/usr/bin/checkpolicy: loading policy configuration from /etc/security/selinux/src/policy.conf
security: 4 users, 5 roles, 384 types, 1 bools
security: 51 classes, 26052 rules
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 15) to /etc/security/selinux/policy.15
warning: discarding booleans and conditional rules
 * Building file_contexts
 * Installing file_contexts
 * Loading policy.15
/usr/sbin/load_policy: Warning! Error while getting boolean names: No such file or directory

Reproducible: Always

Steps to Reproduce:
1. cd /etc/security/selinux/src/policy
2. make clean
3. make load

Actual Results:

kayak policy # make clean
rm -f policy.15
rm -f policy.conf
rm -fR tmp
rm -f file_contexts/file_contexts
kayak policy # make load
 * Creating policy.conf
 * Policy version: 15
 * Kernel version: 15
 * Compiling and installing policy.15
/usr/bin/checkpolicy: loading policy configuration from /etc/security/selinux/src/policy.conf
security: 4 users, 5 roles, 384 types, 1 bools
security: 51 classes, 26052 rules
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 15) to /etc/security/selinux/policy.15
warning: discarding booleans and conditional rules
 * Building file_contexts
 * Installing file_contexts
 * Loading policy.15
/usr/sbin/load_policy: Warning! Error while getting boolean names: No such file or directory

Expected Results:

kayak policy # make clean
rm -f policy.15
rm -f policy.conf
rm -fR tmp
rm -f file_contexts/file_contexts
kayak policy # make load
 * Creating policy.conf
 * Policy version: 15
 * Kernel version: 15
 * Compiling and installing policy.15
/usr/bin/checkpolicy: loading policy configuration from /etc/security/selinux/src/policy.conf
security: 4 users, 5 roles, 384 types, 1 bools
security: 51 classes, 26052 rules
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 15) to /etc/security/selinux/policy.15
warning: discarding booleans and conditional rules
 * Building file_contexts
 * Installing file_contexts
 * Loading policy.15

The reason being that /usr/bin/load_policy now has booleans. It seems that these boolean values can be saved to a file. /usr/bin/load_policy policy.15 in /etc/security/selinux yields:

kayak selinux # /usr/sbin/load_policy policy.15
/usr/sbin/load_policy: Warning! Error while getting boolean names: No such file or directory

but calling load_policy with the -b switch yields:

kayak selinux # /usr/sbin/load_policy -b policy.15
Warning! Error while reading /etc/security/booleans: No such file or directory

After touch /etc/security/booleans, /usr/sbin/load_policy -b policy.15 does not produce any results, but doing a make load again will yield the same error.

I have policycoreutils-1.16, checkpolicy-1.16 and selinux-base-policy-20040906.
Output from emerge info:

kayak root # emerge info
Portage 2.0.51-r2 (selinux/2004.1/x86, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.4.27-hardened-r2 i686)
=================================================================
System uname: 2.4.27-hardened-r2 i686 Pentium II (Klamath)
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.14.90.0.8-r1
Headers: sys-kernel/linux-headers-2.4.21-r1
Libtools: sys-devel/libtool-1.5.2-r5
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -march=i686 -fomit-frame-pointer -fforce-addr"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=i686 -fomit-frame-pointer -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.osuosl.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X arts berkdb crypt cups esd fam foomaticdb gif gpm hardened imagemagick imlib java junit kde ncurses nls opengl other_var1 other_var2 pam perl pic pie png postgres ppds python qt readline samba selinux ssl tcpd tiff usb x86 xml2 zlib"
kayak root #
This is an expected warning. Can you verify that the policy isn't loaded by looking at dmesg before and after attempting to load the policy?
After dmesg here is the output. As you can see I don't have enforcing on, so all the avc errors. Thanks for your response.

avc: denied { read } for pid=20540 exe=/usr/bin/checkpolicy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { getattr } for pid=20540 exe=/usr/bin/checkpolicy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { ioctl } for pid=20576 exe=/usr/bin/checkpolicy path=/etc/security/selinux/src/policy.conf dev=09:01 ino=51010 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { write } for pid=20576 exe=/usr/bin/checkpolicy name=policy.15 dev=09:01 ino=52138 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { read } for pid=20608 exe=/usr/sbin/load_policy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { getattr } for pid=20608 exe=/usr/sbin/load_policy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file
avc: granted { load_policy } for pid=20608 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
security: 4 users, 5 roles, 446 types
security: 51 classes, 31065 rules
As evidenced by the last message in dmesg, the policy actually does get loaded. The message from load_policy is actually just a warning, which is poorly worded. It's a nonfatal warning since you have a version 15 policy, which doesn't have booleans. Checkpolicy 1.18 will be quieting this message. For your denials, a relabel should fix it. Several of the files seem to be mislabeled.
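The dmesg check suggested above (look for a granted load_policy event) and the reading of the denials (one unexpected target type across several denials points at mislabelled files) can both be automated. The script below is an added example written for this thread, not code from the bug report or from the SELinux tools; it parses the old-style AVC message format that the kernel 2.4 dmesg excerpt uses (the "avc: denied { perm } for key=value ..." form), and the sample input is the dmesg excerpt from the thread, embedded as a constructed string. It confirms that the policy load was granted, groups the denials by executable and source/target context, and lists the distinct target types that were denied.

```python
"""Summarise old-style (kernel 2.4 era) SELinux AVC messages from dmesg.

Added example for the bug thread above, not the project's own code.
It assumes the legacy AVC line format quoted in the thread:
  avc: denied { read } for pid=... exe=... scontext=... tcontext=... tclass=...
Newer kernels emit a slightly different layout (type=AVC ... avc:  denied ...);
only the legacy form is handled here.
"""
import re
from collections import defaultdict

# Constructed sample: the dmesg excerpt quoted in the thread, one message per line.
SAMPLE_DMESG = """\
avc: denied { read } for pid=20540 exe=/usr/bin/checkpolicy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { getattr } for pid=20540 exe=/usr/bin/checkpolicy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { ioctl } for pid=20576 exe=/usr/bin/checkpolicy path=/etc/security/selinux/src/policy.conf dev=09:01 ino=51010 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { write } for pid=20576 exe=/usr/bin/checkpolicy name=policy.15 dev=09:01 ino=52138 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { read } for pid=20608 exe=/usr/sbin/load_policy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { getattr } for pid=20608 exe=/usr/sbin/load_policy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file
avc: granted { load_policy } for pid=20608 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
security: 4 users, 5 roles, 446 types
security: 51 classes, 31065 rules
"""

# verdict, the permission set in braces, then the key=value tail.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC message, or None for any other dmesg line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))  # pid, exe, name/path, scontext, ...
    return rec


def parse_dmesg(text):
    """All AVC records in a dmesg dump, in order; non-AVC lines are skipped."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def policy_loaded(records):
    """True if the kernel granted load_policy on the security class,
    which is the dmesg evidence the developer asked for."""
    return any(
        r["verdict"] == "granted"
        and "load_policy" in r["perms"]
        and r.get("tclass") == "security"
        for r in records
    )


def summarise_denials(records):
    """Group denials by (exe, scontext, tcontext, tclass) -> sorted permissions."""
    groups = defaultdict(set)
    for r in records:
        if r["verdict"] != "denied":
            continue
        key = (r.get("exe"), r.get("scontext"), r.get("tcontext"), r.get("tclass"))
        groups[key].update(r["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def target_types_denied(records):
    """Distinct target types (third field of tcontext) seen in denials.
    One generic type such as etc_t showing up for files that should carry
    their own type is the usual signature of a missing relabel."""
    return sorted(
        r["tcontext"].split(":")[2]
        for r in records
        if r["verdict"] == "denied" and "tcontext" in r
    ) and sorted({r["tcontext"].split(":")[2]
                  for r in records
                  if r["verdict"] == "denied" and "tcontext" in r})


if __name__ == "__main__":
    recs = parse_dmesg(SAMPLE_DMESG)
    print("policy load granted:", policy_loaded(recs))
    for key, perms in summarise_denials(recs).items():
        print(key, perms)
    print("denied target types:", target_types_denied(recs))
```

On the thread's excerpt this reports that the load was granted and that every denial targets etc_t, for both checkpolicy_t and load_policy_t; that pattern, rather than the load_policy warning, is what the relabel advice addresses. To use it on a live box, feed the output of dmesg taken after the make load into parse_dmesg instead of SAMPLE_DMESG.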