Bug 70215 - (selinux) unable to load new policies since upgrading to policycoreutils 1.16
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: x86 Linux
Importance: High blocker
Assignee: Chris PeBenito (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-11-05 19:12 UTC by Jacob Chacko
Modified: 2004-11-11 18:52 UTC

See Also:
Package list:
Runtime testing required: ---


Description Jacob Chacko 2004-11-05 19:12:33 UTC
When I try to do a make load in /etc/security/selinux/src/policy
I get the following error:
kayak policy # make load
 * Creating policy.conf
 * Policy version: 15
 * Kernel version: 15
 * Compiling and installing policy.15
/usr/bin/checkpolicy:  loading policy configuration from /etc/security/selinux/src/policy.conf
security:  4 users, 5 roles, 384 types, 1 bools
security:  51 classes, 26052 rules
/usr/bin/checkpolicy:  policy configuration loaded
/usr/bin/checkpolicy:  writing binary representation (version 15) to /etc/security/selinux/policy.15
warning: discarding booleans and conditional rules
 * Building file_contexts
 * Installing file_contexts
 * Loading policy.15
/usr/sbin/load_policy:  Warning!  Error while getting boolean names:  No such file or directory

Reproducible: Always
Steps to Reproduce:
1. cd /etc/security/selinux/src/policy
2. make clean
3. make load

Actual Results:  
kayak policy # make clean
rm -f policy.15
rm -f policy.conf
rm -fR tmp
rm -f file_contexts/file_contexts
kayak policy # make load
 * Creating policy.conf
 * Policy version: 15
 * Kernel version: 15
 * Compiling and installing policy.15
/usr/bin/checkpolicy:  loading policy configuration from
/etc/security/selinux/src/policy.conf
security:  4 users, 5 roles, 384 types, 1 bools
security:  51 classes, 26052 rules
/usr/bin/checkpolicy:  policy configuration loaded
/usr/bin/checkpolicy:  writing binary representation (version 15) to
/etc/security/selinux/policy.15
warning: discarding booleans and conditional rules
 * Building file_contexts
 * Installing file_contexts
 * Loading policy.15
/usr/sbin/load_policy:  Warning!  Error while getting boolean names:  No such
file or directory


Expected Results:  
kayak policy # make clean
rm -f policy.15
rm -f policy.conf
rm -fR tmp
rm -f file_contexts/file_contexts
kayak policy # make load
 * Creating policy.conf
 * Policy version: 15
 * Kernel version: 15
 * Compiling and installing policy.15
/usr/bin/checkpolicy:  loading policy configuration from
/etc/security/selinux/src/policy.conf
security:  4 users, 5 roles, 384 types, 1 bools
security:  51 classes, 26052 rules
/usr/bin/checkpolicy:  policy configuration loaded
/usr/bin/checkpolicy:  writing binary representation (version 15) to
/etc/security/selinux/policy.15
warning: discarding booleans and conditional rules
 * Building file_contexts
 * Installing file_contexts
 * Loading policy.15


The reason being that /usr/bin/load_policy now has booleans.  It seems that
these boolean values can be saved to a file.
/usr/bin/load_policy policy.15 in /etc/security/selinux yields:
kayak selinux # /usr/sbin/load_policy policy.15 
/usr/sbin/load_policy:  Warning!  Error while getting boolean names:  No such
file or directory

but calling load_policy with the -b switch yields:
kayak selinux # /usr/sbin/load_policy -b policy.15 
Warning!  Error while reading /etc/security/booleans:  No such file or directory

touch /etc/security/booleans
/usr/sbin/load_policy -b policy.15

does not produce any results, but doing a make load again will yield the same error.

I have
policycoreutils-1.16
checkpolicy-1.16
selinux-base-policy-20040906
Comment 1 Jacob Chacko 2004-11-07 05:56:33 UTC
output from emerge info:
kayak root # emerge info
Portage 2.0.51-r2 (selinux/2004.1/x86, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.4.27-hardened-r2 i686)
=================================================================
System uname: 2.4.27-hardened-r2 i686 Pentium II (Klamath)
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.14.90.0.8-r1
Headers:  sys-kernel/linux-headers-2.4.21-r1
Libtools: sys-devel/libtool-1.5.2-r5
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -march=i686 -fomit-frame-pointer -fforce-addr"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=i686 -fomit-frame-pointer -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.osuosl.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X arts berkdb crypt cups esd fam foomaticdb gif gpm hardened imagemagick imlib java junit kde ncurses nls opengl other_var1 other_var2 pam perl pic pie png postgres ppds python qt readline samba selinux ssl tcpd tiff usb x86 xml2 zlib"

kayak root # 
Comment 2 Chris PeBenito (RETIRED) gentoo-dev 2004-11-10 16:19:01 UTC
This is an expected warning.  Can you verify that the policy isn't loaded by looking at dmesg before and after attempting to load the policy?
Comment 3 Jacob Chacko 2004-11-11 11:03:32 UTC
After dmesg here is the output.  As you can see I don't have enforcing on, so all the avc errors.  Thanks for your response.

avc:  denied  { read } for  pid=20540 exe=/usr/bin/checkpolicy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file

avc:  denied  { getattr } for  pid=20540 exe=/usr/bin/checkpolicy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file

avc:  denied  { ioctl } for  pid=20576 exe=/usr/bin/checkpolicy path=/etc/security/selinux/src/policy.conf dev=09:01 ino=51010 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file

avc:  denied  { write } for  pid=20576 exe=/usr/bin/checkpolicy name=policy.15 dev=09:01 ino=52138 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file

avc:  denied  { read } for  pid=20608 exe=/usr/sbin/load_policy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file

avc:  denied  { getattr } for  pid=20608 exe=/usr/sbin/load_policy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file

avc:  granted  { load_policy } for  pid=20608 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
security:  4 users, 5 roles, 446 types
security:  51 classes, 31065 rules
Comment 4 Chris PeBenito (RETIRED) gentoo-dev 2004-11-11 18:52:37 UTC
As evidenced by the last message in dmesg, the policy actually does get loaded.  The message from load_policy is actually just a warning, which is poorly worded.  It's a nonfatal warning since you have a version 15 policy, which doesn't have booleans.  Checkpolicy 1.18 will be quieting this message.

For your denials, a relabel should fix it.  Several of the files seem to be mislabeled.
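The check Comment 2 asks for (compare dmesg before and after the load) and the reading Comment 4 gives of that output (a kernel "security: ... types" line after the granted load_policy record proves the load; the denials point at mislabeled files) can be done with a small script. The Python below is an added example, not part of this bug report, of policycoreutils or of the Gentoo policy tree. It parses avc records and kernel "security:" lines from a constructed log sample modelled on the dmesg output quoted above, confirms the load the way Comment 4 does, and groups the denials by source context, target context, object class and permission so the targets that need relabeling can be listed. The regular expressions, function names and the sample text are the example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the dmesg output quoted in Comment 3 of the bug.
# It is not a live capture; line wrapping has been removed so each record is one line.
SAMPLE_DMESG = """\
security:  4 users, 5 roles, 384 types, 1 bools
avc:  denied  { read } for  pid=20540 exe=/usr/bin/checkpolicy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc:  denied  { getattr } for  pid=20540 exe=/usr/bin/checkpolicy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc:  denied  { write } for  pid=20576 exe=/usr/bin/checkpolicy name=policy.15 dev=09:01 ino=52138 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc:  granted  { load_policy } for  pid=20608 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
security:  4 users, 5 roles, 446 types
security:  51 classes, 31065 rules
"""

# One avc record: verdict, the permission set in braces, then key=value fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
# The kernel's summary line printed when a policy is (re)loaded.
SECURITY_RE = re.compile(
    r"security:\s+(?P<users>\d+) users, (?P<roles>\d+) roles, (?P<types>\d+) types"
)


def parse_avc(line):
    """Return a dict for an avc record (verdict, perms list, key=value fields) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))
    rec["verdict"] = m.group("verdict")
    rec["perms"] = m.group("perms").split()
    return rec


def policy_loads(text):
    """(users, roles, types) from every kernel 'security:' summary line, in order.

    Captured before and after 'make load', a new tuple is the evidence that the
    kernel accepted a policy, whatever load_policy printed on stderr."""
    return [tuple(int(x) for x in m.groups()) for m in SECURITY_RE.finditer(text)]


def load_confirmed(text):
    """True when a 'security: ... types' line follows an avc 'granted { load_policy }'
    record, which is exactly the reading Comment 4 gives of the dmesg output."""
    seen_grant = False
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "granted" and "load_policy" in rec["perms"]:
            seen_grant = True
        elif seen_grant and SECURITY_RE.search(line):
            return True
    return False


def summarize_denials(text):
    """Count denials keyed by (scontext, tcontext, tclass, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["scontext"], rec["tcontext"], rec["tclass"], perm)] += 1
    return counts


def denied_targets(text):
    """Sorted (object name or path, target context) pairs from the denials: the list an
    administrator checks against file_contexts before relabeling."""
    targets = set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            targets.add((rec.get("path") or rec.get("name", "?"), rec["tcontext"]))
    return sorted(targets)


if __name__ == "__main__":
    print("policy loads seen:", policy_loads(SAMPLE_DMESG))
    print("load confirmed:", load_confirmed(SAMPLE_DMESG))
    for key, n in sorted(summarize_denials(SAMPLE_DMESG).items()):
        print("denied %-8s %s -> %s (%s) x%d" % (key[3], key[0], key[1], key[2], n))
    print("targets to check:", denied_targets(SAMPLE_DMESG))
```

Run it against the real output of dmesg saved before and after make load (for example by reading the file into the text argument instead of the sample); a second (users, roles, types) tuple, or a True from load_confirmed, is the confirmation Comment 2 asks for, and the pairs from denied_targets are what a relabel of those paths would have to change.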