When I try to load sec-policy/selinux-bind, the policy compilation crashes with the following error message:

domains/program/named.te:14:ERROR 'attribute reserved_port_type is not declared' at token ';' on line 38365:
# type rndc_port_t, port_type, reserved_port_type;
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/security/selinux/policy.18] Error 1
make: Leaving directory `/etc/security/selinux/src/policy'
 [ !! ]

Afterwards the whole labeling crashes with the following error message:

/usr/sbin/setfiles: invalid context system_u:object_r:named_conf_t on line number 824
/usr/sbin/setfiles: invalid context system_u:object_r:named_exec_t on line number 825
/usr/sbin/setfiles: invalid context system_u:object_r:ndc_exec_t on line number 826
/usr/sbin/setfiles: invalid context system_u:object_r:named_var_run_t on line number 827
/usr/sbin/setfiles: invalid context system_u:object_r:named_var_run_t on line number 828
/usr/sbin/setfiles: invalid context system_u:object_r:named_var_run_t on line number 829
/usr/sbin/setfiles: invalid context system_u:object_r:named_exec_t on line number 830
/usr/sbin/setfiles: invalid context system_u:object_r:named_zone_t on line number 833
/usr/sbin/setfiles: invalid context system_u:object_r:named_conf_t on line number 834
/usr/sbin/setfiles: invalid context system_u:object_r:named_conf_t on line number 835
Exiting after 10 errors.

I have to remove all entries about bind in policy.conf and I have to delete the file named.te under /etc/security/selinux/src/policy/domains/program to fix my policies.

loadpolicy
 * Automatically loading policy ...
make: Entering directory `/etc/security/selinux/src/policy'
 * Creating policy.conf
 * Policy version: 18
 * Kernel version: 18
 * Compiling and installing policy.18
/usr/bin/checkpolicy: loading policy configuration from /etc/security/selinux/src/policy.conf
domains/program/named.te:14:ERROR 'attribute reserved_port_type is not declared' at token ';' on line 38365:
# type rndc_port_t, port_type, reserved_port_type;
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/security/selinux/policy.18] Error 1
make: Leaving directory `/etc/security/selinux/src/policy'
 [ !! ]
 * Regenerating file contexts ...
/usr/sbin/setfiles: invalid context system_u:object_r:named_conf_t on line number 824
/usr/sbin/setfiles: invalid context system_u:object_r:named_exec_t on line number 825
/usr/sbin/setfiles: invalid context system_u:object_r:ndc_exec_t on line number 826
/usr/sbin/setfiles: invalid context system_u:object_r:named_var_run_t on line number 827
/usr/sbin/setfiles: invalid context system_u:object_r:named_var_run_t on line number 828
/usr/sbin/setfiles: invalid context system_u:object_r:named_var_run_t on line number 829
/usr/sbin/setfiles: invalid context system_u:object_r:named_exec_t on line number 830
/usr/sbin/setfiles: invalid context system_u:object_r:named_zone_t on line number 833
/usr/sbin/setfiles: invalid context system_u:object_r:named_conf_t on line number 834
/usr/sbin/setfiles: invalid context system_u:object_r:named_conf_t on line number 835
Exiting after 10 errors.
 [ !! ]
>>> Regenerating /etc/ld.so.cache...
 * Caching service dependencies ...
 * Cannot add provide 'net', as a service with the same name exists!
 [ ok ]
>>> sec-policy/selinux-bind-20041120 merged.

Reproducible: Always

Steps to Reproduce:
1. emerge sec-policy/selinux-bind
2. cd /etc/security/selinux/src/policy && make load # if you don't have loadpolicy USE-Flag
3. rlpkg <insert_any_package_here>

Actual Results: my whole policy crashed.. every time...
Expected Results: should have integrated this policy without errors...

After trying to integrate this policy, every merge fails, because after merging any package, portage wants to label it, which fails.. You have to unmerge it explicitly and you have to remove all hints about it under /etc/security/selinux/src/policy ... I performed make clean && make load after cleaning... It's also confusing that portage reports this ebuild to be merged...

My emerge info:

Portage 2.0.51-r3 (selinux/2004.1/x86, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.6.9-gentoo-r6 i686)
=================================================================
System uname: 2.6.9-gentoo-r6 i686 Pentium II (Klamath)
Gentoo Base System version 1.6.6
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.15.90.0.1.1-r3
Headers: sys-kernel/linux-headers-2.4.19-r1,sys-kernel/linux-headers-2.4.21-r1
Libtools: sys-devel/libtool-1.5.2-r7
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -mcpu=i686 -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mcpu=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig candy ccache distlocks loadpolicy sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://192.168.100.1/gentoo-portage"
USE="acpi berkdb crypt gd gdbm gif ipv6 mysql ncurses nls oav pam perl png python readline selinux slang snmp ssl tcpd x86 zlib"
sec-policy/selinux-bind-20041120 is ~ masked for a good reason. If you value the integrity of your system you shouldn't mix masked and stable policies. To fix your problem, do a

    USE="-selinux" emerge selinux-bind-20040428
    make -C /etc/security/selinux/src/policy clean reload relabel

and remove the selinux-bind line from /etc/portage/package.keywords
Actually I don't mix stable and unstable policies, I just have unstable policies installed (on Version 18) ... In fact, all policies I installed are in /etc/portage/package.keywords ... Any further suggestions? *G*
All currently masked policies depend on the base-policy-20041123 (that is ~ masked), that in turn depends on sys-apps/checkpolicy-1.18 (that is also masked), etc. So to summarize, you either use ONLY stable packages, or go ahead with masked ones and suffer the consequences.
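
Added example, not part of the original thread and not Gentoo's or checkpolicy's own code: a pre-flight check that scans generated policy.conf text for attributes referenced in "type" statements but never declared, which is the condition checkpolicy reported for reserved_port_type above. The sample policy text is constructed; the script looks only at "type" statements and, as a simplification, accepts a declaration anywhere in the file.

```python
import re
import sys

# Constructed sample in policy.conf syntax (not copied from a real policy).
SAMPLE_POLICY_CONF = """\
attribute domain;
attribute port_type;
attribute file_type;
# attribute reserved_port_type;   (commented out, so not a declaration)
type named_t, domain;
type rndc_port_t, port_type, reserved_port_type;
type named_conf_t alias { bind_conf_t }, file_type;
"""

ATTRIBUTE_DECL = re.compile(r"^\s*attribute\s+(\w+)\s*;")
# type NAME [alias NAME | alias { NAME ... }] [, ATTR]* ;
TYPE_DECL = re.compile(
    r"^\s*type\s+(\w+)(?:\s+alias\s+(?:\{[^}]*\}|\w+))?\s*((?:,\s*\w+\s*)*);"
)


def undeclared_attributes(policy_text):
    """Return [(line_no, type_name, attribute)] for every attribute used in
    a 'type' statement that has no 'attribute NAME;' declaration."""
    declared = set()
    uses = []
    for line_no, raw in enumerate(policy_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop trailing comments
        decl = ATTRIBUTE_DECL.match(line)
        if decl:
            declared.add(decl.group(1))
            continue
        type_stmt = TYPE_DECL.match(line)
        if type_stmt:
            for attr in re.findall(r"\w+", type_stmt.group(2)):
                uses.append((line_no, type_stmt.group(1), attr))
    return [use for use in uses if use[2] not in declared]


if __name__ == "__main__":
    # Pass the path of a generated policy.conf, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_POLICY_CONF
    problems = undeclared_attributes(text)
    for line_no, type_name, attr in problems:
        print(f"line {line_no}: type {type_name} uses undeclared attribute {attr}")
    sys.exit(1 if problems else 0)
```

A non-zero exit status lets the check gate the policy load and relabel steps, so a mismatched program policy is caught before setfiles starts rejecting contexts.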