Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 73175 - sec-policy/selinux-bind-20041120 doesnt load into policy management version 18
Summary: sec-policy/selinux-bind-20041120 doesnt load into policy management version 18
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: x86 Linux
: High major (vote)
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-12-02 15:34 UTC by Nicolas Vilz
Modified: 2004-12-04 07:49 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Nicolas Vilz 2004-12-02 15:34:41 UTC 
when I try to load sec-policy/selinux-bind, the policy compilation crashes with following errormessage:

domains/program/named.te:14:ERROR 'attribute reserved_port_type is not declared' at token ';' on line 38365:
#
type rndc_port_t, port_type, reserved_port_type;
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration
make: *** [/etc/security/selinux/policy.18] Error 1
make: Leaving directory `/etc/security/selinux/src/policy'                                                                                             [ !! ]

afterwards the whole labeling crashes with following errmor message:

/usr/sbin/setfiles:  invalid context system_u:object_r:named_conf_t on line number 824
/usr/sbin/setfiles:  invalid context system_u:object_r:named_exec_t on line number 825
/usr/sbin/setfiles:  invalid context system_u:object_r:ndc_exec_t on line number 826
/usr/sbin/setfiles:  invalid context system_u:object_r:named_var_run_t on line number 827
/usr/sbin/setfiles:  invalid context system_u:object_r:named_var_run_t on line number 828
/usr/sbin/setfiles:  invalid context system_u:object_r:named_var_run_t on line number 829
/usr/sbin/setfiles:  invalid context system_u:object_r:named_exec_t on line number 830
/usr/sbin/setfiles:  invalid context system_u:object_r:named_zone_t on line number 833
/usr/sbin/setfiles:  invalid context system_u:object_r:named_conf_t on line number 834
/usr/sbin/setfiles:  invalid context system_u:object_r:named_conf_t on line number 835
Exiting after 10 errors.   


I have to remove all entries about bind in policy.conf and I have to delete the file named.te under /etc/security/selinux/src/policy/domains/program to fix my policies.


loadpolicy
 * Automatically loading policy ...
make: Entering directory `/etc/security/selinux/src/policy'
 * Creating policy.conf
 * Policy version: 18
 * Kernel version: 18
 * Compiling and installing policy.18
/usr/bin/checkpolicy:  loading policy configuration from /etc/security/selinux/src/policy.conf
domains/program/named.te:14:ERROR 'attribute reserved_port_type is not declared' at token ';' on line 38365:
#
type rndc_port_t, port_type, reserved_port_type;
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration
make: *** [/etc/security/selinux/policy.18] Error 1
make: Leaving directory `/etc/security/selinux/src/policy'                                                                                             [ !! ]
 * Regenerating file contexts ...
/usr/sbin/setfiles:  invalid context system_u:object_r:named_conf_t on line number 824
/usr/sbin/setfiles:  invalid context system_u:object_r:named_exec_t on line number 825
/usr/sbin/setfiles:  invalid context system_u:object_r:ndc_exec_t on line number 826
/usr/sbin/setfiles:  invalid context system_u:object_r:named_var_run_t on line number 827
/usr/sbin/setfiles:  invalid context system_u:object_r:named_var_run_t on line number 828
/usr/sbin/setfiles:  invalid context system_u:object_r:named_var_run_t on line number 829
/usr/sbin/setfiles:  invalid context system_u:object_r:named_exec_t on line number 830
/usr/sbin/setfiles:  invalid context system_u:object_r:named_zone_t on line number 833
/usr/sbin/setfiles:  invalid context system_u:object_r:named_conf_t on line number 834
/usr/sbin/setfiles:  invalid context system_u:object_r:named_conf_t on line number 835
Exiting after 10 errors.                                                                                                                               [ !! ]
>>> Regenerating /etc/ld.so.cache...
 * Caching service dependencies ...
 *  Cannot add provide 'net', as a service with the same name exists!                                                                                  [ ok ]
>>> sec-policy/selinux-bind-20041120 merged.


Reproducible: Always
Steps to Reproduce:
1. emerge sec-policy/selinux-bind
2. cd /etc/security/selinux/src/policy && make load # if you don't have loadpolicy USE-Flag
3. rlpkg <insert_any_package_here>

Actual Results:  
my hole policy crashed.. everytime...

Expected Results:  
should have integrated this policy without errors...

after trying to integrate this policy, every merge fails, because after merging
any package, portage wants to label it, which fails.. you have to unmerge it
explicitely and you have to remove all hints about it under
/etc/security/selinux/src/policy ... i performed make clean && make load after
cleaning...

its also confusing, that portage reports this ebuild to be merged...

my emerge info
Portage 2.0.51-r3 (selinux/2004.1/x86, gcc-3.3.4, glibc-2.3.4.20040808-r1,
2.6.9-gentoo-r6 i686)
=================================================================
System uname: 2.6.9-gentoo-r6 i686 Pentium II (Klamath)
Gentoo Base System version 1.6.6
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.15.90.0.1.1-r3
Headers:  sys-kernel/linux-headers-2.4.19-r1,sys-kernel/linux-headers-2.4.21-r1
Libtools: sys-devel/libtool-1.5.2-r7
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -mcpu=i686 -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mcpu=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig candy ccache distlocks loadpolicy sandbox
sfperms strict"
GENTOO_MIRRORS="ftp://ftp.tu-clausthal.de/pub/linux/gentoo/
ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo
http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/
ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/
http://ftp.uni-erlangen.de/pub/mirrors/gentoo
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo
http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/
http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/
ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/
ftp://ftp.gentoo.mesh-solutions.com/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://192.168.100.1/gentoo-portage"
USE="acpi berkdb crypt gd gdbm gif ipv6 mysql ncurses nls oav pam perl png
python readline selinux slang snmp ssl tcpd x86 zlib"
Comment 1 petre rodan (RETIRED) gentoo-dev 2004-12-02 23:48:22 UTC 
sec-policy/selinux-bind-20041120 is ~ masked for a good reason. If you value the integrity of your system you shouldn't mix masked and stable policies.

to fix your problem, do a 

USE="-selinux" emerge selinux-bind-20040428
make -C /etc/security/selinux/src/policy clean reload relabel

and remove the selinux-bind line from /etc/portage/package.keywords
Comment 2 Nicolas Vilz 2004-12-03 13:32:05 UTC 
actually I don't mix stable and unstable policies, i just have unstable policies installed (on Version 18) ... In fact, all policies i installed are in /etc/portage/package.keywords ...

Any further Suggestions? *G*
Comment 3 petre rodan (RETIRED) gentoo-dev 2004-12-04 07:49:52 UTC 
all currently masked policies depend on the base-policy-20041123 (that is ~ masked)
that in turn, depends on sys-apps/checkpolicy-1.18 (that is also masked)
etc

so to summarize, you either use ONLY stable packages, or go ahead with masked ones and suffer the consequences.