Bug 386149

Summary:	Selinux and Emerge breakage
Product:	Gentoo Linux	Reporter:	darin hensley <coolio>
Component:	Hardened	Assignee:	SE Linux Bugs <selinux>
Status:	RESOLVED NEEDINFO
Severity:	major	CC:	coolio
Priority:	High
Version:	unspecified
Hardware:	AMD64
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	all the output and examples in file.

Description darin hensley 2011-10-07 21:44:41 UTC

on a new install, emerge breaks because of selinux. in addition, selinux it self is broken. id -Z complains that the kernel must be enabled with Selinux. but the kernel is enabled. in addition, all the policies have been installed and the entire filesystem has been relabeled. 

attached is the file with all the output and examples


Reproducible: Always

Steps to Reproduce:
1.new install with selinux enabled kernel from working selinux system.
2.set policy to targeted, install policies, rebuild sysvinit, reboot, relabel filesystem
3. emerge broken and selinux is broken.
Actual Results:  
 emerge broken and selinux is broken.id -Z shows selinux is not enabled in the kernel, everything else such as getenforce does.

Comment 1 darin hensley 2011-10-07 21:46:18 UTC

Created attachment 289137 [details]
all the output and examples in file.

could not cut and paste so best i could from command line.

Comment 2 darin hensley 2011-10-07 21:50:54 UTC

Also forgot to include that FEATURES="-selinux" does not fix the emerge breakage.

Comment 3 Anthony Basile gentoo-dev

2011-10-07 22:06:12 UTC

Did you follow the following?  If not, how did you deviate:

http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=1

Comment 4 Sven Vermeulen (RETIRED) gentoo-dev

2011-10-08 09:26:01 UTC

All breakage might be related to the issue you have that "id -Z" sais you are not running on a SELinux enabled kernel. Verify that selinuxfs is mounted (should currently be at /selinux).

What is the output of "dmesg"?

Comment 5 darin hensley 2011-10-08 12:14:24 UTC

/selinux was verified as mounted in /proc/mounts. sysvinit does this automatically now.

Comment 6 Anthony Basile gentoo-dev

2011-10-08 14:27:10 UTC

(In reply to comment #5)
> /selinux was verified as mounted in /proc/mounts. sysvinit does this
> automatically now.

Ah!  Can you provide a link for documentation since this is important for our init scripts, fstab etc.

Comment 7 darin hensley 2011-10-08 15:49:41 UTC

(In reply to comment #6)
> (In reply to comment #5)
> > /selinux was verified as mounted in /proc/mounts. sysvinit does this
> > automatically now.
> 
> Ah!  Can you provide a link for documentation since this is important for our
> init scripts, fstab etc.

i'm using sys5init-2.88-r3. there is no link or documentation, but swift looked int the code of init and found the function call where it mounts /selinux.

Comment 8 Sven Vermeulen (RETIRED) gentoo-dev

2011-10-08 16:24:43 UTC

Yup, the patched sysvinit tool calls "selinux_init_loadpolicy", part of libselinux, which does, amongst other things:

        /*
         * Check for the existence of SELinux via selinuxfs, and 
         * mount it if present for use in the calls below.  
         */
        if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {

Comment 9 Anthony Basile gentoo-dev

2011-10-09 17:25:56 UTC

(In reply to comment #8)
> Yup, the patched sysvinit tool calls "selinux_init_loadpolicy", part of
> libselinux, which does, amongst other things:
> 
>         /*
>          * Check for the existence of SELinux via selinuxfs, and 
>          * mount it if present for use in the calls below.  
>          */
>         if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno !=
> EBUSY) {

Okay but I think this is poor design in sysinit if there is no way of turning it off.

Comment 10 Sven Vermeulen (RETIRED) gentoo-dev

2011-10-13 16:42:09 UTC

It's poor design in libselinux... init just calls the function.

Comment 11 Sven Vermeulen (RETIRED) gentoo-dev

2011-10-24 19:08:35 UTC

Do you still have this issue, even with the recent stabilization of all selinux-related (newer) packages?