Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 491804

Summary: =sys-apps/policycoreutils-2.2.1-r1, =sys-libs/libsemanage-2.2 - semanage broken when using strict policies
Product: Gentoo Linux Reporter: Amadeusz Sławiński <amade>
Component: SELinuxAssignee: Sven Vermeulen (RETIRED) <swift>
Status: RESOLVED FIXED    
Severity: normal CC: selinux
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: selinux-utils
Package list:
Runtime testing required: ---

Description Amadeusz Sławiński 2013-11-20 19:33:27 UTC 
It doesn't work even in permissive:

# semanage fcontext -a -t swapfile_t "/swapfile"
libsepol.context_from_record: MLS is disabled, but MLS context "s0" found (No such file or directory).
libsepol.context_from_record: could not create context structure (Invalid argument).
libsemanage.validate_handler: invalid context system_u:object_r:swapfile_t:s0 specified for /swapfile [all files] (Invalid argument).
libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
OSError: Invalid argument

# semanage login -a -s staff_u amade            
libsemanage.validate_handler: MLS is disabled, but MLS range s0 was found for Unix user amade (No such file or directory).
libsemanage.validate_handler: seuser mapping [amade -> (staff_u, s0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
OSError: No such file or directory



Reproducible: Always




Portage 2.2.7 (hardened/linux/amd64/no-multilib/selinux, gcc-4.8.2, glibc-2.17, 3.11.8-hardened x86_64)
=================================================================
System uname: Linux-3.11.8-hardened-x86_64-Intel-R-_Core-TM-_i3_CPU_M_350_@_2.27GHz-with-gentoo-2.2
KiB Mem:     2996988 total,   2036772 free
KiB Swap:    3145724 total,   3145724 free
Timestamp of tree: Mon, 18 Nov 2013 00:45:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash:          4.2_p45
dev-lang/python:          2.7.5-r4, 3.2.5-r3, 3.3.2-r2
dev-util/cmake:           2.8.12.1-r1
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.13.4, 1.14
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.7.3-r1, 4.8.1-r1, 4.8.2
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.11 (virtual/os-headers)
sys-libs/glibc:           2.17
Repositories: gentoo local-overlay
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA AdobeFlash-11.x"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=native -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=native -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs clean-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync webrsync-gpg xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/home/amade/overlay"
SYNC=""
USE="X aac acpi alsa amd64 bash-completion berkdb bzip2 cli cracklib crypt cxx dri dvd flac gdbm gif gnutls gold gpg hardened iconv icu ipv6 jpeg jpeg2k justify mmx mmxext mng modules mp3 mudflap ncurses nls nptl open_perms opengl openmp pam pax_kernel pcre png readline selinux session sse sse2 sse4_1 sse4_2 ssl ssse3 tcpd threads tiff udev unicode urandom usb v4l vim-syntax xattr xcb xft xinerama zlib zsh-completion" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en en_GB pl" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" QEMU_SOFTMMU_TARGETS="x86_64 ppc" RUBY_TARGETS="ruby20" USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 1 Amadeusz Sławiński 2013-12-05 18:47:17 UTC 
http://thread.gmane.org/gmane.comp.security.selinux/19916
So after reversing patch in above link it still breaks

After looking some more into this it seems that if I use semanage from before following commit it works ok (with patch from mailing list applied)

http://userspace.selinuxproject.org/trac/changeset/c1f763e2933cc6bd4e89e7bbd603ae1de08d081c

no patches = breakage
patch from ml = breakage
semanage from before commit = breakage
patch from ml with semanage from before commit = works
Comment 2 Amadeusz Sławiński 2013-12-05 18:55:27 UTC 
From new semanage code:

    parser.add_argument('-L', '--level', default='s0', help=_('Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)'))
def parser_add_range(parser, name):                                             
    parser.add_argument('-r', '--range', default="s0",                            
                             help=_('''         

Seems like setting those defaults is wrong idea. It should probably check if it can do mls before setting it.
If I change them to default='' it works ok.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2013-12-10 15:06:41 UTC 
policycoreutils 2.2.5 is now in the tree, can you check if everything works as expected now? I did a few tests here (strict policy) and it seems to work now.
Comment 4 Amadeusz Sławiński 2013-12-11 19:25:35 UTC 
I've run few commands and it seems working ok.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2014-01-20 20:18:32 UTC 
Stable in tree