Summary: | (selinux) unable to load new policies since upgrading to policycoreutils 1.16 | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Jacob Chacko <j2chacko> |
Component: | Hardened | Assignee: | Chris PeBenito (RETIRED) <pebenito> |
Status: | RESOLVED INVALID | ||
Severity: | blocker | ||
Priority: | High | ||
Version: | 2004.2 | ||
Hardware: | x86 | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | | Runtime testing required: | ---
Description
Jacob Chacko
2004-11-05 19:12:33 UTC
Output from emerge info:

```
kayak root # emerge info
Portage 2.0.51-r2 (selinux/2004.1/x86, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.4.27-hardened-r2 i686)
=================================================================
System uname: 2.4.27-hardened-r2 i686 Pentium II (Klamath)
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.14.90.0.8-r1
Headers: sys-kernel/linux-headers-2.4.21-r1
Libtools: sys-devel/libtool-1.5.2-r5
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -march=i686 -fomit-frame-pointer -fforce-addr"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=i686 -fomit-frame-pointer -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.osuosl.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X arts berkdb crypt cups esd fam foomaticdb gif gpm hardened imagemagick imlib java junit kde ncurses nls opengl other_var1 other_var2 pam perl pic pie png postgres ppds python qt readline samba selinux ssl tcpd tiff usb x86 xml2 zlib"
kayak root #
```

This is an expected warning. Can you verify that the policy isn't loaded by looking at dmesg before and after attempting to load the policy?

After dmesg, here is the output. As you can see I don't have enforcing on, so all the avc errors. Thanks for your response.

```
avc: denied { read } for pid=20540 exe=/usr/bin/checkpolicy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { getattr } for pid=20540 exe=/usr/bin/checkpolicy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { ioctl } for pid=20576 exe=/usr/bin/checkpolicy path=/etc/security/selinux/src/policy.conf dev=09:01 ino=51010 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { write } for pid=20576 exe=/usr/bin/checkpolicy name=policy.15 dev=09:01 ino=52138 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { read } for pid=20608 exe=/usr/sbin/load_policy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { getattr } for pid=20608 exe=/usr/sbin/load_policy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file
avc: granted { load_policy } for pid=20608 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
security: 4 users, 5 roles, 446 types
security: 51 classes, 31065 rules
```

As evidenced by the last message in dmesg, the policy actually does get loaded. The message from load_policy is actually just a warning, which is poorly worded. It's a nonfatal warning since you have a version 15 policy, which doesn't have booleans. Checkpolicy 1.18 will be quieting this message. For your denials, a relabel should fix it. Several of the files seem to be mislabeled.
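The thread's diagnostic hinges on reading the kernel log correctly: the `avc: denied` lines are permissive-mode noise caused by mislabeled files, while the `avc: granted { load_policy }` line followed by the `security: ... rules` summary is the evidence that the new policy did load. The following script, added here as an illustration and not part of the bug report or of any Gentoo or SELinux tool, parses those 2.4-era kernel AVC messages, groups denials by source type, target type, object class and permission so mislabeled targets stand out, and reports whether a policy load was recorded. The sample log is constructed from the lines quoted in the bug; the field names (`exe`, `name`/`path`, `scontext`, `tcontext`, `tclass`) are those the kernel AVC code emits, but the function names and the reporting format are this example's own.

```python
"""Summarise SELinux AVC messages from a kernel log (added example, not from the bug).

Works on the classic "avc: denied { perm } for ... scontext=... tcontext=... tclass=..."
format shown in the bug report. Assumes each record fits on one line, as in dmesg.
"""
import re
from collections import Counter

# Constructed sample: lines copied from the dmesg output quoted in the bug.
SAMPLE_DMESG = """\
avc: denied { read } for pid=20540 exe=/usr/bin/checkpolicy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { getattr } for pid=20540 exe=/usr/bin/checkpolicy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { write } for pid=20576 exe=/usr/bin/checkpolicy name=policy.15 dev=09:01 ino=52138 scontext=root:sysadm_r:checkpolicy_t tcontext=root:object_r:etc_t tclass=file
avc: denied { read } for pid=20608 exe=/usr/sbin/load_policy name=ld.so.cache dev=09:01 ino=84859 scontext=root:sysadm_r:load_policy_t tcontext=root:object_r:etc_t tclass=file
avc: granted { load_policy } for pid=20608 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
security: 4 users, 5 roles, 446 types
security: 51 classes, 31065 rules
"""

# "avc: <decision> { perm perm ... } for <key=value ...>"
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))  # pid, exe, name/path, scontext, ...
    return rec


def type_of(context):
    """'root:sysadm_r:checkpolicy_t' -> 'checkpolicy_t' (the type field of a context)."""
    return context.split(":")[-1]


def summarise(log_text):
    """Group denials by (source type, target type, class, perm); detect a policy load.

    A load is counted as recorded only when a granted load_policy on the security
    class is followed by the kernel's "security: ..." policy summary lines.
    """
    denials = Counter()
    load_granted = False
    policy_loaded = False
    policy_stats = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            if line.startswith("security:"):
                policy_stats.append(line[len("security:"):].strip())
                policy_loaded = policy_loaded or load_granted
            continue
        if rec["decision"] == "granted":
            if "load_policy" in rec["perms"] and rec.get("tclass") == "security":
                load_granted = True
            continue
        for perm in rec["perms"]:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)
            denials[key] += 1
    return {"policy_loaded": policy_loaded, "policy_stats": policy_stats, "denials": denials}


def report(log_text):
    """Human-readable summary: policy load verdict, then denials sorted by frequency."""
    r = summarise(log_text)
    lines = ["policy loaded: %s" % ("yes" if r["policy_loaded"] else "no evidence")]
    lines += ["  " + s for s in r["policy_stats"]]
    for (src, tgt, cls, perm), n in sorted(r["denials"].items(), key=lambda kv: -kv[1]):
        lines.append("%3d  %s -> %s  %s { %s }" % (n, src, tgt, cls, perm))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DMESG))
```

Run it against `dmesg` output captured after a `load_policy` attempt: if the verdict is "no evidence", compare the `security:` summary lines before and after the attempt, as the thread suggests; if denials cluster on one target type such as `etc_t` for files that should carry a more specific label, that is the relabel case the last comment describes.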