On a new install, emerge breaks because of SELinux. In addition, SELinux itself is broken: id -Z complains that the kernel must be enabled with SELinux, but the kernel is enabled. In addition, all the policies have been installed and the entire filesystem has been relabeled. Attached is the file with all the output and examples.

Reproducible: Always

Steps to Reproduce:
1. New install with an SELinux-enabled kernel from a working SELinux system.
2. Set policy to targeted, install policies, rebuild sysvinit, reboot, relabel filesystem.
3. emerge is broken and SELinux is broken.

Actual Results: emerge is broken and SELinux is broken. id -Z shows SELinux is not enabled in the kernel; everything else, such as getenforce, does.
Created attachment 289137
All the output and examples are in the file. Could not cut and paste, so this is the best I could do from the command line.
Also forgot to include that FEATURES="-selinux" does not fix the emerge breakage.
Did you follow the following? If not, how did you deviate: http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=1
All breakage might be related to the issue you have that "id -Z" says you are not running on an SELinux-enabled kernel. Verify that selinuxfs is mounted (should currently be at /selinux). What is the output of "dmesg"?
/selinux was verified as mounted in /proc/mounts. sysvinit does this automatically now.
(In reply to comment #5)
> /selinux was verified as mounted in /proc/mounts. sysvinit does this
> automatically now.

Ah! Can you provide a link to documentation, since this is important for our init scripts, fstab etc.?
(In reply to comment #6)
> (In reply to comment #5)
> > /selinux was verified as mounted in /proc/mounts. sysvinit does this
> > automatically now.
>
> Ah! Can you provide a link for documentation since this is important for our
> init scripts, fstab etc.

I'm using sys5init-2.88-r3. There is no link or documentation, but swift looked into the code of init and found the function call where it mounts /selinux.
Yup, the patched sysvinit tool calls "selinux_init_loadpolicy", part of libselinux, which does, amongst other things:

    /*
     * Check for the existence of SELinux via selinuxfs, and
     * mount it if present for use in the calls below.
     */
    if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {
(In reply to comment #8)
> Yup, the patched sysvinit tool calls "selinux_init_loadpolicy", part of
> libselinux, which does, amongst other things:
>
> /*
> * Check for the existence of SELinux via selinuxfs, and
> * mount it if present for use in the calls below.
> */
> if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno !=
> EBUSY) {

Okay, but I think this is poor design in sysvinit if there is no way of turning it off.
It's poor design in libselinux... init just calls the function.
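The thread above turns on whether selinuxfs is actually mounted, because that mount is what libselinux (and therefore tools such as id -Z) uses to decide that the kernel is SELinux-enabled. The program below is an added example written for this page, not code from sysvinit, libselinux or the bug reporter: it parses /proc/mounts-style text for an entry whose filesystem type is selinuxfs and reports its mount point, first on a constructed sample (with selinuxfs at /selinux, the location discussed in this thread) and then on the live /proc/mounts. The sample mount lines, function names and buffer sizes are assumptions made for the example; it reads /proc/mounts only and never attempts a mount.

```c
#include <stdio.h>
#include <string.h>

/* Scan /proc/mounts-style text for a mount whose filesystem type is
 * "selinuxfs". On success copy its mount point into `out` and return 1;
 * return 0 if no such entry exists. Each /proc/mounts line has the form:
 *   <source> <mountpoint> <fstype> <options> <dump> <pass>
 * (mount points containing spaces are octal-escaped, so %s is safe). */
int find_selinuxfs_mount(const char *mounts, char *out, size_t outlen)
{
    const char *line = mounts;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;           /* truncate an oversized line */
        memcpy(buf, line, len);
        buf[len] = '\0';

        char src[128], mnt[256], type[64];
        if (sscanf(buf, "%127s %255s %63s", src, mnt, type) == 3 &&
            strcmp(type, "selinuxfs") == 0) {
            snprintf(out, outlen, "%s", mnt);
            return 1;
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Convenience check used by the self-test: 1 if selinuxfs is mounted at
 * exactly `expected` in the given text, 0 otherwise. */
int selinuxfs_at(const char *mounts, const char *expected)
{
    char mnt[256];
    if (!find_selinuxfs_mount(mounts, mnt, sizeof mnt))
        return 0;
    return strcmp(mnt, expected) == 0;
}

/* Run the same check against the live /proc/mounts.
 * Returns 1 if selinuxfs is mounted, 0 if not, -1 if /proc/mounts is unreadable. */
int selinuxfs_mounted(char *out, size_t outlen)
{
    FILE *f = fopen("/proc/mounts", "r");
    if (!f)
        return -1;
    char text[16384];
    size_t n = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[n] = '\0';
    return find_selinuxfs_mount(text, out, outlen);
}

/* Constructed sample: a /proc/mounts excerpt with selinuxfs at /selinux,
 * as sysvinit/libselinux mount it on the systems discussed in this bug. */
static const char SAMPLE_WITH_SELINUXFS[] =
    "rootfs / rootfs rw 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /selinux selinuxfs rw,relatime 0 0\n"
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n";

/* Constructed sample: the same system without the selinuxfs mount, which is
 * the state in which id -Z reports a kernel that is not SELinux-enabled. */
static const char SAMPLE_WITHOUT_SELINUXFS[] =
    "rootfs / rootfs rw 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n";

int main(void)
{
    char mnt[256];

    if (find_selinuxfs_mount(SAMPLE_WITH_SELINUXFS, mnt, sizeof mnt))
        printf("sample 1: selinuxfs mounted at %s\n", mnt);
    if (!find_selinuxfs_mount(SAMPLE_WITHOUT_SELINUXFS, mnt, sizeof mnt))
        printf("sample 2: selinuxfs not mounted\n");

    int rc = selinuxfs_mounted(mnt, sizeof mnt);
    if (rc == 1)
        printf("this host: selinuxfs mounted at %s\n", mnt);
    else if (rc == 0)
        printf("this host: selinuxfs is not mounted\n");
    else
        printf("this host: cannot read /proc/mounts\n");
    return 0;
}
```

If the live check reports no selinuxfs mount on a machine where getenforce appears to work, that discrepancy is the first thing to resolve, since every libselinux-based tool derives "SELinux enabled" from this mount rather than from the kernel config. On newer libselinux releases the expected mount point is /sys/fs/selinux rather than /selinux.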
Do you still have this issue, even with the recent stabilization of all selinux-related (newer) packages?