Bug 401589 - semanage doesn't work after updating to sec-policy/selinux-base-policy-2.20110726-r12 (from overlay)
Summary: semanage doesn't work after updating to sec-policy/selinux-base-policy-2.20110726-r12 (from overlay)
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Depends on:
Reported: 2012-01-30 22:22 UTC by Amadeusz Sławiński
Modified: 2012-03-31 13:00 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Amadeusz Sławiński 2012-01-30 22:22:50 UTC
After a system update, while testing a fix for other bugs, I had to remove some rules and noticed that semanage doesn't work in enforcing mode.

/usr/sbin/semanage: 'eselect python show' printed unrecognized value ''
However, when running it manually I get this:
#> eselect python show

Running semanage in enforcing mode:
Jan 30 23:01:07 localhost kernel: [ 2561.342555] type=1400 audit(1327960867.829:310): avc:  denied  { search } for  pid=16762 comm="python" name="env.d" dev="dm-0" ino=7414361 scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:etc_runtime_t tclass=dir
Jan 30 23:01:07 localhost kernel: [ 2561.473270] type=1400 audit(1327960867.959:311): avc:  denied  { search } for  pid=16762 comm="semanage" name="distfiles" dev="dm-0" ino=14084114 scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:portage_ebuild_t tclass=dir
Jan 30 23:01:07 localhost kernel: [ 2561.505878] type=1400 audit(1327960867.993:312): avc:  denied  { search } for  pid=16763 comm="eselect" name="portage" dev="dm-0" ino=14066311 scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:portage_ebuild_t tclass=dir
Jan 30 23:01:08 localhost kernel: [ 2561.519414] type=1400 audit(1327960868.006:313): avc:  denied  { search } for  pid=16765 comm="eselect" name="distfiles" dev="dm-0" ino=14084114 scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:portage_ebuild_t tclass=dir
Jan 30 23:01:08 localhost kernel: [ 2561.533742] type=1400 audit(1327960868.019:314): avc:  denied  { search } for  pid=16767 comm="eselect" name="env.d" dev="dm-0" ino=7414361 scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:etc_runtime_t tclass=dir

and without enforcing:

Jan 30 23:01:52 localhost kernel: [ 2606.418767] type=1400 audit(1327960912.993:316): avc:  denied  { getattr } for  pid=16773 comm="eselect" path="/usr/portage/distfiles" dev="dm-0" ino=14084114 scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:portage_ebuild_t tclass=dir

ls -Z /usr/sbin/semanage
system_u:object_r:semanage_exec_t /usr/sbin/semanage

Reproducible: Always

Steps to Reproduce:
1. try running semanage
Actual Results:  
/usr/sbin/semanage: 'eselect python show' printed unrecognized value ''

Expected Results:  
normal output

Portage (hardened/linux/amd64/selinux, gcc-4.5.3, glibc-2.14.1-r2, 3.2.2-hardened-r1 x86_64)
System uname: Linux-3.2.2-hardened-r1-x86_64-Intel-R-_Core-TM-_i3_CPU_M_350_@_2.27GHz-with-gentoo-2.1
Timestamp of tree: Mon, 30 Jan 2012 19:30:01 +0000
app-shells/bash:          4.2_p20
dev-lang/python:          2.7.2-r3, 3.2.2
dev-util/cmake:           2.8.6-r4
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.1
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.9.6-r3, 1.11.2-r1
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.3-r2, 4.7.0_alpha20120114::hardened-dev
sys-devel/gcc-config:     1.5-r2
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.2 (virtual/os-headers)
sys-libs/glibc:           2.14.1-r2
Repositories: gentoo hardened-dev my_local_overlay
ACCEPT_KEYWORDS="amd64 ~amd64"
CFLAGS="-march=native -O2 -pipe"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox selinux sesandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTDIR_OVERLAY="/var/lib/layman/hardened-development /usr/local/portage"
USE="X acpi alsa amd64 bash-completion berkdb bzip2 cli cracklib crypt cxx dbus dri gdbm gif gpm hardened iconv jpeg justify mmx modules mudflap multilib ncurses nls nptl nptlonly open_perms opengl openmp pam pax_kernel pcre png pppd readline selinux session sse sse2 ssl ssse3 sysfs system-sqlite tcpd tiff truetype udev unicode urandom usb v4l vim-syntax xinerama xorg zlib zsh-completion" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby19" USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
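The AVC lines in the description carry two distinct root causes: the search denials on etc_runtime_t (the /etc/env.d relabel Sven confirms in comment 3, hit by the python wrapper and by eselect) and the search/getattr denials on portage_ebuild_t (eselect and semanage walking under /usr/portage). The following parser is an added example and not code from this bug or from the Gentoo policy; it reads the kernel-log AVC format quoted above (the six lines are copied from the description and embedded as constructed sample input), groups denials by (source type, target type, class) the way audit2allow does, and also records which comm triggered each target type so the two causes can be told apart.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC denials quoted in this bug's description,
# in the kernel-log (type=1400) format.
SAMPLE_AVCS = """\
Jan 30 23:01:07 localhost kernel: [ 2561.342555] type=1400 audit(1327960867.829:310): avc:  denied  { search } for  pid=16762 comm="python" name="env.d" dev="dm-0" ino=7414361 scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:etc_runtime_t tclass=dir
Jan 30 23:01:07 localhost kernel: [ 2561.473270] type=1400 audit(1327960867.959:311): avc:  denied  { search } for  pid=16762 comm="semanage" name="distfiles" dev="dm-0" ino=14084114 scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:portage_ebuild_t tclass=dir
Jan 30 23:01:07 localhost kernel: [ 2561.505878] type=1400 audit(1327960867.993:312): avc:  denied  { search } for  pid=16763 comm="eselect" name="portage" dev="dm-0" ino=14066311 scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:portage_ebuild_t tclass=dir
Jan 30 23:01:08 localhost kernel: [ 2561.519414] type=1400 audit(1327960868.006:313): avc:  denied  { search } for  pid=16765 comm="eselect" name="distfiles" dev="dm-0" ino=14084114 scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:portage_ebuild_t tclass=dir
Jan 30 23:01:08 localhost kernel: [ 2561.533742] type=1400 audit(1327960868.019:314): avc:  denied  { search } for  pid=16767 comm="eselect" name="env.d" dev="dm-0" ino=7414361 scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:etc_runtime_t tclass=dir
Jan 30 23:01:52 localhost kernel: [ 2606.418767] type=1400 audit(1327960912.993:316): avc:  denied  { getattr } for  pid=16773 comm="eselect" path="/usr/portage/distfiles" dev="dm-0" ino=14084114 scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:portage_ebuild_t tclass=dir
"""

# "avc:  denied  { perm perm } for  key=value ..." ; everything after "for" is key=value pairs.
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value where value is either a quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        fields[key] = quoted if raw.startswith('"') else raw
    return {
        "decision": m.group("decision"),
        "perms": frozenset(m.group("perms").split()),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "comm": fields.get("comm"),
        # name= is used for search/lookup denials, path= when the kernel has a full path.
        "object": fields.get("path") or fields.get("name"),
    }


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def summarize(lines):
    """Group denials by (source type, target type, class), merging the permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key] |= rec["perms"]
    return rules


def to_allow_rules(rules):
    """Render the grouped denials as the allow rules audit2allow would propose."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(rules.items())
    ]


def callers(lines):
    """Map each denied target type to the set of comm values that hit it."""
    by_target = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec["decision"] == "denied":
            by_target[type_of(rec["tcontext"])].add(rec["comm"])
    return dict(by_target)


if __name__ == "__main__":
    lines = SAMPLE_AVCS.splitlines()
    for rule in to_allow_rules(summarize(lines)):
        print(rule)
    for target, comms in sorted(callers(lines).items()):
        print(f"{target}: {', '.join(sorted(comms))}")
```

The rendered allow rules are the audit2allow-style output, useful for seeing the shape of the gap; they are not the right fix here. Granting semanage_t raw access to etc_runtime_t and portage_ebuild_t from a local module would paper over a relabel that the base policy (r13, per comment 4) corrects in the semanage module itself, and would survive the upgrade as an unexplained extra permission. Before adding any local rule, confirm the label with `ls -dZ /etc/env.d` and `matchpathcon /etc/env.d` so you know whether the on-disk context or the policy is the thing that changed.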
Comment 1 Matthew Thode (prometheanfire) gentoo-dev 2012-01-30 22:27:53 UTC
test ~ # semanage boolean -l
SELinux boolean                          Description

httpd_enable_homedirs          -> off   httpd_enable_homedirs
mmap_low_allowed               -> off   mmap_low_allowed
allow_smbd_anon_write          -> off   allow_smbd_anon_write
gentoo_try_dontaudit           -> on    gentoo_try_dontaudit
allow_ptrace                   -> off   allow_ptrace
rsync_export_all_ro            -> off   rsync_export_all_ro
httpd_dbus_avahi               -> off   httpd_dbus_avahi
gentoo_nginx_can_network_connect -> off   gentoo_nginx_can_network_connect
allow_saslauthd_read_shadow    -> off   allow_saslauthd_read_shadow
allow_httpd_sys_script_anon_write -> off   allow_httpd_sys_script_anon_write
allow_ypbind                   -> off   allow_ypbind
gentoo_nginx_enable_smtp_server -> off   gentoo_nginx_enable_smtp_server
allow_user_postgresql_connect  -> off   allow_user_postgresql_connect
spamassassin_can_network       -> off   spamassassin_can_network
allow_httpd_anon_write         -> off   allow_httpd_anon_write
httpd_can_network_relay        -> off   httpd_can_network_relay
gpg_agent_env_file             -> off   gpg_agent_env_file
gentoo_nginx_enable_http_server -> off   gentoo_nginx_enable_http_server
httpd_can_sendmail             -> off   httpd_can_sendmail
global_ssp                     -> on    global_ssp
allow_httpd_user_script_anon_write -> off   allow_httpd_user_script_anon_write
allow_httpd_nagios_script_anon_write -> off   allow_httpd_nagios_script_anon_write
mail_read_content              -> off   mail_read_content
gentoo_nginx_can_network_connect_http -> off   gentoo_nginx_can_network_connect_http
samba_run_unconfined           -> off   samba_run_unconfined
allow_user_mysql_connect       -> off   allow_user_mysql_connect
secure_mode_insmod             -> off   secure_mode_insmod
use_nfs_home_dirs              -> off   use_nfs_home_dirs
init_upstart                   -> off   init_upstart
secure_mode_policyload         -> off   secure_mode_policyload
allow_execheap                 -> off   allow_execheap
httpd_use_gpg                  -> off   httpd_use_gpg
samba_domain_controller        -> off   samba_domain_controller
ssh_sysadm_login               -> off   ssh_sysadm_login
httpd_enable_ftp_server        -> off   httpd_enable_ftp_server
sepgsql_unconfined_dbadm       -> on    sepgsql_unconfined_dbadm
httpd_enable_cgi               -> off   httpd_enable_cgi
use_samba_home_dirs            -> off   use_samba_home_dirs
allow_polyinstantiation        -> off   allow_polyinstantiation
httpd_use_cifs                 -> off   httpd_use_cifs
allow_execmod                  -> off   allow_execmod
httpd_use_nfs                  -> off   httpd_use_nfs
user_direct_mouse              -> off   user_direct_mouse
httpd_unified                  -> off   httpd_unified
portage_use_nfs                -> on    portage_use_nfs
allow_gssd_read_tmp            -> on    allow_gssd_read_tmp
allow_rsync_anon_write         -> off   allow_rsync_anon_write
gentoo_nginx_enable_pop3_server -> off   gentoo_nginx_enable_pop3_server
puppet_manage_all_files        -> on    puppet_manage_all_files
entropyd_use_audio             -> on    entropyd_use_audio
spamd_enable_home_dirs         -> on    spamd_enable_home_dirs
named_write_master_zones       -> off   named_write_master_zones
sepgsql_enable_users_ddl       -> on    sepgsql_enable_users_ddl
allow_execmem                  -> off   allow_execmem
httpd_ssi_exec                 -> off   httpd_ssi_exec
samba_export_all_rw            -> off   samba_export_all_rw
user_tcp_server                -> off   user_tcp_server
allow_mount_anyfile            -> off   allow_mount_anyfile
gentoo_wait_requests           -> on    gentoo_wait_requests
allow_ssh_keysign              -> off   allow_ssh_keysign
user_ping                      -> off   user_ping
fcron_crond                    -> off   fcron_crond
console_login                  -> on    console_login
gentoo_nginx_enable_imap_server -> off   gentoo_nginx_enable_imap_server
nfs_export_all_rw              -> off   nfs_export_all_rw
allow_kerberos                 -> on    allow_kerberos
user_rw_noexattrfile           -> off   user_rw_noexattrfile
user_ttyfile_stat              -> off   user_ttyfile_stat
secure_mode                    -> off   secure_mode
httpd_can_network_connect_db   -> off   httpd_can_network_connect_db
allow_httpd_mod_auth_pam       -> off   allow_httpd_mod_auth_pam
clamd_use_jit                  -> off   clamd_use_jit
httpd_can_network_connect      -> off   httpd_can_network_connect
samba_enable_home_dirs         -> off   samba_enable_home_dirs
samba_export_all_ro            -> off   samba_export_all_ro
samba_share_fusefs             -> off   samba_share_fusefs
user_dmesg                     -> on    user_dmesg
allow_nfsd_anon_write          -> off   allow_nfsd_anon_write
allow_execstack                -> off   allow_execstack
httpd_tty_comm                 -> off   httpd_tty_comm
httpd_builtin_scripting        -> off   httpd_builtin_scripting
samba_create_home_dirs         -> off   samba_create_home_dirs
nfs_export_all_ro              -> off   nfs_export_all_ro
cron_can_relabel               -> off   cron_can_relabel
samba_share_nfs                -> off   samba_share_nfs
test ~ # getenforce 
Comment 2 Amadeusz Sławiński 2012-01-30 23:10:18 UTC
> semanage boolean -l
/usr/sbin/semanage: 'eselect python show' printed unrecognized value ''
> getenforce

I also ran rlpkg -a -r and python-updater.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-02-06 20:46:33 UTC
Confirmed; the change is because /etc/env.d is now marked as etc_runtime_t (its content is changeable by eselect, so I found it better to mark it as such).
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-02-06 21:01:05 UTC
Will be corrected in r13
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-02-20 18:01:22 UTC
In hardened-dev overlay
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-02-23 18:22:08 UTC
In main tree, ~arch'ed
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2012-03-31 13:00:17 UTC