SELinux fails to work because of these missing files:

/etc/selinux/strict/contexts/files/file_contexts
/var/lib/selinux/strict/active/*

Reproducible: Always

Steps to Reproduce:
1. Download/deploy stage3 tarball
2. Attempt to use selinux

Actual Results:
context/policy files missing, preventing selinux from working

Expected Results:
selinux install works
Please state precisely which stage3 you used and which command you used to extract it.
I used `stage3-amd64-openrc-20230122T154655Z.tar.xz` and extracted with `tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner`

I'm not sure if these files should be in the stage tarball, but changing to the selinux profile results in these being missing.

I ran eselect profile set 4 to set the profile (default/linux/amd64/17.1/hardened/selinux (stable))

I added `POLICY_TYPES="strict"` to my make.conf

I ran the following commands:

FEATURES="-selinux" emerge -1 selinux-base
FEATURES="-selinux -sesandbox" emerge -1 selinux-base
FEATURES="-selinux -sesandbox" emerge -1 selinux-base-policy

All of these failed with errors about missing file contexts. I was unable to run the last emerge -uDN @world because of this; once the selinux features were being used, portage seemed to fail.

Additionally, setting "selinux=disabled" in the /etc/selinux/config file didn't seem to be respected, and it would boot into permissive mode. The only way I was able to make the system work properly was by recompiling the kernel without SELinux.
(In reply to zen from comment #2)
> I used `stage3-amd64-openrc-20230122T154655Z.tar.xz` and extracted with `tar
> xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner`

It's expected that vanilla stage3s do not have SELinux labels.

> I'm not sure if these files should be in the stage tarball, but changing to
> the selinux profile results in these being missing.
>
> I ran eselect profile set 4 to set the profile
> (default/linux/amd64/17.1/hardened/selinux (stable))

What happens if you follow https://wiki.gentoo.org/wiki/SELinux/Installation and compare your steps to that?
That is what I was following originally. I'm trying to run through this again.

Relevant make.conf:

POLICY_TYPES="strict"
USE="btrfs open_perms peer_perms ubac -ipv6 -cups"

Ran:

FEATURES="-selinux" emerge -1 selinux-base
No error
FEATURES="-selinux -sesandbox" emerge -1 selinux-base
No error
FEATURES="-selinux -sesandbox" emerge -1 selinux-base-policy
No error

I ran emerge -uDN @world with no errors, but there was only one package update.

I ran the following and got this error:

mount -o bind / /mnt/gentoo
setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/{dev,home,proc,run,sys,tmp}
/etc/selinux/strict/contexts/files/file_contexts: No such file or directory

Everything seems to be the same; I don't think I'm missing anything in the wiki and I'm pretty familiar with this process. The file_contexts file seems to be missing and I don't know where it's generally generated.
That's what I get with a selinux stage3 in fish shell. Except for the ".keep" file the "policy" folder is empty and "./etc/selinux/strict/contexts/files/file_contexts" is missing.

❯ cd $(mktemp -d)
❯ curl -fsSL -O https://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64-hardened-selinux-openrc/stage3-amd64-hardened-selinux-openrc-20230122T154655Z.tar.xz
❯ curl -fsSL -O https://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64-hardened-selinux-openrc/stage3-amd64-hardened-selinux-openrc-20230122T154655Z.tar.xz.asc
❯ gpg --verify stage3-amd64-hardened-selinux-openrc-20230122T154655Z.tar.xz.asc stage3-amd64-hardened-selinux-openrc-20230122T154655Z.tar.xz
gpg: Signature made Mo 23 Jan 2023 14:41:09 CET
gpg: using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <MASKED>" [marginal]
gpg: option --sender given but no matching User ID found
gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910
Subkey fingerprint: 534E 4209 AB49 EEE1 C19D 9616 2C44 695D B9F6 043D
❯ sudo -i tar -C /tmp/tmp.9UTiYuxNzn/ -xf /tmp/tmp.9UTiYuxNzn/stage3-amd64-hardened-selinux-openrc-20230122T154655Z.tar.xz
❯ echo $status
0
❯ find ./etc/selinux/strict/contexts/files ./etc/selinux/strict/policy
./etc/selinux/strict/contexts/files
./etc/selinux/strict/contexts/files/file_contexts.subs_dist
./etc/selinux/strict/contexts/files/media
./etc/selinux/strict/contexts/files/file_contexts.local
./etc/selinux/strict/contexts/files/file_contexts.local.bin
./etc/selinux/strict/policy
./etc/selinux/strict/policy/.keep_sec-policy_selinux-base-0
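A pre-flight check for the policy tree that the report and the listing above found incomplete, written as an added example (it is not code from the bug report or from Gentoo); the paths are the ones quoted in this thread, while the function names and the make.conf parsing are my own. Running it before setfiles turns the "No such file or directory" surprise into an explicit list of what the selinux-base-policy build has not yet produced.

```shell
# selinux_policy_ready ROOT TYPE
# Prints each missing item of the SELinux policy store under ROOT for policy
# type TYPE (e.g. "strict") and returns 1 if anything is missing.
selinux_policy_ready() {
    root=${1%/}
    type=$2
    missing=0

    # file_contexts is what setfiles/rlpkg consume. It is generated when
    # selinux-base-policy is built; the stage3 tarball does not ship it.
    fc="$root/etc/selinux/$type/contexts/files/file_contexts"
    if [ ! -f "$fc" ]; then
        echo "missing: $fc"
        missing=1
    fi

    # A compiled policy (policy.NN) must exist; a lone .keep file does not count.
    if ! ls "$root/etc/selinux/$type/policy"/policy.* >/dev/null 2>&1; then
        echo "missing: $root/etc/selinux/$type/policy/policy.*"
        missing=1
    fi

    # The semanage store that the original report also found absent.
    active="$root/var/lib/selinux/$type/active"
    if [ ! -d "$active" ] || [ -z "$(ls -A "$active" 2>/dev/null)" ]; then
        echo "missing: $active/*"
        missing=1
    fi
    return $missing
}

# selinux_policy_type MAKE_CONF
# Extracts the first entry of POLICY_TYPES from a make.conf so the check
# above can be run for the type that was actually configured.
selinux_policy_type() {
    sed -n 's/^POLICY_TYPES="\([^" ]*\).*/\1/p' "$1" | head -n 1
}
```

Typical use on a chrooted install: `selinux_policy_ready / "$(selinux_policy_type /etc/portage/make.conf)" || echo "re-emerge selinux-base-policy before relabelling"`.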
Emerging selinux-dbus, then re-emerging selinux-base-policy, corrects this.
Same issue(s). This also translates into failing to load modules, cf. https://forums.gentoo.org/viewtopic-t-1169494.html

Following advice from #gentoo-hardened, I needed to install not only selinux-dbus but also selinux-policykit.

This said, I'm still not able to boot in enforcing due to various issues with systemd-* binaries (systemd-cryptsetup, systemd-tmpfiles, systemd-resolved, systemd-timesyncd, etc.)