Gentoo Forums
[SOLVED] SELinux -> Relabel /dev doesn't work
Forum: Networking & Security
InteRadek
n00b
Joined: 26 Jan 2011
Posts: 4
Location: Poland

Posted: Wed Jan 26, 2011 1:16 pm    Post subject: [SOLVED] SELinux -> Relabel /dev doesn't work

When I relabel /dev according to the Handbook:

Code:
# mkdir /mnt/gentoo
# mount -o bind / /mnt/gentoo
# setfiles -r /mnt/gentoo /etc/selinux/{strict,targeted}/contexts/files/file_contexts /mnt/gentoo/dev
# umount /mnt/gentoo

after the mount, /dev is relabeled properly at /mnt/gentoo/dev, but remains unlabeled_t at /, so after umount /mnt/gentoo it is unlabeled. After a second mount, /mnt/gentoo/dev is still properly labeled with device_t.

At boot I get a lot of messages:

Code:
restorecon set context /dev/xxx->system_u:object_r:device_t failed:'Operation not supported'
udev-work[xxxx]: setfilecon /dev/xxx failed: Operation not supported

Is there any other way to relabel /dev?

Another strange thing is the line:

Code:
FEATURES variable contains unknown value(s): loadpolicy

on any use of emerge.


Last edited by InteRadek on Thu Jan 27, 2011 12:23 pm; edited 1 time in total

InteRadek
n00b
Joined: 26 Jan 2011
Posts: 4
Location: Poland

Posted: Wed Jan 26, 2011 10:16 pm

It seems that only Gentoo doesn't see the /dev labeling. After mounting the EXT3 partition in OpenSUSE, the /dev partition is labeled properly.

emerge --info
Quote:
Portage 2.1.9.25 (selinux/2007.0/amd64, gcc-4.4.4, glibc-2.11.2-r3, 2.6.36-gentoo-r5 x86_64)
=================================================================
System uname: Linux-2.6.36-gentoo-r5-x86_64-Intel-R-_Core-TM-_i3_CPU_M_350_@_2.27GHz-with-gentoo-1.12.14
Timestamp of tree: Mon, 17 Jan 2011 12:15:01 +0000
app-shells/bash: 4.1_p7
dev-lang/python: 2.6.6-r1, 3.1.2-r4
sys-apps/baselayout: 1.12.14-r1
sys-apps/sandbox: 2.4
sys-devel/autoconf: 2.65-r1
sys-devel/automake: 1.11.1
sys-devel/binutils: 2.20.1-r1
sys-devel/gcc: 4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.10
sys-devel/make: 3.81-r2
virtual/os-headers: 2.6.30-r1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=nocona -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages loadpolicy news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.mirror.dkm.cz/pub/gentoo/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync1.cz.gentoo.org/gentoo-portage"
USE="amd64 berkdb cli cracklib crypt cxx dri fortran iconv ipv6 modules mudflap ncurses nls openmp pam pcre perl pppd python readline selinux session ssl tcpd xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

tcbounce
Tux's lil' helper
Joined: 18 Nov 2003
Posts: 85
Location: South Korea

Posted: Thu Jan 27, 2011 7:12 am

I see the same regarding Gentoo and the loadpolicy feature being no longer available.

It appears the targeted profile doesn't work in Gentoo. I'm using newer ebuilds for SELinux. The reference policy is ancient on Gentoo.
I'm using the latest reference policy from Tresys, who are *meant* to maintain it to support Gentoo.

Fedora seems to do SELinux best, but I'm a gentoo nutter since way back. I'm going to get into this more as I gear up my SELinux for production.

I suggest you add the hardened-development overlay using layman -a hardened-development and start working at least with that.
There is another private overlay you can add manually too which has some improvements.

It's a work in progress for me too. Keep sharing your thoughts :)

InteRadek
n00b
Joined: 26 Jan 2011
Posts: 4
Location: Poland

Posted: Thu Jan 27, 2011 12:22 pm

Finally I found a solution by comparing the kernel config with my other computer, which has had SELinux working for about a year.

The problem was in "Device Drivers ---> Generic Driver Options ---> Maintain a devtmpfs filesystem to mount at /dev":

Code:
CONFIG_DEVTMPFS=y

after changing it to:

Code:
# CONFIG_DEVTMPFS is not set

the problem is gone. [SOLVED]
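As an added diagnostic (my own script, not from the thread), the following POSIX shell checks the two conditions behind this failure mode before anyone repeats the bind-mount relabel: whether a devtmpfs is currently mounted on /dev, and whether CONFIG_DEVTMPFS is enabled in the kernel config. The /proc/mounts and .config fragments are constructed samples, and the function names (fs_type_of, devtmpfs_enabled, diagnose) are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic example, not from the thread. Sample inputs are constructed.
# If a devtmpfs is mounted over /dev, setfiles on the bind-mounted root only
# labels the on-disk /dev directory of the root fs; the live /dev is a
# separate filesystem, which is why the labels never show up at /dev.

# Constructed /proc/mounts fragments: one with devtmpfs on /dev, one with tmpfs.
MOUNTS_DEVTMPFS='/dev/sda3 / ext3 rw,relatime,errors=continue 0 0
udev /dev devtmpfs rw,relatime,size=10240k,mode=755 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
MOUNTS_TMPFS='/dev/sda3 / ext3 rw,relatime,errors=continue 0 0
udev /dev tmpfs rw,nosuid,relatime,size=10240k,mode=755 0 0'

# Constructed /usr/src/linux/.config fragments.
CONFIG_ON='CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y'
CONFIG_OFF='# CONFIG_DEVTMPFS is not set'

# Filesystem type mounted on $2 according to mounts text $1 (the last entry
# wins, matching how later mounts stack over earlier ones). Empty if none.
fs_type_of() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { t = $3 } END { print t }'
}

# Exit 0 when CONFIG_DEVTMPFS is built into the kernel config text $1.
devtmpfs_enabled() {
    printf '%s\n' "$1" | grep -q '^CONFIG_DEVTMPFS=y$'
}

# One-line verdict from mounts text $1 and kernel config text $2.
diagnose() {
    t=$(fs_type_of "$1" /dev)
    if [ "$t" = devtmpfs ]; then
        echo "WARN: /dev is devtmpfs; relabeling via a bind mount only touches the on-disk /dev"
    elif devtmpfs_enabled "$2"; then
        echo "WARN: CONFIG_DEVTMPFS=y; udev or the kernel may mount devtmpfs over /dev at boot"
    else
        echo "OK: /dev is ${t:-not mounted} and CONFIG_DEVTMPFS is off; bind-mount relabel should stick"
    fi
}

# On a live box: diagnose "$(cat /proc/mounts)" "$(cat /usr/src/linux/.config)"
diagnose "$MOUNTS_DEVTMPFS" "$CONFIG_ON"
diagnose "$MOUNTS_TMPFS" "$CONFIG_OFF"
```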