KintaroBC n00b
Joined: 15 Feb 2014 Posts: 63 Location: Australia
Posted: Sun Jul 18, 2021 4:49 pm Post subject: SELinux can't read /etc/selinux/config
I have been trying to get an SELinux system running and I have a strange problem. I installed the no multilib hardened stage3 and then followed the installation tutorial on the wiki, to switch to an SELinux profile.
Yet SELinux will not start when the system boots despite it clearly being enabled in the kernel and /etc/selinux/config - and I think I have found the problem.
A listing of /etc/selinux shows an issue with the label for SELinux's config file...
Code:
# ls -lZ /etc/selinux/
total 16
-rw-r--r-- 1 root root ? 631 Jul 18 16:25 config
-rw-r--r--. 1 root root system_u:object_r:selinux_config_t 2622 Jul 18 14:51 semanage.conf
drwxr-xr-x. 4 root root system_u:object_r:selinux_config_t 4096 Jul 18 16:26 strict
drwxr-xr-x. 4 root root system_u:object_r:selinux_config_t 4096 Jul 18 15:15 targeted
As you can see, instead of an SELinux context there is a '?' in its place. I think this is the problem with SELinux starting on boot. I tried running 'restorecon /etc/selinux/config', but despite that the issue remains and that config file has no label.
I have also tried hitting it manually with chcon and I get a mysterious error and the file still has no label.
Code:
# chcon -u system_u -r system_r -t selinux_config_t /etc/selinux/config
chcon: can't apply partial context to unlabeled file '/etc/selinux/config'
And as a result SELinux isn't started properly...
Code:
# id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Sun Jul 18, 2021 4:57 pm
You have to relabel the filesystem
Quote:
Next relabel all devices and openrc related files. This will apply the correct security contexts (labels) onto the necessary files. We start by bind-mounting / onto /mnt/gentoo. This will allow us to relabel the mount points themselves rather than the mounted file systems that are already mounted on the main file system.
root #mkdir /mnt/gentoo
root #mount -o bind / /mnt/gentoo
In the following command, substitute strict in the next command with targeted (or other policy store name) depending on the SELINUXTYPE value. If your system has more active mountpoints than the usual set of /dev,/home,/proc,/run,/sys,/tmp, list them too.
root #setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/{dev,home,proc,run,sys,tmp}
root #umount /mnt/gentoo
If the system uses a swapfile rather than a swap partition, label it accordingly:
root #semanage fcontext -a -t swapfile_t "/swapfile"
root #restorecon /swapfile
Now relabel the entire file system. The next command will apply the correct security context onto the files on the entire file system, based on the security context information provided by the SELinux policy modules installed.
root #rlpkg -a -r
If a SELinux policy module for a package is installed after that particular package, then rlpkg needs to be run for that package to make sure that the security contexts for its files are set correctly. For instance, if sec-policy/selinux-screen would be installed manually (due to a missing dependency) after installing app-misc/screen:
root #rlpkg screen
Quote:
/etc/selinux/strict/contexts/files/file_contexts
replace strict with "targeted" if you use targeted policy.
...from the Wiki
Also you need the kernel parameter
security=selinux
KintaroBC n00b
Joined: 15 Feb 2014 Posts: 63 Location: Australia
Posted: Sun Jul 18, 2021 6:41 pm
I fixed the issue by going back to the non-SELinux profile, removing selinux-base and selinux-base-policy, and reinstalling. I also was able to determine from my shell history what I missed.
It actually wasn't the relabeling of the filesystem that I had skipped; in fact, if you look at my OP, the other files and directories in /etc/selinux had their labels.
I failed to set POLICY_TYPES in /etc/portage/make.conf, which caused SELinux to be broken. It would be nice if POLICY_TYPES being set were required for the selinux-base ebuild to go ahead.
And while I fixed it, doing everything again is not a good way of fixing anything. So I still wonder about other ways this problem could have been fixed that would have saved me time. I think I could really learn something here about SELinux.
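The thread turns on three conditions that are cheap to check before relabeling anything: the kernel command line carrying security=selinux (alamahant's reply), POLICY_TYPES in make.conf covering the SELINUXTYPE set in /etc/selinux/config (the cause KintaroBC found), and entries that `ls -lZ` shows with a '?' in the context column (the first post). The POSIX sh script below is an added diagnostic for those checks; it is not code from the thread or from the Gentoo wiki. The sample inputs are constructed except the directory listing, which is copied from the first post; the config, make.conf and cmdline contents, the `--live` flag and the script name are this example's own assumptions.

```shell
#!/bin/sh
# Added diagnostic for the SELinux bring-up problems in this thread; not code
# from the thread or the Gentoo wiki. Run with no arguments to check the
# embedded sample inputs, or with --live to read the real files on this host.

# Return 0 if the kernel command line contains security=selinux as a whole word.
cmdline_enables_selinux() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'security=selinux'
}

# Print the SELINUXTYPE value from /etc/selinux/config contents read on stdin.
config_selinuxtype() {
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*//p' | tail -n 1
}

# Print the POLICY_TYPES value from make.conf contents read on stdin, quotes stripped.
makeconf_policy_types() {
    sed -n 's/^[[:space:]]*POLICY_TYPES[[:space:]]*=[[:space:]]*//p' | tail -n 1 | tr -d '"'"'"
}

# Return 0 if the space-separated list in $1 contains the policy name $2.
policy_types_contains() {
    for t in $1; do
        [ "$t" = "$2" ] && return 0
    done
    return 1
}

# From GNU `ls -lZ` output on stdin, print names whose context column is '?'
# (no security.selinux xattr readable, as in the first post) or unlabeled_t.
# Assumes the context is the 5th column and that names contain no spaces.
unlabeled_entries() {
    awk 'NF >= 7 && ($5 == "?" || $5 ~ /:unlabeled_t(:|$)/) { print $NF }'
}

# Run every check over the four inputs, print one line per finding and
# return the number of problems found (0 means all checks passed).
preflight() {
    cmdline=$1 config=$2 makeconf=$3 listing=$4
    problems=0
    if cmdline_enables_selinux "$cmdline"; then
        echo "ok:   kernel command line has security=selinux"
    else
        echo "FAIL: kernel command line lacks security=selinux; add it to the boot entry"
        problems=$((problems + 1))
    fi
    stype=$(printf '%s\n' "$config" | config_selinuxtype)
    ptypes=$(printf '%s\n' "$makeconf" | makeconf_policy_types)
    if [ -n "$stype" ] && policy_types_contains "$ptypes" "$stype"; then
        echo "ok:   POLICY_TYPES=\"$ptypes\" covers SELINUXTYPE=$stype"
    else
        echo "FAIL: SELINUXTYPE=${stype:-unset} is not in POLICY_TYPES=\"$ptypes\"; set it in make.conf and re-emerge the policy packages"
        problems=$((problems + 1))
    fi
    for f in $(printf '%s\n' "$listing" | unlabeled_entries); do
        echo "FAIL: $f has no SELinux label; relabel with setfiles or rlpkg once the kernel boots with SELinux"
        problems=$((problems + 1))
    done
    return $problems
}

# Constructed sample inputs; the listing is copied from the first post.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro security=selinux'
SAMPLE_CONFIG='SELINUX=permissive
SELINUXTYPE=strict'
SAMPLE_MAKECONF='USE="hardened"
POLICY_TYPES="strict targeted"'
SAMPLE_LS='total 16
-rw-r--r-- 1 root root ? 631 Jul 18 16:25 config
-rw-r--r--. 1 root root system_u:object_r:selinux_config_t 2622 Jul 18 14:51 semanage.conf'

status=0
if [ "${1:-}" = "--live" ]; then
    # make.conf may be a directory on some installs; adjust the path if so.
    preflight "$(cat /proc/cmdline)" "$(cat /etc/selinux/config)" \
              "$(cat /etc/portage/make.conf)" "$(ls -lZ /etc/selinux)" || status=$?
else
    preflight "$SAMPLE_CMDLINE" "$SAMPLE_CONFIG" "$SAMPLE_MAKECONF" "$SAMPLE_LS" || status=$?
fi
echo "$status problem(s) found"
```

On the samples the script reports one problem, the unlabeled config file, because the sample make.conf already lists strict; dropping POLICY_TYPES from make.conf, as in the third post, turns that into a second failure. Run it as `sh selinux_preflight.sh --live` (a name chosen here) as root on the affected box; the checks are read-only and do not relabel anything.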