Gentoo Forums
SELinux can't read /etc/selinux/config
Forum: Networking & Security
KintaroBC
n00b


Joined: 15 Feb 2014
Posts: 63
Location: Australia

PostPosted: Sun Jul 18, 2021 4:49 pm    Post subject: SELinux can't read /etc/selinux/config

I have been trying to get an SELinux system running and I have a strange problem. I installed the no multilib hardened stage3 and then followed the installation tutorial on the wiki, to switch to an SELinux profile.

Yet SELinux will not start when the system boots despite it clearly being enabled in the kernel and /etc/selinux/config - and I think I have found the problem.

A listing of /etc/selinux shows an issue with the label for SELinux's config file...
Code:

# ls -lZ /etc/selinux/
total 16
-rw-r--r--  1 root root ?                                   631 Jul 18 16:25 config
-rw-r--r--. 1 root root system_u:object_r:selinux_config_t 2622 Jul 18 14:51 semanage.conf
drwxr-xr-x. 4 root root system_u:object_r:selinux_config_t 4096 Jul 18 16:26 strict
drwxr-xr-x. 4 root root system_u:object_r:selinux_config_t 4096 Jul 18 15:15 targeted


As you can see, instead of an SELinux context there is a '?' in its place. I think this is the problem with SELinux starting on boot. I tried running 'restorecon /etc/selinux/config', but despite that the issue remains and that config file has no label.

I have also tried hitting it manually with chcon and I get a mysterious error and the file still has no label.

Code:

# chcon -u system_u -r system_r -t selinux_config_t /etc/selinux/config
chcon: can't apply partial context to unlabeled file '/etc/selinux/config'


And as a result SELinux isn't started properly...

Code:

# id -Z
id: --context (-Z) works only on an SELinux-enabled kernel
alamahant
Advocate


Joined: 23 Mar 2019
Posts: 3879

PostPosted: Sun Jul 18, 2021 4:57 pm

You have to relabel the filesystem
Quote:

Next relabel all devices and openrc related files. This will apply the correct security contexts (labels) onto the necessary files. We start by bind-mounting / onto /mnt/gentoo. This will allow us to relabel the mount points themselves rather than the mounted file systems that are already mounted on the main file system.

root #mkdir /mnt/gentoo
root #mount -o bind / /mnt/gentoo
In the following command, substitute strict in the next command with targeted (or other policy store name) depending on the SELINUXTYPE value. If your system has more active mountpoints than the usual set of /dev,/home,/proc,/run,/sys,/tmp, list them too.

root #setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/{dev,home,proc,run,sys,tmp}
root #umount /mnt/gentoo
If the system uses a swapfile rather than a swap partition, label it accordingly:

root #semanage fcontext -a -t swapfile_t "/swapfile"
root #restorecon /swapfile
Now relabel the entire file system. The next command will apply the correct security context onto the files on the entire file system, based on the security context information provided by the SELinux policy modules installed.

root #rlpkg -a -r
If a SELinux policy module for a package is installed after that particular package, then rlpkg needs to be run for that package to make sure that the security contexts for its files are set correctly. For instance, if sec-policy/selinux-screen would be installed manually (due to a missing dependency) after installing app-misc/screen:

root #rlpkg screen


Quote:

/etc/selinux/strict/contexts/files/file_contexts

replace strict with "targeted" if you use the targeted policy.
...from the Wiki
Also you need the kernel parameter

security=selinux
KintaroBC
n00b


Joined: 15 Feb 2014
Posts: 63
Location: Australia

PostPosted: Sun Jul 18, 2021 6:41 pm

I fixed the issue by going back to the non-SELinux profile, removing selinux-base and selinux-base-policy, and reinstalling. I also was able to determine from my shell history what I missed.

It actually wasn't the relabeling of the filesystem that I had skipped, in fact if you look at my OP the other files and directories in /etc/selinux had their labels.

I failed to set POLICY_TYPES in /etc/portage/make.conf which caused SELinux to be broken. It would be nice if POLICY_TYPES being set was required for the ebuild for selinux-base to go ahead.

And while I fixed it, doing everything again is not a good way of fixing anything. So I still wonder about other ways this problem could have been fixed that would have saved me time. I think I could really learn something here about SELinux.
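A pre-flight check that ties the three points in this thread together: the '?' in the context column of the `ls -lZ` listing from the first post (a file with no readable security.selinux xattr, which is why chcon refuses a partial -u/-r/-t context and wants a full one such as `chcon system_u:object_r:selinux_config_t /etc/selinux/config`), the mount-point list the wiki quote tells you to pass to setfiles, and the POLICY_TYPES setting the OP found missing from make.conf. This is an added example and not code from the original posts or from the Gentoo wiki. The `ls -lZ` sample is the listing posted above; the /proc/mounts table is constructed; /mnt/gentoo is assumed as the bind-mount path because that is what the quoted wiki steps use.

```shell
#!/bin/sh
# Pre-flight checks for a Gentoo SELinux conversion. Added example; not code
# from the original posts or from the Gentoo wiki. Inputs are read from files
# or stdin so the functions run on constructed data as well as on a live host.

# 1. The '?' in an `ls -lZ` context column means the file has no readable
#    security.selinux xattr. Print the names of such entries from ls output on
#    stdin. Field layout: perms links user group context size month day time
#    name (names containing spaces are not handled).
unlabeled_from_ls() {
    awk 'NF >= 9 && $5 == "?" { print $NF }'
}

# 2. Read POLICY_TYPES from a make.conf-style file. Prints the value, or
#    "unset" if the variable is missing or empty. The last assignment wins,
#    as in the shell; a trailing '#' comment is ignored.
policy_types_in() {
    local v
    v=$(sed -n -E "s/^[[:space:]]*POLICY_TYPES=[\"']?([^\"'#]*).*/\\1/p" "$1" \
        | tail -n 1 | sed -E 's/[[:space:]]+$//')
    if [ -z "$v" ]; then echo unset; else echo "$v"; fi
}

# 3. Build the wiki's setfiles command for the given policy store from a
#    /proc/mounts-style table on stdin. Only top-level mount points are
#    listed: with / bind-mounted at /mnt/gentoo (assumed path, as in the
#    wiki), a nested mount point such as /dev/pts does not exist on the root
#    file system and cannot be relabelled through the bind mount.
setfiles_cmd() {
    local store all mp other nested mps
    store="$1"; all=""; mps=""
    while read -r _dev mp _rest; do
        case "$mp" in /|/mnt/gentoo) continue ;; esac
        all="$all $mp"
    done
    for mp in $all; do
        nested=0
        for other in $all; do
            case "$mp" in "$other"/*) nested=1 ;; esac
        done
        if [ "$nested" -eq 0 ]; then mps="$mps /mnt/gentoo$mp"; fi
    done
    echo "setfiles -r /mnt/gentoo /etc/selinux/$store/contexts/files/file_contexts$mps"
}

# 4. The precondition `id -Z` complained about: selinuxfs is only mounted at
#    /sys/fs/selinux when the running kernel has SELinux enabled.
kernel_selinux_enabled() {
    [ -e /sys/fs/selinux/enforce ]
}

# The ls -lZ listing from the first post, used as sample input.
sample_ls_lZ() {
    cat <<'EOF'
total 16
-rw-r--r--  1 root root ?                                   631 Jul 18 16:25 config
-rw-r--r--. 1 root root system_u:object_r:selinux_config_t 2622 Jul 18 14:51 semanage.conf
drwxr-xr-x. 4 root root system_u:object_r:selinux_config_t 4096 Jul 18 16:26 strict
drwxr-xr-x. 4 root root system_u:object_r:selinux_config_t 4096 Jul 18 15:15 targeted
EOF
}

# A constructed /proc/mounts table (not from the post).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
devtmpfs /dev devtmpfs rw 0 0
devpts /dev/pts devpts rw 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
cgroup2 /sys/fs/cgroup cgroup2 rw 0 0
tmpfs /run tmpfs rw 0 0
tmpfs /tmp tmpfs rw 0 0
/dev/sda3 /home ext4 rw 0 0
/dev/sda2 /mnt/gentoo ext4 rw 0 0
EOF
}

echo "unlabeled in posted listing: $(sample_ls_lZ | unlabeled_from_ls)"
echo "relabel command: $(sample_mounts | setfiles_cmd strict)"
if kernel_selinux_enabled; then
    echo "kernel SELinux: enabled"
else
    echo "kernel SELinux: not enabled in the running kernel (id -Z will fail)"
fi
```

On a real box, feed the functions live data instead of the samples: `ls -lZ /etc/selinux | unlabeled_from_ls`, `policy_types_in /etc/portage/make.conf` and `setfiles_cmd strict < /proc/mounts`. Run the POLICY_TYPES check before emerging selinux-base-policy and the unlabeled-file check after every emerge that touches /etc/selinux, since a file recreated while the kernel is not running SELinux comes back without a label.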