Gentoo Forums
selinux is disabled - won't enable - dmesg clean
totony
n00b
Joined: 03 Dec 2014
Posts: 40

Posted: Wed Dec 03, 2014 10:39 pm    Post subject: selinux is disabled - won't enable - dmesg clean

Hi,

I tried to install selinux multiple times on my laptop, and failed every time.
I run a custom kernel and have SELINUX_* and SECURITY_LABELS enabled for ext4, my partition is ext4, but selinux won't enable.

The errors I have been able to see (my dmesg is clean and there is nothing in /var/log/audit/audit.log):
Code:
emerge selinux-base-policy
>>> Setting SELinux security labels
* Inserting the following modules, with base, into the strict module store:  application, authlogin, [...]
libsemanage.semanage_write_policydb: Could not open kernel policy /etc/selinux/strict/modules/tmp/policy.kern for writing (Is a directory).
semodule: Failed!
* ERROR: sec-policy/selinux-base-policy-2.20140311-r6::gentoo failed (postinst phase)
*   Failed to load in base and modules application authlogin [...]
* Call stack: ebuild.sh line 93: called pkg_postinst
* environment, line 1726: called die
* semodule -s ${i} -b base.pp ${COMMAND} || die

When I try semodule -s ${i} -b base.pp ${COMMAND} manually, there are multiple errors depending on the module added, but mostly errors about roles not being there. I tried reinstalling coreutilspolicy but to no avail.

Code:
rlpkg -ar
Running /usr/sbin/setfiles -F /etc/selinux/strict/contexts/files/file_contexts /
/usr/sbin/setfiles set context /->kernel failed: 'Operation not supported'
[...]

Code:
dmesg | grep selinux:
SELinux: Initializing.
SELinux: Starting in permissive mode
SELinux: Registering netfilter hooks


Anyone know how I could make this work? Most commands I try return "SELinux is disabled".

In other words, how can I troubleshoot selinux?

Thanks,
totony

P.S.: I tried downloading hardened-sources and building the recommended kernel, but the same thing happens (even the "kernel operation not supported of rlpkg"). Tried it with the default settings.
hololeap
n00b
Joined: 05 Oct 2013
Posts: 29

Posted: Fri Dec 05, 2014 10:34 am

Some basic questions:
  1. Are you using a SELinux profile?
  2. Have you enabled the recommended kernel options for SELinux?
totony
n00b
Joined: 03 Dec 2014
Posts: 40

Posted: Fri Dec 05, 2014 8:23 pm

Thank you for replying, I followed the instructions in the SELinux installation page. The profile I use is default/linux/amd64/13.0/selinux with USE="xattr"

I enabled the options (I even tried the gentoo hardened kernel's default options). The only thing that differs is I don't have all the filesystem supports, I only have ext4 (which is my partition's type). Also, I didn't find the
"Under "General setup"
[*] Prompt for development and/or incomplete code/drivers"
totony
n00b
Joined: 03 Dec 2014
Posts: 40

Posted: Sat Dec 13, 2014 5:39 pm

Still interested in a solution (bump)
N8Fear
Tux's lil' helper
Joined: 15 Apr 2013
Posts: 140
Location: Berlin (Germany)

Posted: Sat Dec 13, 2014 7:43 pm

Do you have the selinux fs mounted somewhere (I think nowadays it's not in /selinux anymore, but somewhere under /sys)?
totony
n00b
Joined: 03 Dec 2014
Posts: 40

Posted: Sat Dec 13, 2014 9:12 pm

Yes, it's mounted: selinuxfs on /selinux type selinuxfs (rw)
totony
n00b
Joined: 03 Dec 2014
Posts: 40

Posted: Sun Dec 14, 2014 9:16 pm

update: the "Could not open kernel policy /etc/selinux/strict/modules/tmp/policy.kern" happens for:
su.pp
storage.pp
userdomain.pp
application.pp

in /usr/share/selinux/strict/*.pp
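
The checks raised in this thread (kernel options, boot parameters, the selinuxfs mount, the root filesystem type, and what sits at the policy.kern path from the libsemanage error), collected into one POSIX shell script as an added example that is not from any poster. The function names, the script name and the default path /usr/src/linux/.config are assumptions; the other paths are those quoted in the posts or standard /proc files.

```shell
#!/bin/sh
# Added example (not from the thread). Inputs are arguments, so each check
# can run against the live system or against copies of the files.
# Kernel options; CONFIG_EXT4_FS_SECURITY is the "Ext4 Security Labels" entry.
# $1 = kernel config, e.g. /usr/src/linux/.config (assumed location)
check_kconfig() {
    missing=""
    for opt in CONFIG_SECURITY_SELINUX CONFIG_EXT4_FS_SECURITY; do
        grep -q "^${opt}=y" "$1" 2>/dev/null || missing="$missing $opt"
    done
    if [ -z "$missing" ]; then echo "ok"; else echo "missing:$missing"; fi
}

# selinux=0 disables SELinux at boot on kernels built with
# CONFIG_SECURITY_SELINUX_BOOTPARAM. $1 = contents of /proc/cmdline
check_cmdline() {
    case " $1 " in
        *" selinux=0 "*) echo "disabled" ;;
        *) echo "ok" ;;
    esac
}

# Mount point of selinuxfs (/selinux or /sys/fs/selinux); empty if unmounted.
# $1 = mount table, e.g. /proc/mounts
selinuxfs_mountpoint() {
    awk '$3 == "selinuxfs" { print $2; exit }' "$1"
}

# Filesystem type of /; the last matching line of the mount table wins.
rootfs_type() {
    awk '$2 == "/" { t = $3 } END { print t }' "$1"
}

# libsemanage reported "Is a directory" for tmp/policy.kern in the module
# store; report what sits at that path. $1 = e.g. /etc/selinux/strict/modules
policy_kern_kind() {
    p="$1/tmp/policy.kern"
    if [ -d "$p" ]; then echo "directory"
    elif [ -e "$p" ]; then echo "file"
    else echo "absent"
    fi
}

# Live run: sh selinux-check.sh --live   (script name is a placeholder)
if [ "${1:-}" = "--live" ]; then
    echo "kernel config: $(check_kconfig /usr/src/linux/.config)"
    echo "boot cmdline : $(check_cmdline "$(cat /proc/cmdline)")"
    echo "selinuxfs at : $(selinuxfs_mountpoint /proc/mounts)"
    echo "root fs type : $(rootfs_type /proc/mounts)"
    echo "policy.kern  : $(policy_kern_kind /etc/selinux/strict/modules)"
fi
```

A `missing:` result for CONFIG_EXT4_FS_SECURITY or a root filesystem type other than ext4 is worth comparing against the setfiles "Operation not supported" message, since that option controls whether ext4 can store security labels.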