Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] Is my Selinux working properly?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
vcmota
n00b
n00b


Joined: 19 Jun 2017
Posts: 47

PostPosted: Tue Jul 18, 2017 1:14 am    Post subject: [SOLVED] Is my Selinux working properly? Reply with quote

It may be a silly error, maybe no error at all, I dont know... I have followed all steps in the Selinux installation guide, starting from the fact that I have a hardened kernel installed:

Code:
vinicius@mossadegh ~ $ uname -r
4.8.17-hardened-r2


and during its configuration I setup all the kernel options regarding selinux as mandated by the gentoo documentation. But in the final steps of the configuration I get the following errors:


Code:

vinicius@mossadegh ~ $ su -
Password:
mossadegh ~ # setsebool -P global_ssp on
mossadegh ~ # semanage login -a -s staff_u vinicius
libsemanage.dbase_llist_query: could not query record value
OSError: [Errno 0] Error
mossadegh ~ # semanage login -a -s staff_u vinicius
libsemanage.dbase_llist_query: could not query record value
OSError: [Errno 0] Error
mossadegh ~ # restorecon -R -F /home/vinicius
mossadegh ~ # semanage user -m -R "staff_r sysadm_r system_r" root
ValueError: SELinux user root is not defined
mossadegh ~ # semanage user -m -R "staff_r sysadm_r system_r" root^C
mossadegh ~ # semanage user -m -R "staff_r sysadm_r system_r" staff_u
ValueError: SELinux user staff_u is not defined


Now, when I emerge any given app, during the emerging process I get the message

Code:
Failed to set new SELinux execution context. Is your current SELinux context allowed to run Portage?


while during the installation the message is
Code:
Setting SELinux security labels
without any apparent errors.

I believe my profile is correct

Code:
mossadegh ~ # eselect profile list
Available profile symlink targets:
  [1]   default/linux/amd64/13.0
  [2]   default/linux/amd64/13.0/selinux
  [3]   default/linux/amd64/13.0/desktop
  [4]   default/linux/amd64/13.0/desktop/gnome
  [5]   default/linux/amd64/13.0/desktop/gnome/systemd
  [6]   default/linux/amd64/13.0/desktop/plasma
  [7]   default/linux/amd64/13.0/desktop/plasma/systemd
  [8]   default/linux/amd64/13.0/developer
  [9]   default/linux/amd64/13.0/no-multilib
  [10]  default/linux/amd64/13.0/systemd
  [11]  default/linux/amd64/13.0/x32
  [12]  hardened/linux/amd64
  [13]  hardened/linux/amd64/selinux *
  [14]  hardened/linux/amd64/no-multilib
  [15]  hardened/linux/amd64/no-multilib/selinux
  [16]  hardened/linux/amd64/x32
  [17]  hardened/linux/musl/amd64
  [18]  hardened/linux/musl/amd64/x32
  [19]  default/linux/uclibc/amd64
  [20]  hardened/linux/uclibc/amd64


I also believe there is nothing unusual with the config file:

Code:
mossadegh ~ # cat /etc/selinux/config
# This file controls the state of SELinux on the system on boot.

# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive

# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security
#                  (mls, but only one sensitivity level)
SELINUXTYPE=strict


By the way, this may be relevant:
Code:
mossadegh ~ # emerge --info
 !!! SYNC setting found in make.conf.
     This setting is Deprecated and no longer used.  Please ensure your 'sync-type' and 'sync-uri' are set correctly in /etc/portage/repos.conf/gentoo.conf
 Portage 2.3.6 (python 3.4.5-final-0, hardened/linux/amd64/selinux, gcc-5.4.0, glibc-2.23-r4, 4.8.17-hardened-r2 x86_64)
 =================================================================
 System uname: Linux-4.8.17-hardened-r2-x86_64-Intel-R-_Core-TM-_i7-3612QM_CPU_@_2.10GHz-with-gentoo-2.3
 KiB Mem:     8032808 total,   3215948 free
 KiB Swap:          0 total,         0 free
 Timestamp of repository gentoo: Thu, 13 Jul 2017 22:00:01 +0000
 sh bash 4.3_p48-r1
 ld GNU ld (Gentoo 2.28 p1.2) 2.28
 app-shells/bash:          4.3_p48-r1::gentoo
 dev-lang/perl:            5.24.1-r2::gentoo
 dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo
 dev-util/cmake:           3.7.2::gentoo
 dev-util/pkgconfig:       0.28-r2::gentoo
 sys-apps/baselayout:      2.3::gentoo
 sys-apps/openrc:          0.26.3::gentoo
 sys-apps/sandbox:         2.10-r3::gentoo
 sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
 sys-devel/automake:       1.11.6-r1::gentoo, 1.15-r2::gentoo
 sys-devel/binutils:       2.28-r2::gentoo
 sys-devel/gcc:            5.4.0-r3::gentoo
 sys-devel/gcc-config:     1.7.3::gentoo
 sys-devel/libtool:        2.4.6-r3::gentoo
 sys-devel/make:           4.2.1::gentoo
 sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
 sys-libs/glibc:           2.23-r4::gentoo
 Repositories:

 gentoo
     location: /usr/portage
     sync-type: rsync
     sync-uri: rsync://rsync.gentoo.org/gentoo-portage
     priority: -1000

 ACCEPT_KEYWORDS="amd64"
 ACCEPT_LICENSE="* -@EULA"
 CBUILD="x86_64-pc-linux-gnu"
 CFLAGS="-march=native -O2 -pipe"
 CHOST="x86_64-pc-linux-gnu"
 CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/gnupg/qualified.txt"
 CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
 CXXFLAGS="-march=native -O2 -pipe"
 DISTDIR="/usr/portage/distfiles"
 FCFLAGS="-O2 -pipe"
 FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
 FFLAGS="-O2 -pipe"
 GENTOO_MIRRORS="http://gentoo.c3sl.ufpr.br/ rsync://gentoo.c3sl.ufpr.br/gentoo/ ftp://gentoo.c3sl.ufpr.br/gentoo/ ftp://ftp.las.ic.unicamp.br/pub/gentoo/ http://www.las.ic.unicamp.br/pub/gentoo/"
 LDFLAGS="-Wl,-O1 -Wl,--as-needed"
 MAKEOPTS="-j5"
 PKGDIR="/usr/portage/packages"
 PORTAGE_CONFIGROOT="/"
 PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
 PORTAGE_TMPDIR="/var/tmp"
 USE="acl alsa amd64 berkdb bindist bzip2 cli consolekit cracklib crypt cxx dbus dri fortran gdbm hardened iconv ipv6 justify modules multilib ncurses neworkmanager nls nptl open_perms openmp pam pax_kernel pcre peer_perms pie pulseaudio readline seccomp selinux session ssl ssp tcpd ubac udev unconfined unicode urandom xattr xtpax zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx sse sse2 mmxext" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python3_4" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby21 ruby22" USERLAND="GNU" VIDEO_CARDS="radeon" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
 Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON



So, what is the veredict, is my Selinux properly working? Thank you all for your attention!


Last edited by vcmota on Wed Jul 19, 2017 10:29 pm; edited 1 time in total
Back to top
View user's profile Send private message
vcmota
n00b
n00b


Joined: 19 Jun 2017
Posts: 47

PostPosted: Wed Dec 06, 2017 9:25 pm    Post subject: Reply with quote

After so much time this will sounds like a message from the other side but here it goes anyway. Regarding the alleged error in selinux configuration I really don't know what have caused it, but since then I have a novel gentoo install in the same machine (I screw up that first install beyond redemption, too many noob bad calls I would say) and the message simply did not showed up. The configuration was performed beautifully, without any warning or error message of any kind. So it is very likely that I did something wrong during either the installation or the configuration process, maybe in both... Regarding the emerge message It was actually a very silly error after all: that message always show up in permissive mode when a user other than the administrator (from the point of view of selinux) is trying to run emerge. All I had to do was change the role of root via "newrole -r sysadm_r", and the message just disappeared.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum