Gentoo Forums
[Solved]SELinux Unable to open policy.29
Garumental
n00b

Joined: 06 Feb 2014
Posts: 4
Location: Western Sweden

Posted: Thu Feb 06, 2014 7:55 am    Post subject: [Solved]SELinux Unable to open policy.29

I am experimenting with SELinux on a hardened Linux installation and I have a few problems but the most recent is this one:

Code:
semanage login -l
ERROR: policydb version 29 does not match my version range 15-28
ERROR: Unable to open policy //etc/selinux/strict/policy/policy.29.
Traceback (most recent call last):
  File "/usr/lib/python-exec/python2.7/semanage", line 27, in <module>
    import seobject
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 27, in <module>
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 732, in <module>
    raise e
ValueError: Failed to read //etc/selinux/strict/policy/policy.29 policy file

This started after I did an update of the system with emerge -auvND world.

Code:
sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             strict
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      28

Linux CrapTop 3.11.7-hardened

Code:
seinfo

Statistics for policy file: /etc/selinux/strict/policy/policy.28
Policy Version & Type: v.28 (binary, non-mls)

   Classes:            81    Permissions:       240
   Sensitivities:       0    Categories:          0
   Types:            1437    Attributes:        199
   Users:               6    Roles:               6
   Booleans:           66    Cond. Expr.:        60
   Allow:           18215    Neverallow:          0
   Auditallow:          1    Dontaudit:        3161
   Type_trans:       1013    Type_change:         9
   Type_member:         6    Role allow:          7
   Role_trans:          1    Range_trans:         0
   Constraints:        90    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             23
   Genfscon:           84    Portcon:           449
   Netifcon:            0    Nodecon:             0
   Permissives:         1    Polcap:              2

I see that my hardened kernel 3.11.7 only supports up to policy 28 but my system still pulled in 29.
I am very new to SELinux and still haven't been able to configure it so I can't set it in enforcing mode without losing functionality but that's a later problem. First I need help and hints on how to solve this. Should I mask some package or have I missed some configuration?

I didn't know what information to supply to make debugging easier, but I pasted some SELinux-related outputs.


Last edited by Garumental on Thu Feb 06, 2014 8:37 pm; edited 1 time in total
landdie
n00b

Joined: 10 Sep 2013
Posts: 26
Location: Southern Sweden

Posted: Thu Feb 06, 2014 10:50 am    Post subject:

Hmmmmmmmm. Same problem here. Might well have started after my world update some days back but only just noticed whilst trying to sort some unusual denials which started popping up in my logs!
Code:
ERROR: policydb version 29 does not match my version range 15-28
ERROR: Unable to open policy //etc/selinux/strict/policy/policy.29.
Traceback (most recent call last):
  File "/usr/lib/python-exec/python2.7/semanage", line 27, in <module>
    import seobject
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 27, in <module>
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 732, in <module>
    raise e
ValueError: Failed to read //etc/selinux/strict/policy/policy.29 policy file

Don't know if it's related but can't log in as root either. Which I also only just noticed!
landdie
n00b

Joined: 10 Sep 2013
Posts: 26
Location: Southern Sweden

Posted: Thu Feb 06, 2014 3:38 pm    Post subject: One work around!

Well as I'm no selinux aficionado I would not like to say if this is a workaround or a trasher but it fixed the problem for me.

I changed the name of /etc/selinux/strict/policy/policy.29 to apolicy.29-bak; the 'a' at the beginning of the name was necessary to stop the file getting parsed!

Then I renamed /etc/selinux/strict/modules/active/policy.kern to apolicy.kern-bak; note this is a symlink to /etc/selinux/strict/policy/policy.29

I then made a new symlink called policy.kern to /etc/selinux/strict/policy/policy.28

Then
Code:
/etc/init.d/selinux_gentoo restart


So far all seems to work fine but I am absolutely certain this is not the right solution. :)

I'm wondering if this is a python 2.7 thing; maybe it's time to start using python 3.3? My last info was that SELinux management utilities only work with python 2.7, but maybe that's changed! Had problems with python once before, see
Code:
  eselect news read 9
I happened to do a world update at the exact wrong moment; it took hours to sort, so I'm not about to try 3.3 for fun! :)

Hopefully someone who knows what they are on about will point us in the right direction!
Garumental
n00b

Joined: 06 Feb 2014
Posts: 4
Location: Western Sweden

Posted: Thu Feb 06, 2014 8:33 pm    Post subject: Re: One work around!

This works for me too. I did the same thing with the symlinks to point to 28 a few days ago but didn't think of renaming the policy29, so I didn't get it working, but now it works thanks to the renaming. Like you said, it is very weird that users have to dig down in this. Sure, it's Gentoo, so stuff like this isn't super new to us, but this error doesn't seem to have any logic to it. How come it pulls in a new policy when my kernel doesn't support it and I'm not getting a new kernel on system updates? It seems it's a bit out of sync.

I would use python 3* any day if I wasn't using a few tor apps that are as up to date as my grandmother :P

landdie wrote:
Well as I'm no selinux aficionado I would not like to say if this is a workaround or a trasher but it fixed the problem for me.

I changed the name of /etc/selinux/strict/policy/policy.29 to apolicy.29-bak; the 'a' at the beginning of the name was necessary to stop the file getting parsed!

Then I renamed /etc/selinux/strict/modules/active/policy.kern to apolicy.kern-bak; note this is a symlink to /etc/selinux/strict/policy/policy.29

I then made a new symlink called policy.kern to /etc/selinux/strict/policy/policy.28

Then
Code:
/etc/init.d/selinux_gentoo restart


So far all seems to work fine but I am absolutely certain this is not the right solution. :)

I'm wondering if this is a python 2.7 thing; maybe it's time to start using python 3.3? My last info was that SELinux management utilities only work with python 2.7, but maybe that's changed! Had problems with python once before, see
Code:
  eselect news read 9
I happened to do a world update at the exact wrong moment; it took hours to sort, so I'm not about to try 3.3 for fun! :)

Hopefully someone who knows what they are on about will point us in the right direction!
N8Fear
Tux's lil' helper

Joined: 15 Apr 2013
Posts: 140
Location: Berlin (Germany)

Posted: Thu Feb 06, 2014 10:31 pm    Post subject:

Check CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE in your kernel config and adjust it if needed. I think that should really fix it...
landdie
n00b

Joined: 10 Sep 2013
Posts: 26
Location: Southern Sweden

Posted: Sat Feb 08, 2014 6:36 pm    Post subject:

N8Fear wrote:
Check CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE in your kernel config and adjust it if needed. I think that should really fix it...

Already been there. Only an option to set up to policy.23. I've been running policy.28 with no maximum policy set with no problems until now! :)
landdie
n00b

Joined: 10 Sep 2013
Posts: 26
Location: Southern Sweden

Posted: Sat Feb 08, 2014 7:34 pm    Post subject:

Well, the way to sort this was in the end long-winded but effective!

First I did
Code:
emerge --sync

Next I added python3.3 to make.conf. Not sure if this was needed, probably not!
Code:
PYTHON_TARGETS="python2_7 python3_2 python3_3"

Then I did
Code:
emerge --newuse sys-libs/libsemanage

Next I ran
Code:
python-updater

Then I did
Code:
emerge -1 checkpolicy policycoreutils

Next
Code:
emerge -uDN world

Then I did
Code:
emerge --depclean

Next I ran
Code:
revdep-rebuild

Then I did
Code:
emerge --newuse selinux-base selinux-base-policy
which I had tried before without success in solving the problem.

Next I did
Code:
emerge --newuse setools sepolgen checkpolicy

Finally I did
Code:
rlpkg -a -r

Now everything works fine. The symlink to policy.29 is still in /etc/selinux/strict/modules/active/
but
Code:
 cat /selinux/policyvers; echo
gives me 28

So I have no idea why policy.29 gets pulled in. It's still there with a nice new fresh today's date, but it's not getting used and my funky workaround is no longer necessary, which feels like a good thing! :)
aunxx
n00b

Joined: 03 Jan 2012
Posts: 6

Posted: Thu Feb 20, 2014 2:44 pm    Post subject:

Hi.

Thank you for this. The working step for me was this one.

Code:
 emerge -av setools sepolgen checkpolicy


And tried on the next machine gave me

Code:
 emerge -av setools


as all that was required to fix this error.

:)
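Added example, not part of any post in this thread: the "policydb version 29 does not match my version range 15-28" error is a reader comparing the version stored in the policy file's header with the range it accepts, so the Python below reads that field from every `policy.N` file in a directory and checks it against a given range. The header layout (magic `0xf97cff8c`, the string `SE Linux`, then the version) is assumed from the binary policy format rather than taken from the thread, and the function names and header-only sample files are constructed for illustration.

```python
import os
import re
import struct
import tempfile

# Header layout assumed from the binary kernel policy format (not from the thread):
# u32 magic, u32 string length, 8-byte identifier, u32 policydb version (little-endian).
POLICYDB_MAGIC = 0xF97CFF8C
POLICYDB_STRING = b"SE Linux"
HEADER = struct.Struct("<II8sI")

def policy_file_version(path):
    """Return the policydb version recorded in a binary kernel policy header."""
    with open(path, "rb") as fh:
        head = fh.read(HEADER.size)
    if len(head) != HEADER.size:
        raise ValueError("%s: truncated header" % path)
    magic, strlen, ident, version = HEADER.unpack(head)
    if (magic, strlen, ident) != (POLICYDB_MAGIC, 8, POLICYDB_STRING):
        raise ValueError("%s: not a binary kernel policy" % path)
    return version

def audit_policy_dir(policy_dir, vmin, vmax):
    """Compare every policy.N in policy_dir with a reader's range vmin..vmax."""
    report = []
    for name in sorted(os.listdir(policy_dir)):
        m = re.fullmatch(r"policy\.(\d+)", name)
        if not m:
            continue  # a renamed backup such as apolicy.29-bak is ignored
        version = policy_file_version(os.path.join(policy_dir, name))
        if version != int(m.group(1)):
            status = "suffix/header mismatch"
        elif vmin <= version <= vmax:
            status = "readable"
        else:
            status = "outside range %d-%d" % (vmin, vmax)
        report.append((name, version, status))
    return report

def build_sample_dir():
    """Constructed sample: header-only stand-ins for the files named in the thread."""
    d = tempfile.mkdtemp()
    for name, ver in (("policy.28", 28), ("policy.29", 29), ("apolicy.29-bak", 29)):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(HEADER.pack(POLICYDB_MAGIC, 8, POLICYDB_STRING, ver))
    return d

if __name__ == "__main__":
    for row in audit_policy_dir(build_sample_dir(), 15, 28):
        print(row)
```

On a real system, point `audit_policy_dir` at the policy directory (here `/etc/selinux/strict/policy`) and pass the range printed in the tool's own error message.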
All times are GMT