SELinux relabeling error (rlpkg -a -r) [PARTIALLY SOLVED]

Post by quad » Fri Nov 30, 2007 3:44 pm

Hi,

Seeking help about an error I have going through the SELinux installation guide.

I'm following the online guide to install SELinux, but run into an issue at section 3.e where I have the following error:

Code:

$ sudo rlpkg -r -a
Relabeling filesystem types: ext2 ext3 jfs xfs
/usr/sbin/setfiles:  labeling files under /
/usr/sbin/setfiles:  labeling files under /boot
/usr/sbin/setfiles:  labeling files under /tmp
/usr/sbin/setfiles:  labeling files under /var
/usr/sbin/setfiles:  Done.
Error writing to stat pipe, child exiting.
Scanning for shared libraries with text relocations...
Traceback (most recent call last):
  File "/usr/sbin/rlpkg", line 312, in ?
    main()
  File "/usr/sbin/rlpkg", line 301, in main
    rc += relabel_textrel_shlib(verbose)
  File "/usr/sbin/rlpkg", line 164, in relabel_textrel_shlib
    if ctx[2] in textrel_ok_relabelfrom:
IndexError: list index out of range
The only other thing I did differently than in the guide is to

Code:

touch /etc/selinux/strict/contexts/file_contexts
before merging updated packages (section 3.c). Otherwise I kept receiving an error message stating that file_contexts was not found and the merge stopped.

Context information:

Code:

$ emerge --info
Portage 2.1.3.19 (selinux/2007.0/x86/hardened, gcc-3.4.6, glibc-2.6.1-r0, 2.6.22-hardened-r8 i686)
=================================================================
System uname: 2.6.22-hardened-r8 i686 Intel(R) Celeron(R) CPU 2.53GHz
Timestamp of tree: Thu, 29 Nov 2007 21:29:01 +0000
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=i686 -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=i686 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks loadpolicy metadata-transfer sandbox selinux sesandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="        http://gentoo.mirrors.tds.net/gentoo/   http://gentoo.osuosl.org/       http://gentoo.arcticnetwork.ca/         ftp://distro.ibiblio.org/pub/linux/distributions/gentoo/ "
MAKEOPTS=""
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="berkdb bitmap-fonts cli cracklib crypt cups dri extensions firefox fortran gdbm gpm hardened iconv ipv6 isdnlog midi mudflap ncurses nls nptl nptlonly openmp pam pcre perl pic pppd python readline reflection selinux session spl ssl tcpd truetype-fonts type1-fonts unicode x86 xattr xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Post by nixnut » Fri Nov 30, 2007 6:27 pm

Moved from Installing Gentoo to Networking & Security.
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered

Post by quad » Tue Dec 04, 2007 7:32 pm

Hi, I'm still stuck with the same error. Does anyone have any idea of what causes the issue? I've just tried to rsync my tree and rebuild policycoreutils and selinux-base-policy, but it still fails on the same operation. I've noticed that this operation is actually the --textrels phase when -a is used (in this case), or if I explicitly specify --textrels instead (it scans shared libs for text relocations and relabels them).

Here is what the latest execution yielded:

Code:

$ sudo rlpkg -r -a
Relabeling filesystem types: ext2 ext3 jfs xfs
/usr/sbin/setfiles:  labeling files under /
matchpathcon_filespec_eval:  hash table stats: 499990 elements, 58513/65536 buckets used, longest chain length 32
/usr/sbin/setfiles:  labeling files under /boot
matchpathcon_filespec_eval:  hash table stats: 37 elements, 37/65536 buckets used, longest chain length 1
/usr/sbin/setfiles:  labeling files under /tmp
matchpathcon_filespec_eval:  hash table stats: 1926 elements, 1926/65536 buckets used, longest chain length 1
/usr/sbin/setfiles:  labeling files under /var
matchpathcon_filespec_eval:  hash table stats: 61904 elements, 30538/65536 buckets used, longest chain length 5
/usr/sbin/setfiles:  Done.
Error writing to stat pipe, child exiting.
Scanning for shared libraries with text relocations...
Traceback (most recent call last):
  File "/usr/sbin/rlpkg", line 312, in ?
    main()
  File "/usr/sbin/rlpkg", line 301, in main
    rc += relabel_textrel_shlib(verbose)
  File "/usr/sbin/rlpkg", line 164, in relabel_textrel_shlib
    if ctx[2] in textrel_ok_relabelfrom:
IndexError: list index out of range
The thing is that I've not built this machine originally and I've been assigned to update and secure it.

Update

I think it's a bug in rlpkg since it assumes there will be at least three elements in the ctx array:

Code:

   147  def relabel_textrel_shlib(verbose):
   148          print "Scanning for shared libraries with text relocations..."
   149
   150          childout = os.popen(string.join(SCANELF+textrel_shlib_paths))
   151
   152          notok = 0
   153          textrel_libs = 0
   154          for line in childout.readlines():
   155                  filename = line.split()[1]
   156                  textrel_libs += 1
   157
   158                  (ret,context) = selinux.getfilecon(filename)
   159                  if ret < 0:
   160                          print "Error getting context of "+filename
   161                  else:
   162                          ctx = string.split(context,":")
   163
   164                          if ctx[2] in textrel_ok_relabelfrom:
But manually running the command that the script executes does not seem to result in a 3+ element array:

Code:

$ python
Python 2.4.4 (#1, Nov 26 2007, 20:11:10)
[GCC 3.4.5 (Gentoo 3.4.5-r1, ssp-3.4.5-1.0, pie-8.7.9)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import selinux
>>> selinux.getfilecon('/usr/lib/dri/i915tex_dri.so')
[10, 'unlabeled']
>>>
In this particular case, it might well be because this file is not relabeled yet (I'm in the process of updating all packages). So what I tried next is to relabel the specific packages manually. But first I needed to figure out what they were so I followed the script logic and ran:

Code:

$ sudo scanelf -tqR -E ET_DYN /lib /usr/lib /opt
(As executed by the rlpkg script.)
I then used equery to find out which packages the files displayed by the above command belonged to, e.g.:

Code:

$ equery b /usr/lib/dri/i915tex_dri.so
Then, the actual relabel command I've tried:

Code:

$ sudo rlpkg -r mesa sun-jdk
which were the only packages to relabel -- but it failed as expected. I discovered that this command in turn executed /sbin/restorecon -f - -F. Running this command manually showed that it exited immediately without any output. Obviously this was the problem. A quick Google search later revealed that this tool silently exits when SELinux is not active.

Code:

$ sestatus
SELinux status:                 disabled
$ python
Python 2.4.4 (#1, Nov 26 2007, 20:11:10)
[GCC 3.4.5 (Gentoo 3.4.5-r1, ssp-3.4.5-1.0, pie-8.7.9)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import selinux
>>> (selinux.is_selinux_enabled(), selinux.enabled)
(0, False)
>>>
Indeed.

So the bottom line is, rlpkg fails when SELinux is not active. I think it should be fixed to check whether SELinux is active first then act accordingly. Also, I believe that mentioning this potential problem in the handbook could be something to consider.

While I still haven't totally solved the problem yet, I hope this post will save someone else a few headaches hehe.
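The post above pins the crash on two missing checks in rlpkg's relabel_textrel_shlib: it never asks whether SELinux is enabled, and it indexes ctx[2] without confirming the context has three fields (a disabled box returns the single token 'unlabeled'). The following is an added example (Python 3, not the rlpkg source) of the same scan logic written defensively; the scanelf output lines, the fake_getfilecon stand-in for selinux.getfilecon, and the TEXTREL_OK_RELABELFROM subset are constructed so the code runs offline.

```python
from typing import Callable, Dict, List, Tuple

# Constructed sample of `scanelf -tqR -E ET_DYN` output (TEXTREL flag, then path).
SCANELF_OUTPUT = """TEXTREL /usr/lib/dri/i915tex_dri.so
TEXTREL /opt/sun-jdk-1.6.0/jre/lib/i386/libjvm.so
TEXTREL /usr/lib/libfoo.so
"""

# Constructed stand-in for selinux.getfilecon(): (rc, context) as libselinux returns it.
# On the disabled box in the thread every file came back as [10, 'unlabeled'].
FAKE_CONTEXTS: Dict[str, Tuple[int, str]] = {
    "/usr/lib/dri/i915tex_dri.so": (10, "unlabeled"),
    "/opt/sun-jdk-1.6.0/jre/lib/i386/libjvm.so": (40, "system_u:object_r:lib_t"),
    "/usr/lib/libfoo.so": (-1, ""),  # lookup failed
}

# Hypothetical subset of rlpkg's textrel_ok_relabelfrom list.
TEXTREL_OK_RELABELFROM = ("lib_t",)


def fake_getfilecon(path: str) -> Tuple[int, str]:
    return FAKE_CONTEXTS.get(path, (-1, ""))


def classify_textrel_libs(scanelf_text: str,
                          getfilecon: Callable[[str], Tuple[int, str]],
                          selinux_enabled: bool) -> Dict[str, List[str]]:
    """Sort scanelf hits into relabel / skip / error without indexing past the context."""
    result: Dict[str, List[str]] = {"relabel": [], "skip": [], "error": []}
    if not selinux_enabled:
        # The check the thread says rlpkg lacks: with SELinux off, restorecon exits
        # silently and getfilecon yields 'unlabeled', so bail out with a clear message.
        result["error"].append("SELinux is not enabled; refusing to relabel")
        return result
    for line in scanelf_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        filename = fields[1]
        rc, context = getfilecon(filename)
        ctx = context.split(":")
        if rc < 0 or len(ctx) < 3:
            # rlpkg did `ctx[2]` unconditionally, which raises IndexError on 'unlabeled'.
            result["error"].append(filename)
        elif ctx[2] in TEXTREL_OK_RELABELFROM:
            result["relabel"].append(filename)
        else:
            result["skip"].append(filename)
    return result
```

On a real system you would pass selinux.getfilecon and bool(selinux.is_selinux_enabled()) in place of the stand-ins.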
Post by McEnroe » Sun Dec 16, 2007 5:36 am

Well, you did save me some headache, thank you for that.

I have exactly the same problem. You helped a lot, but there is still something I don't understand:

How to actually enable SELinux?
Post by Hu » Sun Dec 16, 2007 6:26 pm

SELinux must be compiled into your kernel. Typically, it is configured to start at boot, but you might have disabled it. What is the output of zgrep SELINUX /proc/config.gz?
Post by McEnroe » Sun Dec 16, 2007 9:04 pm

Code:

CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_SELINUX_AVC_STATS is not set
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
Post by Hu » Mon Dec 17, 2007 2:17 am

That appears correct. How do you know SELinux is not enabled? Are you performing actions that should be denied by policy, but the action succeeds? Is the /selinux mount point empty?
Post by McEnroe » Tue Dec 18, 2007 5:09 am

Code:

ls /selinux
access        class                 create            load    policyvers
avc           commit_pending_bools  disable           member  relabel
booleans      compat_net            enforce           mls     user
checkreqprot  context               initial_contexts  nul
The only thing where it seems to work is if I put the config file into enforcing mode...
Work is relative since it just outputs a kernel panic that something attempted to kill init...
Post by Hu » Wed Dec 19, 2007 4:15 am

Could you be more specific? Any event which kills init is either a bug or a serious misconfiguration. In either case, it needs to be fixed.
Post by Sparky Bluefang » Sat Apr 26, 2008 9:34 am

I encountered this same problem. "sestatus" kept telling me that it was disabled.

I noticed that the handbook (http://www.gentoo.org/proj/en/hardened/ ... #doc_chap2) stated that only the SELINUXTYPE=targeted mode is supported on desktops. After changing that value and rebooting, SELinux started properly and allowed me to run rlpkg without problem.

Though I switched back to a non-SELinux install because I was running into problems with avc: denied errors when running commands like mount and modprobe during boot.
Post by Hu » Sat Apr 26, 2008 3:34 pm

Sparky Bluefang wrote: Though I switched back to a non-SELinux install because I was running into problems with avc: denied errors when running commands like mount and modprobe during boot.
That typically indicates that there is a labeling error, or that some portion of the policy is missing. To fix this, boot with SELinux enabled, but permissive. That will still cause avc messages, but in permissive mode, the actions are not actually denied. That will give you an unconfined environment from which you can examine the labels for correctness, check that all relevant policy is loaded, and perform any necessary relabeling. If you still have problems, post the exact text of the avc message and the output of equery list sec-policy/.