gentoo-hardened November 2010 archive

[gentoo-hardened] SELinux (targeted policy) and invalid context

From: luc nac <lucnac_at_nospam>
Date: Mon Nov 15 2010 - 00:44:40 GMT
To: gentoo-hardened@lists.gentoo.org

Thanks to all of you who have been interested in my previous message.
I'm encountering many more problems than expected and I can't find a
forum where I can discuss SELinux in Gentoo. I didn't find much
help in this one http://forums.gentoo.org/viewforum-f-18.html. If
this is not the right place to ask for help, please tell me!

Now I'm trying to install the targeted policy, but I can't succeed.
When trying to relabel the filesystem I get an error:
localhost ~ # rlpkg -a -r
Relabeling filesystem types: ext2 ext3 jfs xfs
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 21
has invalid context user_u:object_r:user_tmp_t
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 32
has invalid context root:object_r:user_tmp_t
Scanning for shared libraries with text relocations...
0 libraries with text relocations, 0 not relabeled.
Scanning for PIE binaries with text relocations...
0 binaries with text relocations detected.

The same error appears when trying to emerge any package.

Commenting out this line:
/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
in /etc/selinux/targeted/contexts/files/homedir_template
and then running the genhomedircon command, subsequent rlpkg (and
emerge) runs succeed until the next reboot.
I think that this is a bad solution!

In the SELinux FAQ http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=3
(section 3.f. Setfiles error messages) it is written that "If /selinux
is mounted, then most likely there is new policy that has not yet been
loaded; therefore, the contexts have not yet become valid."

I emerged a lot of modules, many more than needed considering that
this is a Gentoo stage 3 system.

localhost ~ # equery list selinux-
[ Searching for package 'selinux-' in all categories among: ]
 * installed packages
[I--] [ ] sec-policy/selinux-apache-20070928 (0)
[I--] [ ] sec-policy/selinux-arpwatch-20070928 (0)
[I--] [ ] sec-policy/selinux-base-policy-20070928 (0)
[I--] [ ] sec-policy/selinux-bind-20070928 (0)
[I--] [ ] sec-policy/selinux-dbus-20070928 (0)
[I--] [ ] sec-policy/selinux-desktop-20070928 (0)
[I--] [ ] sec-policy/selinux-dhcp-20070928 (0)
[I--] [ ] sec-policy/selinux-dnsmasq-20070928 (0)
[I--] [ ] sec-policy/selinux-games-20070928 (0)
[I--] [ ] sec-policy/selinux-gnupg-20070928 (0)
[I--] [ ] sec-policy/selinux-gpm-20070928 (0)
[I--] [ ] sec-policy/selinux-logrotate-20070928 (0)
[I--] [ ] sec-policy/selinux-nfs-20070928 (0)
[I--] [ ] sec-policy/selinux-openldap-20070928 (0)
[I--] [ ] sec-policy/selinux-portmap-20070928 (0)
[I--] [ ] sec-policy/selinux-samba-20070928 (0)
[I--] [ ] sec-policy/selinux-sudo-20070928 (0)
[I--] [ ] sec-policy/selinux-tcpd-20070928 (0)
[I--] [ ] sec-policy/selinux-tftpd-20070928 (0)

localhost ~ # semodule -l
apache 1.8.0
arpwatch 1.4.0
bind 1.5.0
dbus 1.7.0
dhcp 1.4.0
dnsmasq 1.4.0
games 1.4.0
gpg 1.4.0
gpm 1.3.0
java 1.6.0
ldap 1.5.0
logrotate 1.6.0
mono 1.3.0
mozilla 1.4.0
mplayer 1.3.0
portmap 1.5.0
rpc 1.6.0
samba 1.6.0
sudo 1.2.0
tftp 1.5.0
wine 1.4.0
xfs 1.2.0
xserver 1.6.0

localhost ~ # cat /etc/selinux/targeted/contexts/files/homedir_template
HOME_DIR/.+ system_u:object_r:ROLE_home_t
HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t
HOME_ROOT/lost\+found/.* <<none>>
HOME_DIR -d system_u:object_r:ROLE_home_dir_t
HOME_ROOT -d system_u:object_r:home_root_t
/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t
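The two rejected entries in the post are what genhomedircon generates from the ROLE_tmp_t template line once ROLE and the template's system_u are substituted, and rlpkg rejects them because the loaded policy does not accept the resulting type. The script below is an added example, not code from the post or from Gentoo's tools: it approximates that substitution on a constructed template (assumed behaviour, not genhomedircon's exact algorithm), checks each generated context's type against a constructed type set standing in for the loaded policy (on a real system, the type list from `seinfo -t`), and traces every "invalid context" back to the template line that produced it, so the offending entry can be identified before relabelling.

```python
# Constructed sample in the format of the homedir_template quoted in the post.
HOMEDIR_TEMPLATE = """\
HOME_DIR/.+ system_u:object_r:ROLE_home_t
HOME_ROOT/lost\\+found/.* <<none>>
HOME_DIR -d system_u:object_r:ROLE_home_dir_t
HOME_ROOT -d system_u:object_r:home_root_t
/tmp/gconfd-USER -d system_u:object_r:ROLE_tmp_t
"""
# Constructed (login, SELinux user, role prefix, home pattern) rows standing in
# for the user mapping genhomedircon reads; chosen to mirror the post's two errors.
USERS = [("joe", "user_u", "user", "/home/[^/]*"), ("root", "root", "user", "/root")]
# Constructed stand-in for the loaded policy's types (real source: `seinfo -t`);
# it deliberately lacks user_tmp_t, reproducing the situation in the post.
LOADED_TYPES = {"user_home_t", "user_home_dir_t", "home_root_t", "lost_found_t"}
PER_USER_TOKENS = ("HOME_DIR", "ROLE", "USER")

def expand_template(template, users, home_root="/home"):
    """Approximate genhomedircon (an assumption, not its exact algorithm): lines with
    no per-user token are emitted once, the rest once per user with tokens substituted."""
    rows = list(enumerate(template.splitlines(), 1))
    out = [(n, raw.replace("HOME_ROOT", home_root)) for n, raw in rows
           if not any(tok in raw for tok in PER_USER_TOKENS)]
    for login, seuser, prefix, home in users:
        for n, raw in rows:
            if any(tok in raw for tok in PER_USER_TOKENS):
                out.append((n, raw.replace("HOME_DIR", home).replace("HOME_ROOT", home_root)
                            .replace("ROLE", prefix).replace("USER", login)
                            .replace("system_u", seuser)))
    return out

def invalid_contexts(expanded, loaded_types):
    """(tpl_no, gen_no, context) for each generated entry whose type is not in
    the loaded policy: the entries setfiles/rlpkg reject as 'invalid context'."""
    bad = []
    for gen_no, (tpl_no, line) in enumerate(expanded, 1):
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[-1] == "<<none>>":
            continue
        parts = fields[-1].split(":")          # user:role:type[:level]
        if len(parts) < 3 or parts[2] not in loaded_types:
            bad.append((tpl_no, gen_no, fields[-1]))
    return bad

def report(template=HOMEDIR_TEMPLATE, users=USERS, loaded_types=LOADED_TYPES):
    bad = invalid_contexts(expand_template(template, users), loaded_types)
    for tpl_no, gen_no, ctx in bad:
        print(f"file_contexts.homedirs: line {gen_no} has invalid context {ctx}"
              f" (from homedir_template line {tpl_no})")
    return bad
```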