Gentoo Forums

Several problems installing Selinux Hardened Gentoo
wichtounet
Tux's lil' helper
Joined: 17 Mar 2012
Posts: 116

PostPosted: Fri Jul 05, 2013 7:19 am    Post subject: Several problems installing Selinux Hardened Gentoo

Hi,

I'm trying to install a Gentoo server with SELinux for the first time and I'm running into several problems :(

I followed the selinux handbook and I'm to the point where I have to do that:

Quote:
setsebool -P global_ssp on


Unfortunately, this didn't work:

Quote:
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/strict/modules/tmp/base.pp. (No such file or directory).
Could not change policy booleans


I've found on other posts that I should reinstall selinux-base-policy, but I can't:

Quote:
wichtounet@piccolo ~ $ sudo emerge selinux-base-policy
Calculating dependencies... done!

>>> Verifying ebuild manifests
>>> Running pre-merge checks for sec-policy/selinux-base-policy-2.20130424-r1

>>> Emerging (1 of 1) sec-policy/selinux-base-policy-2.20130424-r1
* refpolicy-2.20130424.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]
* patchbundle-selinux-base-policy-2.20130424-r1.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]
[Errno 22] Invalid argument:
/usr/bin/sandbox "/usr/lib64/portage/bin/ebuild.sh" unpack
Traceback (most recent call last):
File "/usr/lib64/portage/pym/portage/process.py", line 276, in spawn
env, gid, groups, uid, umask, pre_exec, close_fds)
File "/usr/lib64/portage/pym/portage/process.py", line 423, in _exec
pre_exec()
File "/usr/lib64/portage/pym/portage/_selinux.py", line 119, in _pre_exec
setexec(self._con)
File "/usr/lib64/portage/pym/portage/_selinux.py", line 80, in setexec
if selinux.setexeccon(ctx) < 0:
OSError: [Errno 22] Invalid argument
* The ebuild phase 'unpack' has exited unexpectedly. This type of behavior
* is known to be triggered by things such as failed variable assignments
* (bug #190128) or bad substitution errors (bug #200313). Normally, before
* exiting, bash should have displayed an error message above. If bash did
* not produce an error message above, it's possible that the ebuild has
* called `exit` when it should have called `die` instead. This behavior
* may also be triggered by a corrupt bash binary or a hardware problem
* such as memory or cpu malfunction. If the problem is not reproducible or
* it appears to occur randomly, then it is likely to be triggered by a
* hardware problem. If you suspect a hardware problem then you should try
* some basic hardware diagnostics such as memtest. Please do not report
* this as a bug unless it is consistently reproducible and you are sure
* that your bash binary and hardware are functioning properly.

>>> Failed to emerge sec-policy/selinux-base-policy-2.20130424-r1, Log file:

>>> '/var/tmp/portage/sec-policy/selinux-base-policy-2.20130424-r1/temp/build.log'


Again, I found that I should use newrole to gain administrative privileges, but the command does not work:

Quote:
newrole -r sysadm_r
system_u:sysadm_r:sysadm_t is not a valid context


And finally, I've also seen that when I log in through SSH, I get the following message:

Quote:
Unable to get valid context for wichtounet


I thought I had followed the handbook closely, but it seems that all I did was break everything...

What can I do to fix these problems?

Thanks a lot for any help, I'm really lost here.
wichtounet
Tux's lil' helper
Joined: 17 Mar 2012
Posts: 116

PostPosted: Fri Jul 05, 2013 9:12 am

I finally got emerge to work by rebooting with SELinux disabled (in /etc/selinux/config).

Unfortunately, I'm still not able to install selinux-base-policy:

Quote:
>>> Installing (1 of 1) sec-policy/selinux-base-policy-2.20130424-r1
* Inserting the following modules, with base, into the strict module store: application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil ssh staff storage su sysadm sysnetwork udev userdomain usermanage unprivuser xdg
libsemanage.semanage_install_active: Could not copy /etc/selinux/strict/modules/active/policy.kern to /etc/selinux/strict/policy/policy.28. (No such file or directory).
libsemanage.semanage_install_active: Could not copy /etc/selinux/strict/modules/active/policy.kern to /etc/selinux/strict/policy/policy.28. (No such file or directory).
semodule: Failed!
* ERROR: sec-policy/selinux-base-policy-2.20130424-r1 failed (postinst phase):
* Failed to load in base and modules application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil ssh staff storage su sysadm sysnetwork udev userdomain usermanage unprivuser xdg in the strict policy store


I have almost nothing in /etc/selinux/strict/; is that normal?

How can I get this policy.kern file?
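Both failures in the posts above (setsebool -P not finding base.pp in the module store, and semodule not finding policy.kern / policy.28) say the same thing: the strict policy store under /etc/selinux/strict/ was never populated, so nothing can be linked, built or loaded from it. The following POSIX sh script is an added example, not something posted in this thread or shipped by Gentoo; it reads SELINUXTYPE from /etc/selinux/config under a given root directory and reports which of the files a working store needs are missing. The layout it checks (modules/active/base.pp, policy/policy.NN, seusers, contexts/default_contexts, contexts/files/file_contexts) is the libsemanage layout the error messages in the thread refer to; the function names and the CHECK_ROOT variable are my own.

```shell
#!/bin/sh
# Added example: sanity-check an SELinux policy store layout before running
# setsebool -P / semodule.  ROOT defaults to "" (the live system under /);
# pass another directory to inspect a copied or constructed tree.

selinux_policy_type() {
    # Print the SELINUXTYPE= value from $1/etc/selinux/config; fail if absent.
    cfg="$1/etc/selinux/config"
    [ -r "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    ptype=$(sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$cfg" | tail -n 1)
    [ -n "$ptype" ] || { echo "no SELINUXTYPE= in $cfg" >&2; return 1; }
    printf '%s\n' "$ptype"
}

check_selinux_store() {
    root="${1:-}"
    ptype=$(selinux_policy_type "$root") || return 1
    store="$root/etc/selinux/$ptype"
    rc=0

    # The compiled base module.  libsemanage copies modules/active into a
    # modules/tmp sandbox and links there; with no base.pp in active, the
    # sandbox has none either, which is the first error in the thread.
    if [ ! -f "$store/modules/active/base.pp" ]; then
        echo "FAIL: $store/modules/active/base.pp missing (module store never populated)"
        rc=1
    fi

    # The kernel binary policy written by the last successful semodule run.
    if ! ls "$store"/policy/policy.[0-9]* >/dev/null 2>&1; then
        echo "FAIL: no $store/policy/policy.NN (no kernel policy has been built)"
        rc=1
    fi

    # Files consulted at login.  Missing ones are reported but not fatal here,
    # since semodule regenerates some of them once the store is rebuilt.
    for f in seusers contexts/default_contexts contexts/files/file_contexts; do
        [ -f "$store/$f" ] || echo "WARN: $store/$f missing"
    done

    [ "$rc" -eq 0 ] && echo "OK: $ptype store at $store looks complete"
    return "$rc"
}

# Run with CHECK_ROOT=/ (or a copied tree) set; unset, only the functions are defined.
[ -z "${CHECK_ROOT+x}" ] || check_selinux_store "$CHECK_ROOT"
```

On a machine in the state described above the script prints both FAIL lines and exits non-zero; rebuilding the store by emerging selinux-base-policy (with the store path writable, which in the thread meant SELinux temporarily disabled) is what turns it green, after which setsebool -P and newrole have something to work with.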
wichtounet
Tux's lil' helper
Joined: 17 Mar 2012
Posts: 116

PostPosted: Fri Jul 05, 2013 10:12 am

Never mind this post, I chose another way.
Thistled
Guru
Joined: 06 Jan 2011
Posts: 548
Location: Scotland

PostPosted: Tue Jul 09, 2013 12:41 pm

I am having a similar problem.

I can't switch to the targeted policy.
When I try to, I get....
Code:
semodule -b base.pp -i $(ls *.pp | grep -v base | grep -v unconfined)
libsepol.print_missing_requirements: apache's global requirements were not met: type/attribute gds_db_port_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

I tried to change to the targeted policy from...
Code:
/usr/share/selinux/targeted/

Any idea why "Link packages failed"?
_________________
Whatever you do, do it properly!
Thistled
Guru
Joined: 06 Jan 2011
Posts: 548
Location: Scotland

PostPosted: Wed Jul 10, 2013 4:13 pm

Ok, so I finally got the targeted base policy to install by removing the offending policies.
Code:
semodule -b base.pp -i $(ls *.pp | grep -v base | grep -v unconfined)
libsepol.print_missing_requirements: apache's global requirements were not met: type/attribute gds_db_port_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

I was unable to unload the modules using the
Code:
semodule -r foo

command, and had to
Code:
emerge --unmerge sec-policy/selinux-foo

The following sec-policy packages were unmerged:
Code:
apache
ftp
rpc

After which I was able to finally install the base policy for targeted.
Now, as a result of removing the rpc policy, I am expecting some problems with nfs, as the rpc policy provides something to do with nfs_port_t or _d, I think.

Anyhow, now the targeted policy is loaded, and I am now stuck with a login which is asking for a security context.
Will hopefully find out the cause of this later.
Oh, incidentally, I am also asked to enter a security context when I log in as root.
When I use
Code:
newrole -r sysadm_r

I am told system_u:sysadm_r:sysadm_t is not a valid context.

Any solutions welcome.
Thistled
Guru
Joined: 06 Jan 2011
Posts: 548
Location: Scotland

PostPosted: Wed Jul 10, 2013 7:44 pm

Oh yeah, and it also renders portage useless.
All packages always fail with
Code:
The ebuild phase 'unpack' has exited unexpectedly. Blah Blah. etc etc

But I am sure portage will work again once I have got on top of this mess.