Setting filesystem labels for SELinux fails
Hello,

After compiling the policy modules and re-compiling my core packages (Gentoo 32bit) I wanted to relabel the filesystem (via rlpkg -a -r) but I get these error messages:

> Relabeling filesystem types: btrfs ext2 ext3 ext4 jfs xfs
> /usr/sbin/setfiles set context /->system_u:object_r:root_t failed:'Operation not supported'
> /usr/sbin/setfiles set context /boot->system_u:object_r:boot_t failed:'Operation not supported'
> /usr/sbin/setfiles set context /home->system_u:object_r:home_root_t failed:'Operation not supported'
> /usr/sbin/setfiles set context /srv->system_u:object_r:var_t failed:'Operation not supported'
> /usr/sbin/setfiles set context /tmp->system_u:object_r:tmp_t failed:'Operation not supported'
> /usr/sbin/setfiles set context /usr->system_u:object_r:usr_t failed:'Operation not supported'
> /usr/sbin/setfiles set context /var->system_u:object_r:var_t failed:'Operation not supported'
> Scanning for shared libraries with text relocations...
> 0 libraries with text relocations, 0 not relabeled.
> Scanning for PIE binaries with text relocations...
> 0 binaries with text relocations detected.

Partitions are /boot, /home, /srv, /tmp, /usr and /var - stored on /dev/md1-7, which are formatted using ext4.

How can I fix this?

Regards
Setting filesystem labels for SELinux fails
On Sat, Mar 17, 2012 at 10:28:59PM +0100, Tom Petri wrote:
> After compiling the policy modules and re-compiling my core packages
> (Gentoo 32bit) I wanted to relabel the filesystem (via rlpkg -a -r)
> but I get these error messages:
>
> > Relabeling filesystem types: btrfs ext2 ext3 ext4 jfs xfs
> > /usr/sbin/setfiles set context /->system_u:object_r:root_t failed:'Operation not supported'
> > /usr/sbin/setfiles set context /boot->system_u:object_r:boot_t failed:'Operation not supported'
> > /usr/sbin/setfiles set context /home->system_u:object_r:home_root_t failed:'Operation not supported'
> > /usr/sbin/setfiles set context /srv->system_u:object_r:var_t failed:'Operation not supported'
> > /usr/sbin/setfiles set context /tmp->system_u:object_r:tmp_t failed:'Operation not supported'
> > /usr/sbin/setfiles set context /usr->system_u:object_r:usr_t failed:'Operation not supported'
> > /usr/sbin/setfiles set context /var->system_u:object_r:var_t failed:'Operation not supported'
> > Scanning for shared libraries with text relocations...
> > 0 libraries with text relocations, 0 not relabeled.
> > Scanning for PIE binaries with text relocations...
> > 0 binaries with text relocations detected.
>
> partitions are /boot, /home, /srv, /tmp, /usr and /var - stored on
> /dev/md1-7, which are formatted using ext4.

Do you have built-in support for extended attributes in the kernel (for these file systems)?

Wkr,
  Sven Vermeulen
Setting filesystem labels for SELinux fails
Yes, extended attributes along with security labels are activated.

# attr -s test -V test /var && attr -r test /var
Attribute "test" set to a 4 byte value for /var: test

I should probably tell how I proceeded during the installation:
1. created the filesystems (as usual)
2. got a hardened stage3 tarball and portage
3. portage sync, re-emerge portage, created a hardened-sources kernel, booted up.
4. emerge policies (checkpolicy, policycoreutils, selinux-base-policy [-selinux])
5. emerge -uDN world
6. reboot and tried rlpkg -a -r

Cheers

On Sun, Mar 18, 2012 at 9:55 AM, Sven Vermeulen <swift@gentoo.org> wrote:
> On Sat, Mar 17, 2012 at 10:28:59PM +0100, Tom Petri wrote:
>> After compiling the policy modules and re-compiling my core packages
>> (Gentoo 32bit) I wanted to relabel the filesystem (via rlpkg -a -r)
>> but I get these error messages:
>>
>> > Relabeling filesystem types: btrfs ext2 ext3 ext4 jfs xfs
>> > /usr/sbin/setfiles set context /->system_u:object_r:root_t failed:'Operation not supported'
>> > /usr/sbin/setfiles set context /boot->system_u:object_r:boot_t failed:'Operation not supported'
>> > /usr/sbin/setfiles set context /home->system_u:object_r:home_root_t failed:'Operation not supported'
>> > /usr/sbin/setfiles set context /srv->system_u:object_r:var_t failed:'Operation not supported'
>> > /usr/sbin/setfiles set context /tmp->system_u:object_r:tmp_t failed:'Operation not supported'
>> > /usr/sbin/setfiles set context /usr->system_u:object_r:usr_t failed:'Operation not supported'
>> > /usr/sbin/setfiles set context /var->system_u:object_r:var_t failed:'Operation not supported'
>> > Scanning for shared libraries with text relocations...
>> > 0 libraries with text relocations, 0 not relabeled.
>> > Scanning for PIE binaries with text relocations...
>> > 0 binaries with text relocations detected.
>>
>> partitions are /boot, /home, /srv, /tmp, /usr and /var - stored on
>> /dev/md1-7, which are formatted using ext4.
>
> Do you have built-in support for extended attributes in the kernel (for
> these file systems)?
>
> Wkr,
>   Sven Vermeulen
Setting filesystem labels for SELinux fails
On Sun, Mar 18, 2012 at 10:36:53AM +0100, Tom Petri wrote:
> Yes, extended attributes along with security labels are activated.
>
> # attr -s test -V test /var && attr -r test /var
> Attribute "test" set to a 4 byte value for /var: test
>
> I should probably tell how I proceeded during the installation:
> 1. created the filesystems (as usual)
> 2. got a hardened stage3 tarball and portage
> 3. portage sync, re-emerge portage, created a hardened-sources kernel,
> booted up.
> 4. emerge policies (checkpolicy, policycoreutils, selinux-base-policy [-selinux])
> 5. emerge -uDN world
> 6. reboot and tried rlpkg -a -r

Did the setfiles commands (mentioned in the installation instructions before the "rlpkg -a -r") succeed, or did they give the same error?

Wkr,
  Sven Vermeulen
Setting filesystem labels for SELinux fails
On Sun, Mar 18, 2012 at 11:36 AM, Sven Vermeulen <swift@gentoo.org> wrote:
> On Sun, Mar 18, 2012 at 10:36:53AM +0100, Tom Petri wrote:
>> Yes, extended attributes along with security labels are activated.
>>
>> # attr -s test -V test /var && attr -r test /var
>> Attribute "test" set to a 4 byte value for /var: test
>>
>> I should probably tell how I proceeded during the installation:
>> 1. created the filesystems (as usual)
>> 2. got a hardened stage3 tarball and portage
>> 3. portage sync, re-emerge portage, created a hardened-sources kernel,
>> booted up.
>> 4. emerge policies (checkpolicy, policycoreutils, selinux-base-policy [-selinux])
>> 5. emerge -uDN world
>> 6. reboot and tried rlpkg -a -r
>
> Did the setfiles commands (mentioned in the installation instructions before
> the "rlpkg -a -r") succeed, or did they give the same error?
>
> Wkr,
>   Sven Vermeulen

Yes, I got the same errors then:

# setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev
setfiles set context /mnt/gentoo/dev->system_u:object_r:device_t failed:'Operation not supported'
# setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib
setfiles set context /mnt/gentoo/lib->system_u:object_r:lib_t failed:'Operation not supported'
Setting filesystem labels for SELinux fails
On Sun, Mar 18, 2012 at 12:27 PM, Tom Petri <tom.petri@googlemail.com> wrote:
> On Sun, Mar 18, 2012 at 11:36 AM, Sven Vermeulen <swift@gentoo.org> wrote:
>> On Sun, Mar 18, 2012 at 10:36:53AM +0100, Tom Petri wrote:
>>> Yes, extended attributes along with security labels are activated.
>>>
>>> # attr -s test -V test /var && attr -r test /var
>>> Attribute "test" set to a 4 byte value for /var: test
>>>
>>> I should probably tell how I proceeded during the installation:
>>> 1. created the filesystems (as usual)
>>> 2. got a hardened stage3 tarball and portage
>>> 3. portage sync, re-emerge portage, created a hardened-sources kernel,
>>> booted up.
>>> 4. emerge policies (checkpolicy, policycoreutils, selinux-base-policy [-selinux])
>>> 5. emerge -uDN world
>>> 6. reboot and tried rlpkg -a -r
>>
>> Did the setfiles commands (mentioned in the installation instructions before
>> the "rlpkg -a -r") succeed, or did they give the same error?
>>
>> Wkr,
>>   Sven Vermeulen
>>
> Yes, I got the same errors then:
> # setfiles -r /mnt/gentoo
> /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev
> setfiles set context /mnt/gentoo/dev->system_u:object_r:device_t
> failed:'Operation not supported'
> # setfiles -r /mnt/gentoo
> /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib
> setfiles set context /mnt/gentoo/lib->system_u:object_r:lib_t
> failed:'Operation not supported'

I just did a fresh gentoo install (configuration) and proceeded with the instructions from the gentoo hardened documentation.
After compiling re-emerging world the system doesn't get up. I'm able to ping it but udev seems to have problems as /dev/console and the tty's aren't found:

/etc/init.d/sshd[1205]: ERROR: sshd failed to start
/etc/init.d/urandom[1219]: ERROR: urandom failed to start
init: open(/dev/console): No such file or directory
agetty[1233]: /dev/tty2: not a character device
agetty[1232]: /dev/tty1: not a character device

My mdadm RAID is recognized properly, in case it matters.

I did everything the instructions say, however I'm always getting new errors. Is there a viable solution to this? Thanks in advance!
Setting filesystem labels for SELinux fails
On Tue, Mar 20, 2012 at 8:32 PM, Tom Petri <tom.petri@googlemail.com> wrote:
> On Sun, Mar 18, 2012 at 12:27 PM, Tom Petri <tom.petri@googlemail.com> wrote:
>> On Sun, Mar 18, 2012 at 11:36 AM, Sven Vermeulen <swift@gentoo.org> wrote:
>>> On Sun, Mar 18, 2012 at 10:36:53AM +0100, Tom Petri wrote:
>>>> Yes, extended attributes along with security labels are activated.
>>>>
>>>> # attr -s test -V test /var && attr -r test /var
>>>> Attribute "test" set to a 4 byte value for /var: test
>>>>
>>>> I should probably tell how I proceeded during the installation:
>>>> 1. created the filesystems (as usual)
>>>> 2. got a hardened stage3 tarball and portage
>>>> 3. portage sync, re-emerge portage, created a hardened-sources kernel,
>>>> booted up.
>>>> 4. emerge policies (checkpolicy, policycoreutils, selinux-base-policy [-selinux])
>>>> 5. emerge -uDN world
>>>> 6. reboot and tried rlpkg -a -r
>>>
>>> Did the setfiles commands (mentioned in the installation instructions before
>>> the "rlpkg -a -r") succeed, or did they give the same error?
>>>
>>> Wkr,
>>>   Sven Vermeulen
>>>
>> Yes, I got the same errors then:
>> # setfiles -r /mnt/gentoo
>> /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/dev
>> setfiles set context /mnt/gentoo/dev->system_u:object_r:device_t
>> failed:'Operation not supported'
>> # setfiles -r /mnt/gentoo
>> /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/lib
>> setfiles set context /mnt/gentoo/lib->system_u:object_r:lib_t
>> failed:'Operation not supported'
> I just did a fresh gentoo install (configuration) and proceeded with
> the instructions from the gentoo hardened documentation.
> After compiling re-emerging world the system doesn't get up. I'm able
> to ping it but udev seems to have problems as /dev/console and the
> tty's aren't found:
>
> /etc/init.d/sshd[1205]: ERROR: sshd failed to start
> /etc/init.d/urandom[1219]: ERROR: urandom failed to start
> init: open(/dev/console): No such file or directory
> agetty[1233]: /dev/tty2: not a character device
> agetty[1232]: /dev/tty1: not a character device
>
> My mdadm RAID is recognized properly, in case it matters.
>
> I did everything the instructions say, however I'm always getting new
> errors. Is there a viable solution to this? Thanks in advance!

The udev from the hardened documentation seems to be the problem (udev /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755 0 0).

The system boots without this entry, however `sestatus` says "disabled".
Setting filesystem labels for SELinux fails
On Wed, Mar 21, 2012 at 04:40:32PM +0100, Tom Petri wrote:
> > I just did a fresh gentoo install (configuration) and proceeded with
> > the instructions from the gentoo hardened documentation.
> > After compiling re-emerging world the system doesn't get up. I'm able
> > to ping it but udev seems to have problems as /dev/console and the
> > tty's aren't found:
> >
> > /etc/init.d/sshd[1205]: ERROR: sshd failed to start
> > /etc/init.d/urandom[1219]: ERROR: urandom failed to start
> > init: open(/dev/console): No such file or directory
> > agetty[1233]: /dev/tty2: not a character device
> > agetty[1232]: /dev/tty1: not a character device
> >
> > My mdadm RAID is recognized properly, in case it matters.

You aren't by any chance using an initramfs, are you?

> The udev from the hardened documentation seems to be the problem (udev
> /dev tmpfs rw,rootcontext=system_u:object_r:device_t,seclabel,nosuid,relatime,size=10m,mode=755
> 0 0).
>
> The system boots without this entry, however `sestatus` says "disabled".

Is SELinux indeed disabled, or does it only "look" like so? An easy way to test is when you run in strict policy (or mcs/mls without unconfined domains) and you're in the sysadm_t domain. Then try reading /etc/shadow:

hpl ~ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video) context=staff_u:sysadm_r:sysadm_t
hpl ~ # cat /etc/shadow
cat: /etc/shadow: Permission denied

Wkr,
  Sven Vermeulen