SELinux and Shorewall with IPSets

Dominick Grift domg472 at gmail.com
Wed Jun 30 19:46:10 UTC 2010


On 06/30/2010 09:36 PM, Mr Dash Four wrote:
> 
>> You would need to edit the source, and rebuild modified selinux-policy
>> packages. The port declaration is located in
>> policy/modules/kernel/corenetwork.te.in.
>>   
> 
> Building the RPMs went OK, though the image build failed miserably!
> 
> I am getting the following errors when trying to install my
> (custom-built) selinux-policy and selinux-policy-targeted rpms:
> 
> =============Errors when executing rpm -ivh selinux-policy*.rpm on the
> image======================
> libsemanage.semanage_install_active: setfiles returned error code 1.
> (Permission denied).
> libsemanage.semanage_install_active: Could not copy
> /etc/selinux/targeted/modules/active/policy.kern to
> /etc/selinux/targeted/policy/policy.24. (No such file or directory).
> semodule:  Failed!
> libsemanage.semanage_read_policydb: Could not open kernel policy
> /etc/selinux/targeted/modules/active/policy.kern for reading. (No such
> file or directory).
> /usr/sbin/semanage: Could not test MLS enabled status
> ===============================================================================
> 
> 
> Looking at my syslog I am getting the following:
> 
> 
> ============syslog====================================
> Jun 30 20:06:36 xp1 kernel: type=1401 audit(1277924796.734:30578):
> security_compute_sid:  invalid context
> unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
> scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
> Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.706:30579):
> security_compute_sid:  invalid context
> unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
> scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
> Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.740:30580):
> security_compute_sid:  invalid context
> unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for
> scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
> =====================================================
> 
> I presume my currently running SELinux does not like something when I
> try to install SELinux on the image. I presume it is something to do
> with the fact that its own 'selinux-policy' somehow differs from the one
> I built from source.
> 
> When I actually log on the image itself (with qemu) and try running
> "semanage port -l | grep ssh" I am getting this:
> 
> ======================================
> libsemanage.semanage_read_policydb: Could not open kernel policy
> /etc/selinux/targeted/modules/active/policy.kern for reading. (No such
> file or directory).
> /usr/sbin/semanage: Could not test MLS enabled status
> ======================================
> 
> 
> The interesting thing is that my "semanage fcontext" command to change
> ipset SELinux attributes has been executed - these attributes are changed.

Hmm... I am not sure about this but maybe:

role system_r types setfiles_mac_t;

helps here.
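The audit lines quoted above are what this suggestion is based on: in each, the context the kernel computed for the transition (unconfined_u:system_r:setfiles_mac_t) keeps the user and role of the valid source context (unconfined_u:system_r:livecd_t) and changes only the type, and a context is rejected as invalid when its role is not authorised for its type. The remaining errors (setfiles "Permission denied", the missing policy.kern and policy.24) are most likely downstream of that failed transition, since semodule runs setfiles to finish the install. The script below is an added example, not part of the thread or of the Fedora policy: it parses such type=1401 lines, derives the missing association, and renders a refpolicy-style .te module containing the role statement. The module name setfiles_role and the "which field changed" heuristic in diagnose() are assumptions of the example; the build commands in the comments are the standard selinux-policy-devel Makefile and semodule. On the host, `seinfo -rsystem_r -x` (setools) lists the types currently authorised for system_r, which is the quick way to confirm the gap before rebuilding anything.

```python
import re
from collections import OrderedDict

# Constructed sample input: the three kernel audit lines quoted in the thread,
# each on a single line as syslog writes them.
SAMPLE_SYSLOG = """\
Jun 30 20:06:36 xp1 kernel: type=1401 audit(1277924796.734:30578): security_compute_sid:  invalid context unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.706:30579): security_compute_sid:  invalid context unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.740:30580): security_compute_sid:  invalid context unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
"""

# type=1401 (SELINUX_ERR) lines: the kernel computed a transition result and
# then refused it because the (user, role, type) triple is not authorised.
AUDIT_RE = re.compile(
    r"security_compute_sid:\s+invalid context (?P<new>\S+)"
    r" for scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)"
)


def parse_context(ctx):
    """Split user:role:type[:mls] into its fields; the MLS range is optional."""
    parts = ctx.split(":", 3)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "mls": parts[3] if len(parts) > 3 else ""}


def diagnose(line):
    """Classify one audit line.

    Heuristic (an assumption of this example, not the kernel's full check):
    the source context was valid, so the field that changed in the computed
    context is the one lacking an association.
      role changed          -> ("user", user, new_role)   user->role gap
      only the type changed -> ("role", role, new_type)   role->type gap
    Returns None for anything that is not an invalid-context process event.
    """
    m = AUDIT_RE.search(line)
    if not m or m.group("cls") != "process":
        return None
    new, src = parse_context(m.group("new")), parse_context(m.group("src"))
    if new["role"] != src["role"]:
        return ("user", new["user"], new["role"])
    if new["type"] != src["type"]:
        return ("role", new["role"], new["type"])
    return None


def diagnose_log(text):
    """Unique diagnoses across a log, in first-seen order (the thread shows
    the same event three times; one statement is wanted, not three)."""
    seen = OrderedDict()
    for line in text.splitlines():
        d = diagnose(line)
        if d is not None:
            seen.setdefault(d, None)
    return list(seen)


def generate_module(name, diagnoses):
    """Render a refpolicy-style .te module adding the missing role->type
    associations. A user->role gap is emitted as a comment instead, because
    that is fixed with `semanage user -m -R`, not with a role statement."""
    roles, types, stmts = set(), set(), []
    for kind, a, b in diagnoses:
        if kind == "role":
            roles.add(a)
            types.add(b)
            stmts.append(f"role {a} types {b};")
        else:
            stmts.append(f"# user {a} is not authorised for role {b}; "
                         f"fix with: semanage user -m -R \"<existing roles> {b}\" {a}")
    req = "".join(f"\trole {r};\n" for r in sorted(roles))
    req += "".join(f"\ttype {t};\n" for t in sorted(types))
    return (f"policy_module({name}, 1.0)\n\n"
            f"gen_require(`\n{req}')\n\n"
            + "\n".join(stmts) + "\n")


if __name__ == "__main__":
    # Build and load on the target with the refpolicy devel Makefile:
    #   make -f /usr/share/selinux/devel/Makefile setfiles_role.pp
    #   semodule -i setfiles_role.pp
    print(generate_module("setfiles_role", diagnose_log(SAMPLE_SYSLOG)))
```

The generated module only adds the role association; it does not touch the port or fcontext changes that started this thread, so it can be loaded as a separate local module and removed again with `semodule -r setfiles_role` once the rebuilt selinux-policy carries the fix.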
