SELinux and Shorewall with IPSets

Mr Dash Four mr.dash.four at googlemail.com
Wed Jun 30 20:35:59 UTC 2010


>> When I actually log on the image itself (with qemu) and try running
>> "semanage port -l | grep ssh" I am getting this:
>>
>> ======================================
>> libsemanage.semanage_read_policydb: Could not open kernel policy
>> /etc/selinux/targeted/modules/active/policy.kern for reading. (No such
>> file or directory).
>> /usr/sbin/semanage: Could not test MLS enabled status
>> ======================================
>>     
>
> I have seen and heard about this a couple of times before but i was
> never able to produce this myself.
>
> I have no clue about that missing file or directory message
> (/etc/selinux/targeted/modules/active/policy.kern)
>   
I will have a wild stab at it... This might be able to reproduce the error...

If you have the time you can build a small test image using the livecd 
tools. You need to have the livecd-tools packages installed though. You 
also need qemu as well. Create and save this test kickstart file:

===========test-sel.ks========================
auth --useshadow  --passalgo=md5
bootloader --location=mbr --timeout=5
firewall --disabled
install
logging --level=info
part / --size 1024 --fstype=ext3
repo --cost=1 --name=fedora                    --mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=$basearch
repo --cost=2 --name=updates                   --mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f13&arch=$basearch
#repo --cost=3 --name=livna                     --baseurl=http://rpm.livna.org/repo/13/$basearch/
repo --cost=4 --name=rpmfusion-free            --mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-13&arch=$basearch
repo --cost=5 --name=rpmfusion-free-updates    --mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-updates-released-13&arch=$basearch
repo --cost=6 --name=rpmfusion-nonfree         --mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=nonfree-fedora-13&arch=$basearch
repo --cost=7 --name=rpmfusion-nonfree-updates --mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=nonfree-fedora-updates-released-13&arch=$basearch

# login: root; pwd: root_test
rootpw --plaintext root_test
selinux --enforcing
skipx
text

%packages --nobase --excludedocs

#vital tools
kernel
bash
#selinux-policy
#selinux-policy-targeted
policycoreutils
libsemanage
checkpolicy
policycoreutils-python

#essential tools
rsyslog
vim-minimal


%post --nochroot

# selinux-policy-*.rpm = custom-built policies (must exist!)
rpm -ivh --root $INSTALL_ROOT ~/selinux-policy-*.rpm
%end

%post
/sbin/restorecon -rip /
%end
==========================================

Then, make sure you have the (customised) selinux-policy files and from 
the command line execute the following:

livecd-creator -c test-sel.ks -f test-image

It will download the necessary packages and build the image 
(test-image.iso). Check for the above errors when it comes to install 
the selinux-policy files (I am assuming that on the machine you are 
building the image your SELinux is in enforced mode and using the 
targeted policy). Also check your syslog.

When the image is built, you can log in to the new system with qemu:

qemu -m 512 test-image.iso

Login as root with password "root_test" as specified in the above 
kickstart file. Once there, try to execute semanage and see what happens...
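
Added example, not part of the original message: a shell check that can be run against the image root (for instance with `$INSTALL_ROOT` from the `%post --nochroot` section) to see whether the file named in the semanage error exists before booting the image. The function names are hypothetical, the `modules/active/policy.kern` path is taken from the error text above, and the `policy/policy.*` check assumes the usual binary policy location under `/etc/selinux/<type>/`.

```shell
#!/bin/sh
# Added example: verify that an install root contains the SELinux policy
# files semanage expects. Helper names are hypothetical.

# Print SELINUXTYPE from <root>/etc/selinux/config ("targeted" if unset).
selinux_type() {
    cfg="$1/etc/selinux/config"
    t=""
    if [ -r "$cfg" ]; then
        # Commented-out lines are skipped; the last assignment wins.
        t=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' "$cfg" | tail -n 1)
    fi
    echo "${t:-targeted}"
}

# Return codes:
#   0  policy store and binary policy present
#   2  /etc/selinux/<type> missing (no policy package unpacked in this root)
#   3  modules/active/policy.kern missing or empty (the semanage error above)
#   4  no non-empty binary policy under policy/policy.*
check_policy_store() {
    root="${1:-/}"
    root="${root%/}"
    ptype=$(selinux_type "$root")
    base="$root/etc/selinux/$ptype"
    if [ ! -d "$base" ]; then
        echo "FAIL: $base does not exist" >&2
        return 2
    fi
    if [ ! -s "$base/modules/active/policy.kern" ]; then
        echo "FAIL: $base/modules/active/policy.kern missing or empty" >&2
        return 3
    fi
    found=0
    for f in "$base"/policy/policy.*; do
        if [ -s "$f" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no binary policy in $base/policy" >&2
        return 4
    fi
    echo "OK: policy store for '$ptype' looks complete under ${root:-/}"
    return 0
}
```

In the kickstart above it would be called as `check_policy_store "$INSTALL_ROOT"` right after the `rpm -ivh` line; inside the running image, `check_policy_store /` performs the same test.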


