SELinux and Shorewall with IPSets

Mr Dash Four mr.dash.four at googlemail.com
Wed Jun 30 19:36:46 UTC 2010


> You would need to edit the source, and rebuild modified selinux-policy
> packages. The port declaration is located in
> policy/modules/kernel/corenetwork.te.in.
>   

Building the RPMs went OK, though the image build failed miserably!

I am getting the following errors when trying to install my 
(custom-built) selinux-policy and selinux-policy-targeted rpms:

============= Errors when executing rpm -ivh selinux-policy*.rpm on the image ======================
libsemanage.semanage_install_active: setfiles returned error code 1. (Permission denied).
libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/policy.kern to /etc/selinux/targeted/policy/policy.24. (No such file or directory).
semodule:  Failed!
libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/modules/active/policy.kern for reading. (No such file or directory).
/usr/sbin/semanage: Could not test MLS enabled status
===============================================================================

Looking at my syslog I am getting the following:


============ syslog ====================================
Jun 30 20:06:36 xp1 kernel: type=1401 audit(1277924796.734:30578): security_compute_sid:  invalid context unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.706:30579): security_compute_sid:  invalid context unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.740:30580): security_compute_sid:  invalid context unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
=====================================================

I presume my currently running SELinux does not like something when I 
try to install SELinux on the image. I presume it is something to do 
with the fact that its own 'selinux-policy' somehow differs from the one 
I built from source.

When I actually log on to the image itself (with qemu) and try running
"semanage port -l | grep ssh", I am getting this:

======================================
libsemanage.semanage_read_policydb: Could not open kernel policy /etc/selinux/targeted/modules/active/policy.kern for reading. (No such file or directory).
/usr/sbin/semanage: Could not test MLS enabled status
======================================


The interesting thing is that my "semanage fcontext" command to change
ipset SELinux attributes has been executed - these attributes are changed.
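As an added illustration (not part of the original post), a small parser for the type=1401 audit lines quoted above: it pulls the rejected result context apart so that the type the running policy does not know (here setfiles_mac_t, reached from livecd_t executing setfiles_exec_t) is visible at a glance. The sample syslog text is constructed from the post's output, with one unrelated type=1400 line added to show that other audit records are skipped.

```python
import re
from collections import Counter

# Constructed sample: the three kernel audit lines from the post, each on one
# line as syslog emits them, plus one unrelated type=1400 AVC line (constructed).
SAMPLE_SYSLOG = """\
Jun 30 20:06:36 xp1 kernel: type=1401 audit(1277924796.734:30578): security_compute_sid:  invalid context unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.706:30579): security_compute_sid:  invalid context unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
Jun 30 20:07:05 xp1 kernel: type=1401 audit(1277924825.740:30580): security_compute_sid:  invalid context unconfined_u:system_r:setfiles_mac_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=process
Jun 30 20:07:06 xp1 kernel: type=1400 audit(1277924826.001:30581): avc:  denied  { getattr } for  pid=1234 comm="demo" tclass=file
"""

# type=1401 is AUDIT_SELINUX_ERR. security_compute_sid logs it when the
# transition it computed (source domain executing target file) yields a
# context that is not valid under the policy currently loaded in the kernel.
INVALID_CTX_RE = re.compile(
    r"type=1401 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"security_compute_sid:\s+invalid context (?P<result>\S+) for "
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def split_context(ctx):
    """Split user:role:type[:range]; the MLS range itself may contain ':' (s0-s0:c0.c1023)."""
    user, role, typ, *rng = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "range": rng[0] if rng else ""}

def parse_invalid_contexts(text):
    """Return one dict per type=1401 invalid-context record; other audit types are ignored."""
    events = []
    for line in text.splitlines():
        m = INVALID_CTX_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["result_type"] = split_context(ev["result"])["type"]
        ev["source_type"] = split_context(ev["scontext"])["type"]
        ev["target_type"] = split_context(ev["tcontext"])["type"]
        events.append(ev)
    return events

def summarize_missing_types(events):
    """Count rejected transitions keyed by (source domain, target type, rejected result type)."""
    return Counter((e["source_type"], e["target_type"], e["result_type"]) for e in events)

if __name__ == "__main__":
    for (src, tgt, res), n in summarize_missing_types(parse_invalid_contexts(SAMPLE_SYSLOG)).items():
        print(f"{n}x: {src} exec {tgt} -> {res} (result type unknown to the loaded policy)")
```

A result type that the loaded policy rejects but that the freshly built policy defines points at a mismatch between the policy running on the build host and the one being installed into the image.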
