# [Solved] SELinux Unable to open policy.29

## Garumental

I am experimenting with SELinux on a hardened Linux installation and I have a few problems but the most recent is this one:

```
semanage login -l
ERROR: policydb version 29 does not match my version range 15-28
ERROR: Unable to open policy //etc/selinux/strict/policy/policy.29.
Traceback (most recent call last):
  File "/usr/lib/python-exec/python2.7/semanage", line 27, in <module>
    import seobject
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 27, in <module>
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 732, in <module>
    raise e
ValueError: Failed to read //etc/selinux/strict/policy/policy.29 policy file
```

This started after I did an update of the system with emerge -auvND world.

```
sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             strict
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      28
```

Linux CrapTop 3.11.7-hardened

```
seinfo
Statistics for policy file: /etc/selinux/strict/policy/policy.28
Policy Version & Type: v.28 (binary, non-mls)
   Classes:            81    Permissions:       240
   Sensitivities:       0    Categories:          0
   Types:            1437    Attributes:        199
   Users:               6    Roles:               6
   Booleans:           66    Cond. Expr.:        60
   Allow:           18215    Neverallow:          0
   Auditallow:          1    Dontaudit:        3161
   Type_trans:       1013    Type_change:         9
   Type_member:         6    Role allow:          7
   Role_trans:          1    Range_trans:         0
   Constraints:        90    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             23
   Genfscon:           84    Portcon:           449
   Netifcon:            0    Nodecon:             0
   Permissives:         1    Polcap:              2
```

I see that my hardened kernel 3.11.7 only supports up to policy 28 but my system still pulled in 29.

I am very new to SELinux and still haven't been able to configure it so I can't set it in enforcing mode without losing functionality but that's a later problem. First I need help and hints on how to solve this. Should I mask some package or have I missed some configuration?

I didn't know what information to supply to make debugging easier, but I pasted some SELinux-related outputs.

Last edited by Garumental on Thu Feb 06, 2014 8:37 pm; edited 1 time in total

----------

## landdie

Hmmmmmmmm. Same problem here. Might well have started after my world update some days back but only just noticed whilst trying to sort some unusual denials which started popping up in my logs!

```
ERROR: policydb version 29 does not match my version range 15-28
ERROR: Unable to open policy //etc/selinux/strict/policy/policy.29.
Traceback (most recent call last):
  File "/usr/lib/python-exec/python2.7/semanage", line 27, in <module>
    import seobject
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 27, in <module>
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 732, in <module>
    raise e
ValueError: Failed to read //etc/selinux/strict/policy/policy.29 policy file
```

Don't know if it's related but can't log in as root either. Which I also only just noticed!

----------

## landdie

Well as I'm no selinux aficionado I would not like to say if this is a workaround or a trasher but it fixed the problem for me. 

I changed the name of /etc/selinux/strict/policy/policy.29 to apolicy.29-bak; the 'a' at the beginning of the name was necessary to stop the file getting parsed!

Then I renamed /etc/selinux/strict/modules/active/policy.kern to apolicy.kern-bak (note this is a symlink to /etc/selinux/strict/policy/policy.29).

I then made a new symlink called policy.kern to /etc/selinux/strict/policy/policy.28

Then

```
/etc/init.d/selinux_gentoo restart
```

So far all seems to work fine but I am absolutely certain this is not the right solution. :Smile:

I'm wondering if this is a Python 2.7 thing; maybe it's time to start using Python 3.3? My last info was that SELinux management utilities only work with Python 2.7 but maybe that's changed! Had problems with Python once before, see

```
eselect news read 9
```

I happened to do a world update at the exact wrong moment; it took hours to sort, so I'm not about to try 3.3 for fun! :Smile:

Hopefully someone who knows what they are on about will point us in the right direction!

----------

## Garumental

This works for me too. I did the same thing with the symlinks to point to 28 a few days ago but didn't think of renaming the policy29 so I didn't get it working, but now it works thanks to the renaming. Like you said, it is very weird that users have to dig down in this. Sure it's Gentoo so stuff like this isn't super new to us, but this error doesn't seem to have any logic to it. How come it pulls in a new policy when my kernel doesn't support it and I'm not getting a new kernel on system updates? It seems it's a bit out of sync.

I would use python 3* any day if I wasn't using a few tor apps that are as up to date as my grandmother :Razz:

*landdie wrote:*

> Well as I'm no selinux aficionado I would not like to say if this is a workaround or a trasher but it fixed the problem for me.
>
> I changed the name of /etc/selinux/strict/policy/policy.29 to apolicy.29-bak; the 'a' at the beginning of the name was necessary to stop the file getting parsed!
>
> Then I renamed /etc/selinux/strict/modules/active/policy.kern to apolicy.kern-bak (note this is a symlink to /etc/selinux/strict/policy/policy.29).
> ...

----------

## N8Fear

Check CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE in your kernel config and adjust it if needed. I think that should really fix it...

----------

## landdie

*N8Fear wrote:*

> Check CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE in your kernel config and adjust it if needed. I think that should really fix it...

Already been there. Only an option to set up to policy.23. I've been running policy.28 with no maximum policy set with no problems until now! :Smile:

----------

## landdie

Well, the way to sort this was in the end long-winded but effective!

First I did 

```
emerge --sync
```

Next I added python3.3 to make.conf. Not sure if this was needed, probably not!  

```
PYTHON_TARGETS="python2_7 python3_2 python3_3"
```

Then I did

```
emerge --newuse sys-libs/libsemanage
```

Next I ran 

```
python-updater
```

Then I did 

```
emerge -1 checkpolicy policycoreutils
```

Next 

```
emerge -uDN world
```

Then I did 

```
emerge --depclean
```

Next I ran

```
revdep-rebuild
```

Then I did 

```
emerge --newuse selinux-base selinux-base-policy 
```

which I had tried before without success in solving the problem.

Next I did

```
emerge --newuse setools sepolgen checkpolicy
```

Finally I did 

```
rlpkg -a -r
```

Now everything works fine; the symlink to policy.29 is still in /etc/selinux/strict/modules/active/

but

```
cat /selinux/policyvers; echo
```

gives me 28

So have no idea why policy.29 gets pulled in. It's still there with a nice new fresh today's date but it's not getting used and my funky workaround is no longer necessary, which feels like a good thing! :Smile:

----------

## aunxx

Hi.

Thank you for this. The working step for me was this one.

```
emerge -av setools sepolgen checkpolicy
```

And tried on the next machine gave me

```
emerge -av setools
```

as all that was required to fix this error.

 :Smile: 

----------
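
As an added example (not part of any post in this thread, and not Gentoo's own tooling): a POSIX shell check for the mismatch discussed above, comparing the policy.N files in a policy directory against the highest version the kernel reports. The function names are hypothetical, and the demo at the bottom runs against a constructed temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread. Flags policy.N files whose version is
# above the highest version a loader accepts (28 in the outputs above).

# Print the kernel's maximum policy version. Defaults cover the selinuxfs
# mount from sestatus and the older /selinux path used later in the thread.
kernel_max_policyvers() {
    [ $# -gt 0 ] || set -- /sys/fs/selinux/policyvers /selinux/policyvers
    for f in "$@"; do
        [ -r "$f" ] && { cat "$f"; echo; return 0; }
    done
    return 1
}

# check_policy_versions DIR MAX
# Prints "policy.N ok" or "policy.N too-new" for each DIR/policy.N.
# Returns 0 if all fit, 1 if any is newer than MAX, 2 if none were found.
check_policy_versions() {
    dir=$1; max=$2; seen=0; rc=0
    for p in "$dir"/policy.*; do
        ver=${p##*/policy.}
        # Skip policy.kern, backups such as policy.29-bak, and an unmatched glob.
        case $ver in ''|*[!0-9]*) continue ;; esac
        seen=1
        if [ "$ver" -gt "$max" ]; then
            echo "policy.$ver too-new"; rc=1
        else
            echo "policy.$ver ok"
        fi
    done
    [ "$seen" -eq 1 ] || return 2
    return "$rc"
}

# policy_kern_version LINK: version of the file a policy.kern symlink points to.
policy_kern_version() {
    target=$(readlink "$1") || return 1
    echo "${target##*policy.}"
}

# Constructed demo mirroring the thread: policy.28 and policy.29 on disk,
# policy.kern pointing at policy.29, maximum accepted version 28.
demo=$(mktemp -d)
: > "$demo/policy.28"; : > "$demo/policy.29"
ln -s "$demo/policy.29" "$demo/policy.kern"
check_policy_versions "$demo" 28 ||
    echo "policy.kern -> policy.$(policy_kern_version "$demo/policy.kern")"
rm -rf "$demo"
```

On a live system the equivalent call is `check_policy_versions /etc/selinux/strict/policy "$(kernel_max_policyvers)"`, with `policy_kern_version /etc/selinux/strict/modules/active/policy.kern` showing which file the active symlink selects.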

