# SELinux rlpkg -a -r Operation not permitted [solved]

## mitschel

I'm pretty new to the SELinux topic. So I followed the Gentoo SELinux Handbook to install and test.

But the command `rlpkg -r -a` says unable to relabel:

```
.
.
.
/usr/portage/metadata/cache/dev-python/pythondialog-2.7: Operation not supported
/usr/sbin/setfiles:  unable to relabel /usr/portage/metadata/cache/dev-python/pythondialog-2.7 to system_u:object_r:portage_ebuild_t
/usr/portage/metadata/cache/dev-python/twisted-words-0.4.0: Operation not supported
/usr/sbin/setfiles:  unable to relabel /usr/portage/metadata/cache/dev-python/twisted-words-0.4.0 to system_u:object_r:portage_ebuild_t
/usr/portage/metadata/cache/dev-python/pyparted-1.8.9: Operation not supported
/usr/sbin/setfiles:  unable to relabel /usr/portage/metadata/cache/dev-python/pyparted-1.8.9 to system_u:object_r:portage_ebuild_t
/usr/portage/metadata/cache/dev-python/pastedeploy-1.3.1: Operation not supported
/usr/sbin/setfiles:  unable to relabel /usr/portage/metadata/cache/dev-python/pastedeploy-1.3.1 to system_u:object_r:portage_ebuild_t
/usr/portage/metadata/cache/dev-python/tg-widgets-lightbox-2.0: Operation not supported
/usr/sbin/setfiles:  unable to relabel /usr/portage/metadata/cache/dev-python/tg-widgets-lightbox-2.0 to system_u:object_r:portage_ebuild_t
/usr/portage/metadata/cache/dev-python/python-yadis-1.1.0: Operation not supported
/usr/sbin/setfiles:  unable to relabel /usr/portage/metadata/cache/dev-python/python-yadis-1.1.0 to system_u:object_r:portage_ebuild_t
.
.
.
/usr/sbin/setfiles:  unable to relabel /usr/lib/python2.4/bsddb/test/test_dbtables.py to system_u:object_r:lib_t
/usr/lib/python2.4/bsddb/test/test_misc.pyc: Operation not supported
/usr/sbin/setfiles:  unable to relabel /usr/lib/python2.4/bsddb/test/test_misc.pyc to system_u:object_r:lib_t
/usr/lib/python2.4/bsddb/test/test_dbtables.pyc: Operation not supported
/usr/sbin/setfiles:  unable to relabel /usr/lib/python2.4/bsddb/test/test_dbtables.pyc to system_u:object_r:lib_t
/usr/lib/python2.4/bsddb/test/test_basics.py: Operation not supported
/usr/sbin/setfiles:  unable to relabel /usr/lib/python2.4/bsddb/test/test_basics.py to system_u:object_r:lib_t
/usr/lib/python2.4/bsddb/test/test_all.pyc: Operation not supported
/usr/sbin/setfiles:  unable to relabel /usr/lib/python2.4/bsddb/test/test_all.pyc to system_u:object_r:lib_t
/usr/lib/python2.4/bsddb/test/test_lock.pyo: Operation not supported
/usr/sbin/setfiles:  unable to relabel /usr/lib/python2.4/bsddb/test/test_lock.pyo to system_u:object_r:lib_t
/usr/lib/python2.4/bsddb/test/test_dbtables.pyo: Operation not supported
/usr/sbin/setfiles:  unable to relabel /usr/lib/python2.4/bsddb/test/test_dbtables.pyo to system_u:object_r:lib_t
/usr/lib/python2.4/bsddb/test/test_thread.pyc: Operation not supported
/usr/sbin/setfiles:  unable to relabel /usr/lib/python2.4/bsddb/test/test_thread.pyc to system_u:object_r:lib_t
.
.
.
/tmp: Operation not supported
/usr/sbin/setfiles:  unable to relabel /tmp to system_u:object_r:tmp_t
matchpathcon_filespec_eval:  hash table stats: 217921 elements, 61181/65536 buckets used, longest chain length 8
/usr/sbin/setfiles:  Done.Scanning for shared libraries with text relocations...
Not relabeling /lib/udev/edd_id because it is unlabeled_t.
Not relabeling /lib/udev/create_floppy_devices because it is unlabeled_t.
Not relabeling /lib/udev/usb_id because it is unlabeled_t.
Not relabeling /lib/udev/cdrom_id because it is unlabeled_t.
Not relabeling /lib/udev/scsi_id because it is unlabeled_t.
Not relabeling /lib/udev/vol_id because it is unlabeled_t.
Not relabeling /lib/udev/ata_id because it is unlabeled_t.
Not relabeling /usr/lib/gettext/urlget because it is unlabeled_t.
8 libraries with text relocations, 8 not relabeled.
Some files were not relabeled!  This is not necessarily bad,
but may indicate a labeling problem, since what is detected as
a library is not already labeled with a library type.
If you just relabeled the entire filesystem, please report
this in the #gentoo-hardened IRC channel, the
gentoo-hardened mail list, or Gentoo bugzilla.
Scanning for PIE binaries with text relocations...
PIE executable /sbin/udevadm has text relocations!
PIE executable /sbin/udevd has text relocations!
PIE executable /usr/bin/xgettext has text relocations!
PIE executable /usr/bin/msginit has text relocations!
PIE executable /usr/bin/msggrep has text relocations!
PIE executable /usr/bin/recode-sr-latin has text relocations!
PIE executable /usr/bin/gettext has text relocations!
PIE executable /usr/bin/msgfmt has text relocations!
PIE executable /usr/bin/pcretest has text relocations!
PIE executable /usr/bin/msgmerge has text relocations!
PIE executable /usr/bin/envsubst has text relocations!
PIE executable /usr/bin/ngettext has text relocations!
PIE executable /usr/bin/msgunfmt has text relocations!
PIE executable /usr/bin/msguniq has text relocations!
14 binaries with text relocations detected.
```

So I have a completely unlabeled ext3 filesystem.

```
drwxr-xr-x+  2 root root system_u:object_r:unlabeled_t  4096 Dec 19 14:03 bin
drwxr-xr-x+  3 root root system_u:object_r:unlabeled_t  4096 Dec 20 04:00 boot
drwxr-xr-x+ 12 root root system_u:object_r:device_t    13620 Dec 20 06:42 dev
drwxr-xr-x+ 33 root root system_u:object_r:unlabeled_t  4096 Dec 20 07:27 etc
drwxr-xr-x+  3 root root system_u:object_r:unlabeled_t  4096 Dec 19 19:47 home
drwxr-xr-x+  8 root root system_u:object_r:unlabeled_t  4096 Dec 19 18:02 lib
drwxr-xr-x+  3 root root system_u:object_r:unlabeled_t  4096 Dec 19 04:40 mnt
drwxr-xr-x+  2 root root system_u:object_r:unlabeled_t  4096 Apr 25  2008 opt
dr-xr-xr-x+ 57 root root system_u:object_r:proc_t          0 Dec 20 06:41 proc
drwx------+  4 root root system_u:object_r:unlabeled_t  4096 Dec 19 19:39 root
drwxr-xr-x+  2 root root system_u:object_r:unlabeled_t  4096 Dec 20 01:36 sbin
drwxr-xr-x+  7 root root system_u:object_r:security_t      0 Dec 20 06:41 selinux
drwxr-xr-x+ 11 root root system_u:object_r:sysfs_t         0 Dec 20 06:41 sys
drwxrwxrwt+  5 root root system_u:object_r:unlabeled_t  4096 Dec 20 07:47 tmp
drwxr-xr-x+ 13 root root system_u:object_r:unlabeled_t  4096 Dec 20 07:47 usr
drwxr-xr-x+ 12 root root system_u:object_r:unlabeled_t  4096 Apr 25  2008 var
```

As far as I understand this whole thing, there is something wrong.

Can somebody help me?

```
emerge --info
Portage 2.1.4.5 (selinux/2007.0/x86/hardened, gcc-3.4.6, glibc-2.6.1-r0, 2.6.25-hardened-r10 i686)
=================================================================
System uname: 2.6.25-hardened-r10 i686 Intel(R) Pentium(R) III Mobile CPU 750MHz
Timestamp of tree: Sat, 20 Dec 2008 01:03:01 +0000
distcc 3.0 i686-pc-linux-gnu [disabled]
app-shells/bash:     3.2_p33
dev-lang/python:     2.4.4-r6, 2.5.2-r7
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.61-r2
sys-devel/automake:  1.10.1-r1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=pentium3 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O3 -march=pentium3 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="buildpkg distlocks loadpolicy metadata-transfer sandbox selinux sesandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="berkdb crypt hardened mmx ncurses pam perl pic python readline selinux snmp ssl tcpd x86 xml" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1   emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m       maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt intel  mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage       siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware         voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
```

Last edited by mitschel on Sat Dec 20, 2008 8:11 am; edited 1 time in total

----------

## Hu

SELinux needs some extra functionality enabled in the filesystem. Did you enable `EXT3_FS_SECURITY`? What is the output of `zgrep EXT /proc/config.gz`?

----------
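The check the reply above points to, as an added example that is not part of the original thread: it reads a kernel config and reports whether the filesystem's xattr and security-label options are enabled, and counts the `Operation not supported` failures in relabel output. The config fragments and log excerpt are constructed, and `check_fs_labels` and `count_enotsup` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread. On a real system feed the functions with:
#   zcat /proc/config.gz | check_fs_labels ext3
#   rlpkg -a -r 2>&1 | count_enotsup

# check_fs_labels FS: read a kernel config on stdin; succeed only if the
# filesystem's xattr and security-label options are both built in.
check_fs_labels() {
    fs=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    cfg=$(cat)
    missing=""
    for opt in "CONFIG_${fs}_FS_XATTR" "CONFIG_${fs}_FS_SECURITY"; do
        printf '%s\n' "$cfg" | grep -q "^${opt}=y\$" || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok: $1 can store security.selinux labels"
}

# count_enotsup: read relabel output on stdin and print how many paths failed
# with "Operation not supported" (ENOTSUP), the signature of a filesystem
# that cannot store labels, as opposed to a policy denial.
count_enotsup() {
    grep -c ': Operation not supported$' || true
}

# Constructed kernel config fragments (not taken from the poster's machine).
CFG_BROKEN='CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_XATTR=y
# CONFIG_EXT3_FS_SECURITY is not set'
CFG_FIXED='CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_SECURITY=y'

# Constructed excerpt in the format of the setfiles output quoted in the thread.
LOG_SAMPLE='/tmp: Operation not supported
/usr/sbin/setfiles:  unable to relabel /tmp to system_u:object_r:tmp_t
/usr/sbin/setfiles:  Done.'

printf '%s\n' "$CFG_BROKEN" | check_fs_labels ext3 || true
printf '%s\n' "$CFG_FIXED" | check_fs_labels ext3
printf '%s\n' "$LOG_SAMPLE" | count_enotsup
```

A non-zero count from `count_enotsup` together with a `missing:` line from `check_fs_labels` means the kernel has to be rebuilt with the listed options before relabeling can succeed.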

## mitschel

That did the trick. Thank you!

----------

