# se packages

## idella4

For the second time, does anyone understand selinux?  I've followed the guides from the wiki.  When I boot into my gentoo guest in selinux enforcing mode it's a total disaster.

On boot, I get consistent logging of fundamental inconsistencies.

```
[    8.748466] Freeing unused kernel memory: 416k freed
[    9.259915] SELinux:  class kernel_service not defined in policy
[    9.260004] SELinux:  class tun_socket not defined in policy
[    9.260004] SELinux:  permission open in class sock_file not defined in policy
[    9.260004] SELinux:  permission module_request in class system not defined in policy
[    9.260004] SELinux:  permission nlmsg_tty_audit in class netlink_audit_socket not defined in policy
[    9.260004] SELinux: the above unknown classes and permissions will be denied
[    9.773803] type=1403 audit(1282852506.915:2): policy loaded auid=4294967295 ses=4294967295
 * Mounting /proc ...
[   10.132044] type=1400 audit(1282852253.501:3): avc:  denied  { write } for  pid=729 comm="mount" name="/" dev=proc ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_t tclass=dir
 [ ok ]
 * Mounting xenfs ...
[   10.346099] type=1400 audit(1282852253.715:4): avc:  denied  { mounton } for  pid=734 comm="mount" path="/proc/xen" dev=proc ino=4026531930 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_xen_t tclass=dir
[   10.347005] type=1400 audit(1282852253.715:5): avc:  denied  { mount } for  pid=734 comm="mount" name="/" dev=xenfs ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
[   10.754049] type=1400 audit(1282852254.123:6): avc:  denied  { write } for  pid=734 comm="mount" name="/" dev=xenfs ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir
 [ ok ]
[   10.979637] type=1400 audit(1282852254.348:7): avc:  denied  { write } for  pid=741 comm="mount" name="/" dev=tmpfs ino=1385 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:tmpfs_t tclass=dir
```

On managing to boot in, I thought this isn't too important, but it must be.  The above-cited classes and files are not present in the manufacturer's selinuxfs. This audit structure is obviously significant and needs to be set right.

I tried posting in centos seeing centos uses selinux, but the moderator seemed clueless re the fundamentals of the kernel and the selinuxfs.  I return here.

Like xen the kernel has a setting for the maximum selinux version.  I have no idea about selinux versions, but there is a mismatch.  In the gentoo guest, the policy version that is created on labeling the system is policy.24.  This is listed in /etc/selinux.  The maximum version that the latest gentoo hardened kernel accepts is 23.

 *Quote:*   

> (1)   NSA SELinux checkreqprot default value
> [*]   NSA SELinux maximum supported policy format version
> ...

Its default value was 19 which it seems is around fedora4 or 8 period.  On entering the actual system version, it is programmed to reject it.

 *Quote:*   

> You have made an invalid entry.
> ...

Can someone help straighten this out?  There is no point elaborating on what goes awry once booted into this state since this fundamental setting is corrupt, suffice to say it's a joke.  It appears that the gentoo packages of selinux are out of sync with the kernel.  The kernel is 2.6.34-r2, very up to date, yet it seems it's the kernel that is a version behind the packages.

The wiki guide is also a few years old now.  Although its content appears still to apply, it cites kernels and versions of some years ago.  The other thing that is curious is the profile.

```
gentoo_pristine linux # eselect profile list
Available profile symlink targets:
  [1]   default/linux/x86/10.0
  [2]   default/linux/x86/10.0/desktop
  [3]   default/linux/x86/10.0/desktop/gnome
  [4]   default/linux/x86/10.0/desktop/kde
  [5]   default/linux/x86/10.0/developer
  [6]   default/linux/x86/10.0/server
  [7]   hardened/linux/x86/10.0
  [8]   selinux/2007.0/x86
  [9]   selinux/2007.0/x86/hardened *
  [10]  selinux/v2refpolicy/x86
  [11]  selinux/v2refpolicy/x86/desktop
```

Why is gentoo setting 2007 for selinux and selinux-hardened?
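As an added example (not from this thread or from the Gentoo project), here is a small Python triage script for the two kinds of kernel messages in the boot log above: the "not defined in policy" warnings, which mean the loaded policy is older than the kernel, and the AVC denials, which it groups by source domain, target type and class and flags when the target is unlabeled_t (as with xenfs above, a filesystem the policy has no label for). The sample log lines are constructed copies of the post's format.

```python
import re
from collections import Counter

# Constructed sample lines in the same shape as the boot log in the post.
SAMPLE_LOG = """\
[    9.259915] SELinux:  class kernel_service not defined in policy
[    9.260004] SELinux:  permission open in class sock_file not defined in policy
[    9.260004] SELinux: the above unknown classes and permissions will be denied
[   10.132044] type=1400 audit(1282852253.501:3): avc:  denied  { write } for  pid=729 comm="mount" name="/" dev=proc ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_t tclass=dir
[   10.347005] type=1400 audit(1282852253.715:5): avc:  denied  { mount } for  pid=734 comm="mount" name="/" dev=xenfs ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
"""

# "avc: denied { perm perm } for key=value ..." as printed by the kernel.
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Kernel warnings about classes/permissions the loaded policy does not know.
UNDEF_RE = re.compile(r"SELinux:\s+(?:class (?P<cls>\w+)|permission (?P<perm>\w+) in class (?P<pcls>\w+)) not defined in policy")


def parse_avc(line):
    """Return the fields of one AVC line as a dict, or None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["result"] = m.group("result")
    fields["perms"] = m.group("perms").split()
    return fields


def triage(log):
    """Summarise undefined classes/permissions and denials in a kernel log."""
    undefined, denials = [], []
    for line in log.splitlines():
        u = UNDEF_RE.search(line)
        if u:
            # "class" alone, or "class:permission" for a missing permission
            undefined.append(u.group("cls") or f"{u.group('pcls')}:{u.group('perm')}")
            continue
        d = parse_avc(line)
        if d and d["result"] == "denied":
            denials.append(d)
    # A target of unlabeled_t usually means a filesystem the policy cannot label.
    unlabeled = [d for d in denials if d["tcontext"].endswith(":unlabeled_t")]
    # Group by (source type, target type, class): the third field of a context is the type.
    by_pair = Counter((d["scontext"].split(":")[2], d["tcontext"].split(":")[2], d["tclass"]) for d in denials)
    return {"undefined": undefined, "denials": denials, "unlabeled": unlabeled, "by_pair": by_pair}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("policy lacks:", ", ".join(summary["undefined"]))
    for (src, tgt, cls), n in summary["by_pair"].items():
        print(f"{n}x {src} -> {tgt} ({cls})")
```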

----------

## Hu

 *idella4 wrote:*   

> For the second time, does any-one understand selinux?

 My experience has been that SELinux is one of the smaller niches.  People who know how to control it are rare, but very good if you can find them.

 *idella4 wrote:*   

> I have no idea about selinux versions, but there is a mismatch.  In the gentoo guest, the policy version that is created on labeling the system is policy.24.  This is listed in /etc/selinux.  The maximum version that the latest gentoo hardened kernel accepts is 23.

 As far as I know, you should not set the maximum supported policy format version.  As noted in the help text for that option, it is a compatibility option meant to allow using new kernels with old userland that reacted badly to versions newer than it knew.  As of Fedora Core 5, their init was smart enough not to have a problem.  Since the Fedora family retired FC5 long ago, I think it is safe to believe that Gentoo init is new enough to do the right thing.  :Wink:   If you must set this value, compute the appropriate maximum as described in the help text for the numeric entry field.

 *idella4 wrote:*   

> The kernel is 2.6.34-r2, very up to date, yet it seems it's the kernel that is a version behind the packages.

 Kernel 2.6.35 has been out long enough that there are four stable kernels in its series, and 2.6.34 is not receiving any further stable updates, according to the announcements from Greg Kroah-Hartman, as reposted by Linux Weekly News.

 *idella4 wrote:*   

> ```
> gentoo_pristine linux # eselect profile list
> ...
> ```

 The SELinux team does not roll over profiles as often as other areas.  You elected to use the older 2007 SELinux profile instead of the newer v2refpolicy profile.

----------

## idella4

Hu,

hi again.

 *Quote:*   

> Kernel 2.6.35 has been out long enough that there are four stable kernels in

I was brief enough in my description not to include that the kernel 2.6.34 I am using is the hardened kernel.  Yes, there is kernel 35, but the gentoo hardened latest is 34.  However, from the comments you made, this is not a core issue.

 *Quote:*   

> If you must set this value, compute the appropriate maximum as described in the help text for the numeric entry field.
I did that and acquired 24-15 and 24.

 *Quote:*   

> It is safe to believe that Gentoo init is new enough to do the right thing.

OK, so the kernel setting shouldn't be a hazard.  Turn the max kernel version off.

 *Quote:*   

> You elected to use the older 2007 SELinux profile instead of the newer v2refpolicy profile.

Excuse my ignorance, but I neglected that option because I have no idea what it is.  It is not intuitive, but does this excuse the 2007 selinux profile not working?   Can you outline? Unless I find it myself, cite the gentoo readme on it.  This use of selinux is more or less a learning exercise to know gentoo and linux better.  I can learn selinux much more effectively on an selinux system that actually works.  This is a gentoo guest on xen that resulted from following another post to which you also replied, but then you reply to most.

It seems worth trying since the profile I've selected has led to an awful state.

All the above aside, I really want to see these classes and files cited get sorted.  They refer to audit mostly.

All audit kernel options have been turned on and it appears that the gap does not relate to them.

see other post re virt-viewer in portage & programming.

----------

## Hu

 *idella4 wrote:*   

> Excuse my ignorance, but I neglected that option because I have no idea what it is.  It is not intuitive, but does this excuse the 2007 selinux profile not working?

 It is newer than the 2007 policy.  I think it appeared within the last 18 months, but I cannot tell you much about what is different.  It may or may not work better for you.

 *idella4 wrote:*   

> All the above aside, I really want to see these classes and files cited get sorted.  They refer to audit mostly.

 Sorry, but I cannot help here.  I said above that SELinux is a niche.  Sadly, it is not a niche in which I am qualified to operate.

----------

## idella4

Hu,

well, it looks like I'm going to join those few of the niche.  Having got this far I want to figure it out.

I went back to the guide.  I skipped pages 1&2 and built it on the said profile.

Page 1 instructed to use the newer profile.  

Hopefully that will lead to a better state.

The system is not unusable in enforced mode, but it does break things by not having emerge and portage set up with sensible permission settings.

I can understand user not allowed to use emerge, but cannot make sense of root using emerge and the system refusing permission to complete a clean install of any package.

This will take some time to figure, but an explanation of the basic kernel elements would be helpful.

The gentoo wiki has some useful hints but the one that is needed is not there.

Converting to the new profile should help.  On the new profile, updating world selects only selinux-specific packages; the ones it updates appear to be selinux packages of the 2007-2008 period.

I think I created an out-of-sync system by updating a 2007 vm to current. If I'd left it as it was it might have been in sync.

Shall see.

Well that wasn't hard.  The problem was the profile.  The old profile enforced some outdated packages.  

Updating them suddenly allowed these gaps to be filled.  The classes are now in place.  Also changed the kernel, but that is secondary.

I just have to figure out how to get the user to do anything.  That has broken the back of it.  More re-compiling of the system.  Looks like just applying selinux tools to set rules??!

----------

