# Different small problems with the implementation of SELinux

## Jimini

Hey there,

I am currently implementing SELinux on one of my Gentoo systems and experiencing some smaller problems:

1. "neverallow" rules

When building modules using audit2allow, some rules are generated that lead to a compiler error, for example:

```
allow zabbix_agent_t fixed_disk_device_t:blk_file { read ioctl open };
```

or

```
allow kernel_t proc_kmsg_t:file { read open };
```

or 

```
allow kernel_t shadow_t:file { read open };
```

The error looks like the following:


> Neverallow found that matches avrule at line 93 of /var/lib/selinux/strict/tmp/modules/100/storage/cil
> 
> Binary policy creation failed at line 3 of /var/lib/selinux/strict/tmp/modules/400/test/cil
> 
> Failed to generate binary
> ...

 

Since /var/lib/selinux/strict/active/modules/100/storage/cil contains the line


> (neverallow storage_typeattr_1 fixed_disk_device_t (blk_file (read)))

 

the compiler throws an error. 

I am now unsure how to deal with these rules.

2. When executing audit2allow -li /var/log/audit.log, I get the following errors:


> libsepol.context_from_record: invalid security context: "system_u:system_r:gcc_config_t"
> 
> libsepol.context_from_record: could not create context structure
> 
> libsepol.context_from_string: could not create context structure
> ...

 

I assume that this has to do with the next problem.

3. My syslog logs "SELinux: Context system_u:system_r:gcc_config_t would be invalid if enforcing" from time to time. This seems to happen independently of the occurrence of the previous problem.

I have been searching the web for two weeks now, and an SELinux book could not help me shed light on this so far either. Hence, any help would be really appreciated.

Best regards,

Jimini

----------

## Jimini

Since I recently got some of these errors again, I googled - and found this thread. So I solved the problem with the neverallow rules by identifying the processes which violate these conditions.

The other problems remain unsolved, so far.

Best Regards,

Jimini

----------
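An added example, not part of the original posts: a pre-check that compares audit2allow output against `neverallow` statements from a CIL file before the module is compiled, so that rules like the ones quoted in the first post can be reviewed instead of loaded. The input is constructed from the lines quoted in the thread, the function names are hypothetical, and only the simple CIL form shown in the post is handled; whether the source type is a member of the neverallow's attribute is not resolved.

```python
import re

# Constructed sample input: the three audit2allow rules and the single
# neverallow statement quoted in the thread.
TE_RULES = """\
allow zabbix_agent_t fixed_disk_device_t:blk_file { read ioctl open };
allow kernel_t proc_kmsg_t:file { read open };
allow kernel_t shadow_t:file { read open };
"""
CIL_POLICY = "(neverallow storage_typeattr_1 fixed_disk_device_t (blk_file (read)))\n"

# allow SRC TGT:CLASS { perms };   or   allow SRC TGT:CLASS perm;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+([^\s:]+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|([^\s;{]+))\s*;",
    re.M)
# (neverallow SRC TGT (CLASS (perms)))  -- simple form only (assumption)
NEVERALLOW_RE = re.compile(
    r"\(neverallow\s+(\S+)\s+(\S+)\s+\((\S+)\s+\(([^)]*)\)\)\)")

def parse_allows(te_text):
    """Return (source, target, class, perms) for each .te allow rule."""
    return [(src, tgt, cls, set((braced or single).split()))
            for src, tgt, cls, braced, single in ALLOW_RE.findall(te_text)]

def parse_neverallows(cil_text):
    """Return (source, target, class, perms) for each simple CIL neverallow."""
    return [(src, tgt, cls, set(perms.split()))
            for src, tgt, cls, perms in NEVERALLOW_RE.findall(cil_text)]

def candidates(te_text, cil_text):
    """Allow rules sharing target, class and a permission with a neverallow.

    The neverallow source is usually an attribute, so it is reported for
    manual review rather than matched against the allow rule's source type.
    """
    never = parse_neverallows(cil_text)
    hits = []
    for src, tgt, cls, perms in parse_allows(te_text):
        for n_src, n_tgt, n_cls, n_perms in never:
            overlap = perms & n_perms
            if tgt == n_tgt and cls == n_cls and overlap:
                hits.append((src, tgt, cls, sorted(overlap), n_src))
    return hits

if __name__ == "__main__":
    for src, tgt, cls, perms, n_src in candidates(TE_RULES, CIL_POLICY):
        print(f"review: {src} -> {tgt}:{cls} {perms} (neverallow on {n_src})")
```

Only the `zabbix_agent_t` rule is flagged here because the thread quotes just one neverallow statement; the statements behind the other two rules are not shown on the page.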

