# SELinux relabeling error (rlpkg -a -r) [PARTIALLY SOLVED]

## quad

Hi,

Seeking help about an error I have going through the SELinux installation guide.

I'm following the online guide to install SELinux, but run into an issue at section 3.e where I get the following error:

```
$ sudo rlpkg -r -a
Relabeling filesystem types: ext2 ext3 jfs xfs
/usr/sbin/setfiles:  labeling files under /
/usr/sbin/setfiles:  labeling files under /boot
/usr/sbin/setfiles:  labeling files under /tmp
/usr/sbin/setfiles:  labeling files under /var
/usr/sbin/setfiles:  Done.
Error writing to stat pipe, child exiting.
Scanning for shared libraries with text relocations...
Traceback (most recent call last):
  File "/usr/sbin/rlpkg", line 312, in ?
    main()
  File "/usr/sbin/rlpkg", line 301, in main
    rc += relabel_textrel_shlib(verbose)
  File "/usr/sbin/rlpkg", line 164, in relabel_textrel_shlib
    if ctx[2] in textrel_ok_relabelfrom:
IndexError: list index out of range
```

The only other thing I did differently from the guide is to run

```
touch /etc/selinux/strict/contexts/file_contexts
```

before merging updated packages (section 3.c). Otherwise I kept receiving an error message stating that file_contexts was not found and the merge stopped.

Context information:

```
$ emerge --info
Portage 2.1.3.19 (selinux/2007.0/x86/hardened, gcc-3.4.6, glibc-2.6.1-r0, 2.6.22-hardened-r8 i686)
=================================================================
System uname: 2.6.22-hardened-r8 i686 Intel(R) Celeron(R) CPU 2.53GHz
Timestamp of tree: Thu, 29 Nov 2007 21:29:01 +0000
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=i686 -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=i686 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks loadpolicy metadata-transfer sandbox selinux sesandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="        http://gentoo.mirrors.tds.net/gentoo/   http://gentoo.osuosl.org/       http://gentoo.arcticnetwork.ca/         ftp://distro.ibiblio.org/pub/linux/distributions/gentoo/ "
MAKEOPTS=""
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="berkdb bitmap-fonts cli cracklib crypt cups dri extensions firefox fortran gdbm gpm hardened iconv ipv6 isdnlog midi mudflap ncurses nls nptl nptlonly openmp pam pcre perl pic pppd python readline reflection selinux session spl ssl tcpd truetype-fonts type1-fonts unicode x86 xattr xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
```

Last edited by quad on Tue Dec 04, 2007 9:52 pm; edited 1 time in total

----------

## nixnut

Moved from Installing Gentoo to Networking & Security.

----------

## quad

Hi, I'm still stuck with the same error. Does anyone have any idea what causes the issue? I've just tried to rsync my tree and rebuild policycoreutils and selinux-base-policy, but it still fails on the same operation. I've noticed that this operation is actually the --textrels phase when -a is used (in this case), or if I explicitly specify --textrels instead (it scans shared libs for text relocations and relabels them).

Here is what the latest execution yielded:

```
$ sudo rlpkg -r -a
Relabeling filesystem types: ext2 ext3 jfs xfs
/usr/sbin/setfiles:  labeling files under /
matchpathcon_filespec_eval:  hash table stats: 499990 elements, 58513/65536 buckets used, longest chain length 32
/usr/sbin/setfiles:  labeling files under /boot
matchpathcon_filespec_eval:  hash table stats: 37 elements, 37/65536 buckets used, longest chain length 1
/usr/sbin/setfiles:  labeling files under /tmp
matchpathcon_filespec_eval:  hash table stats: 1926 elements, 1926/65536 buckets used, longest chain length 1
/usr/sbin/setfiles:  labeling files under /var
matchpathcon_filespec_eval:  hash table stats: 61904 elements, 30538/65536 buckets used, longest chain length 5
/usr/sbin/setfiles:  Done.
Error writing to stat pipe, child exiting.
Scanning for shared libraries with text relocations...
Traceback (most recent call last):
  File "/usr/sbin/rlpkg", line 312, in ?
    main()
  File "/usr/sbin/rlpkg", line 301, in main
    rc += relabel_textrel_shlib(verbose)
  File "/usr/sbin/rlpkg", line 164, in relabel_textrel_shlib
    if ctx[2] in textrel_ok_relabelfrom:
IndexError: list index out of range
```

The thing is that I've not built this machine originally and I've been assigned to update and secure it.

Update

I think it's a bug in rlpkg since it assumes there will be at least three elements in the ctx array:

```
147  def relabel_textrel_shlib(verbose):
148          print "Scanning for shared libraries with text relocations..."
149
150          childout = os.popen(string.join(SCANELF+textrel_shlib_paths))
151
152          notok = 0
153          textrel_libs = 0
154          for line in childout.readlines():
155                  filename = line.split()[1]
156                  textrel_libs += 1
157
158                  (ret,context) = selinux.getfilecon(filename)
159                  if ret < 0:
160                          print "Error getting context of "+filename
161                  else:
162                          ctx = string.split(context,":")
163
164                          if ctx[2] in textrel_ok_relabelfrom:
```

But manually running the command that the script executes does not seem to produce a 3+ element array:

```
$ python
Python 2.4.4 (#1, Nov 26 2007, 20:11:10)
[GCC 3.4.5 (Gentoo 3.4.5-r1, ssp-3.4.5-1.0, pie-8.7.9)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import selinux
>>> selinux.getfilecon('/usr/lib/dri/i915tex_dri.so')
[10, 'unlabeled']
>>>
```

In this particular case, it might well be because this file is not relabeled yet (I'm in the process of updating all packages). So what I tried next is to relabel the specific packages manually. But first I needed to figure out what they were so I followed the script logic and ran:

```
$ sudo scanelf -tqR -E ET_DYN /lib /usr/lib /opt
```

(As executed by the rlpkg script.)

I then used equery to find out which packages the files displayed by the above command belonged to, e.g.:

```
$ equery b /usr/lib/dri/i915tex_dri.so
```

Then, the actual relabel command I've tried:

```
$ sudo rlpkg -r mesa sun-jdk
```

which were the only packages to relabel -- but it failed as expected. I discovered that this command in turn executed `/sbin/restorecon -f - -F`. Running this command manually showed that it exited immediately without any output. Obviously this was the problem. A quick Google search later revealed that this tool silently exits when SELinux is not active.

```
$ sestatus
SELinux status:                 disabled

$ python
Python 2.4.4 (#1, Nov 26 2007, 20:11:10)
[GCC 3.4.5 (Gentoo 3.4.5-r1, ssp-3.4.5-1.0, pie-8.7.9)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import selinux
>>> (selinux.is_selinux_enabled(), selinux.enabled)
(0, False)
>>>
```

Indeed.

So the bottom line is, rlpkg fails when SELinux is not active. I think it should be fixed to check whether SELinux is active first then act accordingly. Also, I believe that mentioning this potential problem in the handbook could be something to consider.

While I still haven't totally solved the problem yet, I hope this post will save someone else a few headaches hehe.
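The two failure points quad traced above (rlpkg indexing `ctx[2]` on a context string that is just `unlabeled`, and restorecon doing nothing while SELinux is disabled) can both be handled defensively. The following is an added example written for this thread, not the rlpkg script or anything from Gentoo's policycoreutils; it is modern Python, does not import the real `selinux` module (the `getfilecon` and `is_selinux_enabled` callables are injected so it runs anywhere), and the `TEXTREL_OK_RELABELFROM` contents are a constructed stand-in, since the thread names that variable but not its values.

```python
# Added example: a defensive reworking of the relabel_textrel_shlib logic
# described in the thread. Not the rlpkg code itself.

# Constructed stand-in for rlpkg's textrel_ok_relabelfrom; real contents unknown.
TEXTREL_OK_RELABELFROM = ["lib_t", "usr_t"]


def parse_context(context):
    """Split a SELinux context into its fields.

    Returns a dict with user/role/type/level, or None when the string lacks
    user:role:type (the 'unlabeled' case that made ctx[2] raise IndexError).
    """
    parts = context.split(":")
    if len(parts) < 3:
        return None
    return {
        "user": parts[0],
        "role": parts[1],
        "type": parts[2],
        # MLS/MCS levels can themselves contain ':' (e.g. s0:c0.c1023), so
        # rejoin the remainder instead of taking a single field.
        "level": ":".join(parts[3:]) or None,
    }


def classify_textrel_lib(getfilecon_result, ok_types=TEXTREL_OK_RELABELFROM):
    """Map one (rc, context) pair from getfilecon() to an action string."""
    rc, context = getfilecon_result
    if rc < 0:
        return "error"        # getfilecon itself failed
    ctx = parse_context(context)
    if ctx is None:
        return "unlabeled"    # e.g. [10, 'unlabeled'] seen in the thread
    if ctx["type"] in ok_types:
        return "relabel"
    return "skip"


def relabel_textrel_shlibs(files, getfilecon, is_selinux_enabled,
                           ok_types=TEXTREL_OK_RELABELFROM):
    """Count the action for each shared library; refuse to run if SELinux is off.

    getfilecon(path) -> [rc, context]; is_selinux_enabled() -> bool.
    Both are injected so the example runs without libselinux.
    """
    if not is_selinux_enabled():
        # This is the check rlpkg lacked: restorecon exits silently here.
        raise RuntimeError("SELinux is disabled: restorecon would do nothing")
    counts = {"error": 0, "unlabeled": 0, "relabel": 0, "skip": 0}
    queued = []
    for filename in files:
        action = classify_textrel_lib(getfilecon(filename), ok_types)
        counts[action] += 1
        if action == "relabel":
            queued.append(filename)
    # In the real script this is where 'restorecon -f - -F' would be fed `queued`.
    counts["queued"] = queued
    return counts


if __name__ == "__main__":
    # Constructed sample inputs mirroring what the thread observed.
    sample = {
        "/usr/lib/dri/i915tex_dri.so": [10, "unlabeled"],
        "/usr/lib/libfoo.so": [0, "system_u:object_r:lib_t"],
        "/opt/bar/libbar.so": [0, "system_u:object_r:bin_t:s0"],
        "/usr/lib/missing.so": [-1, None],
    }
    print(relabel_textrel_shlibs(sample, sample.__getitem__, lambda: True))
```

With SELinux reported as disabled the function raises instead of quietly counting zero relabels, which is the behaviour quad was asking rlpkg to adopt; with it enabled, an `unlabeled` context is reported as such rather than crashing the whole run.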

----------

## McEnroe

Well, you did save me some headache, thank you for that.

I have exactly the same problem. You helped a lot, but there is still something I don't understand:

How to actually enable SELinux?

----------

## Hu

SELinux must be compiled into your kernel.  Typically, it is configured to start at boot, but you might have disabled it.  What is the output of zgrep SELINUX /proc/config.gz?

----------

## McEnroe

```
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
# CONFIG_SECURITY_SELINUX_AVC_STATS is not set
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
```

----------

## Hu

That appears correct.  How do you know SELinux is not enabled?  Are you performing actions that should be denied by policy, but the action succeeds?  Is the /selinux mount point empty?

----------

## McEnroe

```
ls /selinux
access        class                 create            load    policyvers
avc           commit_pending_bools  disable           member  relabel
booleans      compat_net            enforce           mls     user
checkreqprot  context               initial_contexts  nul
```

The only thing where it seems to work is if I put the config file into enforcing mode...

Work is relative since it just outputs a kernel panic that something attempted to kill init...

----------

## Hu

Could you be more specific?  Any event which kills init is either a bug or a serious misconfiguration.  In either case, it needs to be fixed.

----------

## Sparky Bluefang

I encountered this same problem. "sestatus" kept telling me that it was disabled.

I noticed that the handbook (http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=3#doc_chap2) states that only the SELINUXTYPE=targeted mode is supported on Desktops. After changing that value and rebooting, SELinux started properly and allowed me to run rlpkg without problem.

Though I switched back to a non-SELinux install because I was running into problems with avc: denied errors when running commands like mount and modprobe during boot.

----------

## Hu

*Sparky Bluefang wrote:*

> Though I switched back to a non-SELinux install because I was running into problems with avc: denied errors when running commands like mount and modprobe during boot.

That typically indicates that there is a labeling error, or that some portion of the policy is missing.  To fix this, boot with SELinux enabled, but permissive.  That will still cause avc messages, but in permissive mode, the actions are not actually denied.  That will give you an unconfined environment from which you can examine the labels for correctness, check that all relevant policy is loaded, and perform any necessary relabeling.  If you still have problems, post the exact text of the avc message and the output of equery list sec-policy/.
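Hu's distinction between a labeling error and missing policy can be read straight off the avc record: the `tcontext` type tells you whether the object the process touched carried a usable label at all. The following is an added example, not code from the thread or from any SELinux tool, that parses avc lines in the kernel's `avc: denied { perm } for key=value ...` format and sorts each denial into "relabel" (target type is `unlabeled_t` or `file_t`, the types assigned to files without a label) or "policy" (everything else). The three sample lines are constructed; the pids, inodes, timestamps and paths are made up.

```python
import re

# Constructed sample avc records (not from the poster's machine); the
# mount/modprobe denials mirror what Sparky Bluefang described at boot.
SAMPLE_AVC = """\
audit(1196800000.123:4): avc:  denied  { read } for  pid=512 comm="mount" name="fstab" dev=sda3 ino=4242 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1196800000.456:5): avc:  denied  { module_request } for  pid=530 comm="modprobe" scontext=system_u:system_r:insmod_t tcontext=system_u:system_r:kernel_t tclass=system
audit(1196800001.789:6): avc:  granted  { setenforce } for  pid=600 comm="setenforce" scontext=system_u:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
"""

# 'avc:  denied  { read write } for  key=value key="quoted value" ...'
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types SELinux gives files that carry no usable label. A denial whose target
# has one of these is a labeling problem (fix by relabeling), not a policy gap.
UNLABELED_TYPES = {"unlabeled_t", "file_t"}


def parse_avc(line):
    """Return a dict of the avc record's fields, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def context_type(context):
    """Type field of a user:role:type[:level] context, or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def diagnose(rec):
    """'relabel' or 'policy' for a denial; None for non-denials or unparsable input."""
    if rec is None or rec["decision"] != "denied":
        return None
    if context_type(rec.get("tcontext", "")) in UNLABELED_TYPES:
        return "relabel"
    return "policy"


def summarize(log):
    """One row per denial: what ran, what it wanted, on which type, and the hint."""
    rows = []
    for line in log.splitlines():
        rec = parse_avc(line)
        hint = diagnose(rec)
        if hint is None:
            continue
        rows.append({
            "comm": rec.get("comm"),
            "perms": rec["perms"],
            "source": context_type(rec["scontext"]),
            "target": context_type(rec["tcontext"]),
            "tclass": rec.get("tclass"),
            "hint": hint,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_AVC):
        print(row)
```

Run in permissive mode, as Hu suggests, the same denials appear but nothing is blocked, so the "relabel" rows can be fixed with a relabel pass and the "policy" rows checked against the loaded policy modules before switching back to enforcing.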

----------

