# SELinux and context errors [solved]

## andrewd18

Just finished setting up a Gentoo Hardened box, using SELinux. Not sure if I have GRSecurity or PaX running... this is my first Hardened system, and I feel like I'm in way over my head. SELinux was running okay for a while... but something happened, I guess, after I ran emerge selinux-apache. Said something about how the policy wasn't loaded. Did a make load in /etc/security/selinux/src/policy, and it looked like it worked.

Well, now, whenever I try to emerge something, I get this:

```
/usr/sbin/setfiles: invalid context system_u:object_r:httpd:user_context_t on line number 530
/usr/sbin/setfiles: invalid context system_u:object_r:httpd:sys_context_t on line number 531
/usr/sbin/setfiles: invalid context system_u:object_r:httpd:sys_context_t on line number 532
/usr/sbin/setfiles: invalid context system_u:object_r:httpd:sys_context_t on line number 533
/usr/sbin/setfiles: invalid context system_u:object_r:httpd:sys_context_t on line number 534
/usr/sbin/setfiles: invalid context system_u:object_r:httpd:sys_context_t on line number 535
/usr/sbin/setfiles: invalid context system_u:object_r:httpd:sys_script_exec_t on line number 536
/usr/sbin/setfiles: invalid context system_u:object_r:httpd:sys_script_exec_t on line number 537
/usr/sbin/setfiles: invalid context system_u:object_r:httpd:sys_script_exec_t on line number 538
/usr/sbin/setfiles: invalid context system_u:object_r:httpd:sys_context_t on line number 539
```

I googled around and it looked like going to /etc/security/selinux/src/policy and doing a make clean && make && make load might fix it, so I did that, but it gives me other errors when trying to re-make it. I can pull those up if you want.

Everything seems to be working okay, despite this, but I can't emerge anything. And I still don't have mod_php installed yet...

I'm sure I'll eventually figure out all this SELinux stuff, but I'm still all confuzored...

~~ Andrew D.
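The setfiles errors above all have the same shape: a security context on a pre-MLS policy (policy version 18, as the sestatus output later in this thread shows) is exactly three colon-separated fields, `user:role:type`, and every rejected entry carries four (`system_u:object_r:httpd:user_context_t`). The script below is an added example, not code from the thread or from Gentoo; it parses setfiles' error lines, says what is wrong with each rejected context, and applies the same check to a file_contexts file so the offending entries can be located before the next `make load`. The `file_contexts` excerpt and the `_r`/`_t` naming-convention checks are my own assumptions, not something the posts state.

```python
"""Pinpoint why setfiles rejects a file-context entry (added example)."""
import re
from typing import Dict, List, Tuple

# setfiles error line as quoted in the post.
SETFILES_ERR = re.compile(
    r"^/usr/sbin/setfiles: invalid context (?P<ctx>\S+) on line number (?P<line>\d+)$"
)
# Identifiers allowed in a context field (assumption: policy identifiers are
# alphanumerics, underscore, dot and dash).
IDENT = re.compile(r"^[A-Za-z0-9_.-]+$")
# One file_contexts entry: regex, optional file-type flag (-d, --, ...), context.
FC_LINE = re.compile(r"^(?P<path>\S+)\s+(?:(?P<ftype>-[bcdlps-])\s+)?(?P<ctx>\S+)$")


def check_context(ctx: str) -> List[str]:
    """Return the problems found in a user:role:type context ([] if it looks valid).

    Pre-MLS policies take exactly three fields; an MLS policy would add a
    fourth range field, which is deliberately not handled here. The _r/_t
    suffix checks are reference-policy naming conventions, not hard rules.
    """
    fields = ctx.split(":")
    problems: List[str] = []
    if len(fields) != 3:
        problems.append(f"expected 3 fields (user:role:type), got {len(fields)}")
    for name, value in zip(("user", "role", "type"), fields):
        if not IDENT.match(value):
            problems.append(f"{name} field {value!r} is not a valid identifier")
    if len(fields) >= 2 and not fields[1].endswith("_r"):
        problems.append(f"role {fields[1]!r} does not end in _r")
    if len(fields) >= 3 and not fields[-1].endswith("_t"):
        problems.append(f"type {fields[-1]!r} does not end in _t")
    return problems


def parse_setfiles_errors(output: str) -> List[Tuple[int, str]]:
    """Extract (file_contexts line number, rejected context) pairs from setfiles output."""
    hits = []
    for line in output.splitlines():
        m = SETFILES_ERR.match(line.strip())
        if m:
            hits.append((int(m.group("line")), m.group("ctx")))
    return hits


def diagnose_setfiles(output: str) -> Dict[int, List[str]]:
    """Map each line number setfiles complained about to the problems in its context."""
    return {n: check_context(ctx) for n, ctx in parse_setfiles_errors(output)}


def check_file_contexts(text: str) -> Dict[int, List[str]]:
    """Validate every entry of a file_contexts file; returns {line_no: problems} for bad lines."""
    bad: Dict[int, List[str]] = {}
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            bad[no] = ["unparseable entry (expected: regex [-filetype] context)"]
            continue
        ctx = m.group("ctx")
        if ctx == "<<none>>":  # explicit "do not relabel" marker is always fine
            continue
        problems = check_context(ctx)
        if problems:
            bad[no] = problems
    return bad


# The first two error lines quoted in the post.
SAMPLE_SETFILES = """\
/usr/sbin/setfiles: invalid context system_u:object_r:httpd:user_context_t on line number 530
/usr/sbin/setfiles: invalid context system_u:object_r:httpd:sys_context_t on line number 531
"""

# Constructed file_contexts excerpt (not a real policy file): lines 4 and 5
# reproduce the four-field mistake, the others are well-formed.
SAMPLE_FC = "\n".join([
    "# constructed sample, not a real policy file",
    "/etc/httpd(/.*)?          system_u:object_r:httpd_config_t",
    "/var/www/html(/.*)?       system_u:object_r:httpd_sys_content_t",
    "/var/www/cgi-bin(/.*)? -d system_u:object_r:httpd:sys_script_exec_t",
    "/var/www/cgi-bin/.*    -- system_u:object_r:httpd:sys_script_exec_t",
    "/var/www/icons(/.*)?      <<none>>",
])

if __name__ == "__main__":
    for no, problems in diagnose_setfiles(SAMPLE_SETFILES).items():
        print(f"file_contexts line {no}: {'; '.join(problems)}")
    for no, problems in check_file_contexts(SAMPLE_FC).items():
        print(f"sample line {no}: {'; '.join(problems)}")
```

Run against the real file with `check_file_contexts(open("/etc/security/selinux/src/policy/file_contexts/file_contexts").read())` (path as used in the post); every reported line number is one setfiles would refuse, which is a quicker loop than re-running `make load` after each edit.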

----------

## andrewd18

I did some work on it tonight... turned out to be a BUNCH of things.

1) Did not do an etc-update after updating selinux-base-policy. Turns out there were 82 config files to be updated, and portage never told me.

2) The Makefile in /etc/security/selinux/src/policy was fscked up. Had a bunch of parameters for things like setpolicy that setpolicy doesn't have, and thus it would error out. I still haven't fixed them all... make install doesn't work yet (it's trying to read a directory, and complains that it's getting an empty file...), but I did a make policy and make load after editing out the bad options, and it seems to be working now.

I hope this helps someone... SELinux needs more documentation.

~~ Andrew D.

----------

## dashnu

I just installed SELinux also. I found everything to go pretty smoothly. I could recommend you put in your make.conf

```
FEATURES="loadpolicy"
```

Then all the provided policies will autoload each emerge.

I got tons of avc errors and I know once I take this puppy out of permissive mode nothing will run. Got any tips on that?

See ya

----------

## anfpunk

dashnu: Get the O'Reilly SELinux book. It'll help you out so you can get out of permissive mode. Once I get everything working how I want I'm going to try to get my desktop running in enforced. You can find the book for about $25 on Amazon.

----------

## andrewd18

Yeah, found out about "loadpolicy" after the mess had happened.

I think I'm going to pick up that book, even though I'm out of trouble and the machine is acting wonderfully now. Seems like a good investment... my other O'Reilly books have been indispensable.

~~ Andrew D.

----------

## dashnu

Guys, have you had any luck in getting out of permissive mode? I will order that book today but jesus.. I have so many avc errors it is not even funny. As soon as I switch to enforced mode pretty much nothing works.. I tried to rlpkg most of the troublesome pkgs with no luck.. Also are you using udev and did I fsck up by using udev.. a lot of my issues seem to be coming from it.

TIA..

SElinux confused d00d
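In permissive mode SELinux logs every denial but blocks nothing, so the avc messages piling up in the kernel log are exactly the list of what enforcing mode would break. The script below is an added example (not from the thread or from Gentoo) that groups those denials by source domain, target type, object class and permission, so "tons of avc errors" collapses into a short list of distinct policy gaps; it also flags denials whose target still carries a broad label such as `var_t` or `etc_t`, which usually means the file was never relabelled with the package's file contexts (the rlpkg route mentioned above) rather than a missing rule. The log lines are constructed samples in the kernel's audit format, and the `GENERIC_TYPES` heuristic is my own assumption.

```python
"""Summarise AVC denials from the kernel log before switching to enforcing (added example)."""
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

AVC = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (assumption): a target labelled with one of these broad
# "container" types usually means the object never received the
# package-specific label from file_contexts, so relabelling is the first
# thing to try before touching policy rules.
GENERIC_TYPES = {"etc_t", "var_t", "var_lib_t", "var_log_t", "usr_t", "bin_t", "device_t", "tmp_t"}


class Denial(NamedTuple):
    domain: str              # source process type, e.g. ntpd_t
    ttype: str               # target object type, e.g. etc_t
    tclass: str              # object class: file, dir, chr_file, ...
    perms: Tuple[str, ...]   # permissions that were denied
    comm: str                # program name
    target: str              # file name or path if the line carries one


def _type_of(context: str) -> str:
    """Third field of user:role:type; the context itself if it is malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one kernel-log line; returns None for lines that are not AVC denials."""
    m = AVC.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV.findall(m.group("kv"))}
    return Denial(
        domain=_type_of(kv.get("scontext", "?")),
        ttype=_type_of(kv.get("tcontext", "?")),
        tclass=kv.get("tclass", "?"),
        perms=tuple(sorted(m.group("perms").split())),
        comm=kv.get("comm", "?"),
        target=kv.get("name") or kv.get("path") or "?",
    )


Key = Tuple[str, str, str, Tuple[str, ...]]


def summarize(lines: List[str]) -> List[Tuple[Key, int]]:
    """Count distinct (domain, target type, class, permissions) tuples, most frequent first."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_avc(line)
        if d:
            counts[(d.domain, d.ttype, d.tclass, d.perms)] += 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def relabel_candidates(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Distinct (comm, target, target type) for denials whose target carries a generic label."""
    seen: List[Tuple[str, str, str]] = []
    for line in lines:
        d = parse_avc(line)
        if d and d.ttype in GENERIC_TYPES:
            entry = (d.comm, d.target, d.ttype)
            if entry not in seen:
                seen.append(entry)
    return seen


# Constructed sample log lines (not captured from a real system); the first
# line shows that non-AVC kernel messages are ignored.
SAMPLE_LOG = [
    "SELinux: initialized (dev hda3, type ext3), uses xattr",
    'audit(1117468800.123:12): avc:  denied  { read } for  pid=1234 comm="ntpd" name="ntp.conf" dev=hda3 ino=4052 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:etc_t tclass=file',
    'audit(1117468800.456:13): avc:  denied  { read } for  pid=1234 comm="ntpd" name="ntp.conf" dev=hda3 ino=4052 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:etc_t tclass=file',
    'audit(1117468801.001:14): avc:  denied  { search } for  pid=2001 comm="squid" name="squid" dev=hda3 ino=9001 scontext=system_u:system_r:squid_t tcontext=system_u:object_r:var_t tclass=dir',
    'audit(1117468801.002:15): avc:  denied  { write } for  pid=2001 comm="squid" name="cache.log" dev=hda3 ino=9002 scontext=system_u:system_r:squid_t tcontext=system_u:object_r:var_t tclass=file',
    'audit(1117468802.000:16): avc:  denied  { setattr } for  pid=88 comm="udev" name="ttyS0" dev=tmpfs ino=77 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tty_device_t tclass=chr_file',
]

if __name__ == "__main__":
    for (domain, ttype, tclass, perms), n in summarize(SAMPLE_LOG):
        print(f"{n:4d}  {domain:<12} -> {ttype:<16} {tclass:<9} {{ {' '.join(perms)} }}")
    print("relabel candidates:", relabel_candidates(SAMPLE_LOG))
```

Feed it the real thing with `summarize(open("/var/log/messages").read().splitlines())`; each remaining line after relabelling is a rule the policy genuinely lacks, which is a far shorter list to take to #gentoo-hardened than the raw log.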

----------

## andrewd18

As far as I know, UDEV and SELinux pretty much hate each other. I would have LOVED to use UDEV, but for now I'm using devfsd, which sucks, but doesn't give me avc errors.

I only get one or two avc errors, and that's on bootup. After I get those resolved, I'll try out enforcing.

~~ Andrew D.

----------

## dashnu

oh great.. What services do you run on the box.. I run the following

NTPD
VPN
DHCP
DNS
IPTABLES
SQUID

afaik all of these have policies

I am in a world of hurt.. I guess I will run in permissive mode for a while.

----------

## andrewd18

I run:

ntpd
apache2
mod_php
mediawiki
openssh

All of 'em work fine now that I've got the FEATURES="loadpolicy" option in my make.conf. Had a few issues when I tried installing MYSQL, but that turned out to be something really odd. Ended up emerge -C mysql, removing all the config files, re-emerging, and then re-hand-configuring it.

~~ Andrew D.

----------

## dashnu

lost....

*Quote:*

> Devfs is no longer usable in SELinux

http://www.gentoo.org/proj/en/hardened/selinux/selinux-sparc64-handbook.xml?part=2&chap=2&style=printable

some guy in #gentoo-hardened

*Quote:*

> devfs cannot be used, and udev can be used, but it's not really ready yet, the best option for now is a static dev

err i am going to try this gentoo=nodevfs and see what happens.

----------

## andrewd18

LOL, whatever. All I know is, my system isn't running udev, so I thought the only alternative was devfs. (Maybe it's devpts?)

But he's right, UDEV just ain't ready.

~~ Andrew D.

----------

## dashnu

will you do a couple things for me PLEASE... I am gonna break this fucking server in about ten minutes.

Post your /etc/conf.d/rc

post the output of emerge -p devfsd udev

Post the output of sestatus -v (what policy what kernel ?)

what profile are you linked to..   ls -l /etc/make.profile

There is NO fucking support for selinux, drives a sane man crazy...

Thanks very much.

edit** and your grub or lilo config

----------

## andrewd18

Sure, no problem.

```
# /etc/conf.d/rc: Global config file for the Gentoo RC System
# $Header: /var/cvsroot/gentoo-src/rc-scripts/etc/conf.d/rc,v 1.20.2.7 2005/05/17 00:12:03 vapier Exp $

# This is the number of tty's used in most of the rc-scripts (like
# consolefont, numlock, etc ...)
RC_TTY_NUMBER=11

# Set to "yes" if you want the rc system to try and start services
# in parallel for a slight speed improvement.
RC_PARALLEL_STARTUP="no"

# RC_NET_STRICT_CHECKING allows some flexibility with the 'net' service.
# The following values are allowed:
#  none  - The 'net' service is always considered up.
#  no    - This basically means that at least one net.* service besides net.lo
#          must be up.  This can be used by notebook users that have a wifi and
#          a static nic, and only wants one up at any given time to have the
#          'net' service seen as up.
#  lo    - This is the same as the 'no' option, but net.lo is also counted.
#          This should be useful to people that do not care about any specific
#          interface being up at boot.
#  yes   - For this ALL network interfaces MUST be up for the 'net' service to
#          be considered up.
RC_NET_STRICT_CHECKING="no"

# RC_VOLUME_ORDER allows you to specify, or even remove the volume setup
# for various volume managers (MD, EVMS2, LVM, DM, etc).  Note that the are
# stopped in reverse order.
RC_VOLUME_ORDER="raid evms lvm dm"

# RC_USE_FSTAB allows you to override the default mount options for the
# standard /proc, /sys, /dev, and /dev/pts mount points.  Note that this
# is the new way for selecting ramfs/tmpfs/etc... for udev mounting.
RC_USE_FSTAB="no"

# RC_FORCE_AUTO tries its best to prevent user interaction during the boot and
# shutdown process.  For example, fsck will automatically be run or volumes
# remounted to create proper directory trees.  This feature can be dangerous
# and is meant ONLY for headless machines where getting a physical console
# hooked up is a huge pita.
RC_FORCE_AUTO="no"

# Use this variable to control the /dev management behavior.
#  auto   - let the scripts figure out what's best at boot
#  devfs  - use devfs (requires sys-fs/devfsd)
#  udev   - use udev (requires sys-fs/udev)
#  static - let the user manage /dev
RC_DEVICES="auto"

# UDEV OPTION:
# Set to "yes" if you want to save /dev to a tarball on shutdown
# and restore it on startup.  This is useful if you have a lot of
# custom device nodes that udev does not handle/know about.
RC_DEVICE_TARBALL="yes"

#
# Controlling start-stop-daemon behavior
#
# NOTE: most of these are not in use yet!!
#

# Set to "yes" if stop-daemon() should always retry killing the
# service if it fails the first time.
RC_RETRY_KILL="yes"

# Set the amount of seconds stop-daemon() should wait between
# retries.  $RC_RETRY_KILL should be set to "yes".
RC_RETRY_TIMEOUT=1

# Set the amount of times stop-daemon() should try to kill
# a service before giving up.  $RC_RETRY_KILL should be set to "yes".
RC_RETRY_COUNT=5

# Set to "yes" if stop-daemon() should fail if the service
# is marked as started, but not actually running on stop.
RC_FAIL_ON_ZOMBIE="no"

#
# Internal configuration variables
#
# NB:  These are for advanced users, and you should really
#      know what you are doing before changing them!
#

# rc-scripts dep-cache directory
#
# NOTE:  Do not remove the next line, as its needed by the baselayout ebuild!
#
#  svcdir="/var/lib/init.d"
svcdir="/var/lib/init.d"

# Should we mount $svcdir in a ram disk for some speed increase
# for slower machines, or for the more extreme setups ?
svcmount="no"

# FS type that should be used for $svcdir.  Note that you need
# $svcmount above set to "yes" for this to work ...  Currently
# tmpfs, ramfs, and ramdisk are supported (tmpfs is the default).
svcfstype="tmpfs"

# Size of $svcdir in KB.  Note that ramfs doesn't support this
# due to kernel limitations.
svcsize=2048
```

I must be using /dev/pts, because neither devfsd nor udev is installed.

```
HP ~ # emerge -p devfsd udev

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild  N    ] sys-fs/devfsd-1.3.25-r8
[ebuild  N    ] sys-fs/udev-056
```

sestatus -v

```
HP ~ # sestatus -v
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           permissive
Policy version:         18

Policy booleans:
secure_mode             inactive
ssh_sysadm_login        inactive
user_ping               inactive

Process contexts:
Current context:        root:staff_r:staff_t
Init context:           system_u:system_r:init_t
/sbin/agetty            system_u:system_r:getty_t
/usr/sbin/sshd          system_u:system_r:sshd_t

File contexts:
Controlling term:       root:object_r:staff_devpts_t
/sbin/init              system_u:object_r:init_exec_t
/sbin/agetty            system_u:object_r:getty_exec_t
/bin/login              system_u:object_r:login_exec_t
/sbin/rc                system_u:object_r:initrc_exec_t
/sbin/runscript.sh      system_u:object_r:initrc_exec_t
/usr/sbin/sshd          system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd       system_u:object_r:chkpwd_exec_t
/etc/passwd             system_u:object_r:etc_t
/etc/shadow             system_u:object_r:shadow_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash               system_u:object_r:shell_exec_t
/bin/sash               system_u:object_r:shell_exec_t
/usr/bin/newrole        system_u:object_r:newrole_exec_t
/usr/X11R6/bin/xdm      system_u:object_r:bin_t
/lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t
```

Make.profile... looks like I'm a little old... maybe I should update to 2005.1... *edit* Just read on the gentoo hardened mailing list (thank you Google) that nobody should be using the 2005.1 hardened profile yet.

```
HP ~ # ls -l /etc/make.profile
lrwxrwxrwx  1 root root 51 May 29 06:37 /etc/make.profile -> ../usr/portage/profiles/selinux/2004.1/x86/hardened
```

~~ Andrew D.
