Yesterday I upgraded my SELinux policy & tools on my FC13 machine to bring it up to date with what is distributed with FC15 and later on did a similar upgrade to the kernel as well (.38 - the latest released for FC15), but SELinux is experiencing a few issues with the kernel. Here is what I've upgraded:
old: policycoreutils-python-2.0.83-33.8 policycoreutils-2.0.83-33.8 selinux-policy-3.7.19-101 selinux-policy-targeted-3.7.19-101 libsemanage-2.0.45-1 libsemanage-devel-2.0.45-1 libsemanage-static-2.0.45-1 libsemanage-python-2.0.45-1 libselinux-python-2.0.94-2 libselinux-2.0.94-2 libselinux-devel-2.0.94-2 libselinux-utils-2.0.94-2 libsepol-2.0.41-3 libsepol-devel-2.0.41-3 libsepol-static-2.0.41-3
new: policycoreutils-python-2.0.86-7 policycoreutils-2.0.86-7 policycoreutils-gui-2.0.86-7 policycoreutils-newrole-2.0.86-7 policycoreutils-restorecond-2.0.86-7 selinux-policy-3.9.16-26 selinux-policy-targeted-3.9.16-26 libsemanage-2.0.46-4 libsemanage-devel-2.0.46-4 libsemanage-static-2.0.46-4 libsemanage-python-2.0.46-4 libselinux-python-2.0.99-4 libselinux-2.0.99-4 libselinux-devel-2.0.99-4 libselinux-utils-2.0.99-4 libsepol-2.0.42-2 libsepol-devel-2.0.42-2 libsepol-static-2.0.42-2
Most of the new SELinux policy & tools above have been compiled from source - successfully - using the source rpm and just running rpmbuild with no changes to the .spec file. Everything installed OK, though when I recompiled and upgraded the kernel, it does boot up and works OK, though I have this in my syslog from SELinux:
kernel: dracut: Loading SELinux policy
kernel: type=1404 audit(1308450301.855:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
kernel: SELinux: Permission audit_access in class file not defined in policy.
kernel: SELinux: Permission audit_access in class dir not defined in policy.
kernel: SELinux: Permission execmod in class dir not defined in policy.
kernel: SELinux: Permission audit_access in class lnk_file not defined in policy.
kernel: SELinux: Permission open in class lnk_file not defined in policy.
kernel: SELinux: Permission execmod in class lnk_file not defined in policy.
kernel: SELinux: Permission audit_access in class chr_file not defined in policy.
kernel: SELinux: Permission audit_access in class blk_file not defined in policy.
kernel: SELinux: Permission execmod in class blk_file not defined in policy.
kernel: SELinux: Permission audit_access in class sock_file not defined in policy.
kernel: SELinux: Permission execmod in class sock_file not defined in policy.
kernel: SELinux: Permission audit_access in class fifo_file not defined in policy.
kernel: SELinux: Permission execmod in class fifo_file not defined in policy.
kernel: SELinux: Permission syslog in class capability2 not defined in policy.
kernel: SELinux: the above unknown classes and permissions will be allowed
kernel: type=1403 audit(1308450302.288:3): policy loaded auid=4294967295 ses=4294967295
What could be the reason for this?
I remember getting similar messages when I attempted to upgrade the kernel a couple of months ago from .34 to .37 - I had similar "not defined in policy" messages then from what I remember, though they were just a couple and certainly not the amount I am getting above. Is there any way I could rectify this *without* doing a full upgrade to FC15?
On 06/19/2011 07:21 PM, Mr Dash Four wrote:
> Yesterday I upgraded my SELinux policy & tools on my FC13 machine to bring it up to date with what is distributed with FC15 and later on did a similar upgrade to the kernel as well (.38 - the latest released for FC15), but SELinux is experiencing a few issues with the kernel. Here is what I've upgraded:
>
> old: policycoreutils-python-2.0.83-33.8 policycoreutils-2.0.83-33.8 selinux-policy-3.7.19-101 selinux-policy-targeted-3.7.19-101 libsemanage-2.0.45-1 libsemanage-devel-2.0.45-1 libsemanage-static-2.0.45-1 libsemanage-python-2.0.45-1 libselinux-python-2.0.94-2 libselinux-2.0.94-2 libselinux-devel-2.0.94-2 libselinux-utils-2.0.94-2 libsepol-2.0.41-3 libsepol-devel-2.0.41-3 libsepol-static-2.0.41-3
>
> new: policycoreutils-python-2.0.86-7 policycoreutils-2.0.86-7 policycoreutils-gui-2.0.86-7 policycoreutils-newrole-2.0.86-7 policycoreutils-restorecond-2.0.86-7 selinux-policy-3.9.16-26 selinux-policy-targeted-3.9.16-26 libsemanage-2.0.46-4 libsemanage-devel-2.0.46-4 libsemanage-static-2.0.46-4 libsemanage-python-2.0.46-4 libselinux-python-2.0.99-4 libselinux-2.0.99-4 libselinux-devel-2.0.99-4 libselinux-utils-2.0.99-4 libsepol-2.0.42-2 libsepol-devel-2.0.42-2 libsepol-static-2.0.42-2
>
> Most of the new SELinux policy & tools above have been compiled from source - successfully - using the source rpm and just running rpmbuild with no changes to the .spec file. Everything installed OK, though when I recompiled and upgraded the kernel, it does boot up and works OK, though I have this in my syslog from SELinux:
>
> kernel: dracut: Loading SELinux policy
> kernel: type=1404 audit(1308450301.855:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
> kernel: SELinux: Permission audit_access in class file not defined in policy.
> kernel: SELinux: Permission audit_access in class dir not defined in policy.
> kernel: SELinux: Permission execmod in class dir not defined in policy.
> kernel: SELinux: Permission audit_access in class lnk_file not defined in policy.
> kernel: SELinux: Permission open in class lnk_file not defined in policy.
> kernel: SELinux: Permission execmod in class lnk_file not defined in policy.
> kernel: SELinux: Permission audit_access in class chr_file not defined in policy.
> kernel: SELinux: Permission audit_access in class blk_file not defined in policy.
> kernel: SELinux: Permission execmod in class blk_file not defined in policy.
> kernel: SELinux: Permission audit_access in class sock_file not defined in policy.
> kernel: SELinux: Permission execmod in class sock_file not defined in policy.
> kernel: SELinux: Permission audit_access in class fifo_file not defined in policy.
> kernel: SELinux: Permission execmod in class fifo_file not defined in policy.
> kernel: SELinux: Permission syslog in class capability2 not defined in policy.
> kernel: SELinux: the above unknown classes and permissions will be allowed
> kernel: type=1403 audit(1308450302.288:3): policy loaded auid=4294967295 ses=4294967295
>
> What could be the reason for this?
>
> I remember getting similar messages when I attempted to upgrade the kernel a couple of months ago from .34 to .37 - I had similar "not defined in policy" messages then from what I remember, though they were just a couple and certainly not the amount I am getting above. Is there any way I could rectify this *without* doing a full upgrade to FC15?
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Lines like

    Permission audit_access in class file not defined in policy.

mean the kernel understands what audit_access means but the policy does not mention it.

Looks like you are loading a policy that is older than the kernel. I would make sure your FC15 policy is compiled and installed correctly.
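As an added illustration of the check behind this reply (example code written for this page, not anything posted in the thread): the script below pulls every "Permission X in class Y not defined in policy" pair out of kernel log text, records whether the kernel said it will *allow* or *deny* those unknown permissions, and then asks the running system whether the currently loaded policy defines each pair. It assumes selinuxfs is mounted at /sys/fs/selinux (override with SELINUXFS) and that, as on current kernels, the class/<class>/perms/ tree there reflects the loaded policy rather than the kernel's built-in list; the sample log is constructed from the messages quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): triage SELinux "not defined in policy"
# kernel messages. Assumptions: selinuxfs is mounted at /sys/fs/selinux
# (override with SELINUXFS) and it exposes the classes and permissions of the
# *loaded* policy under class/<class>/perms/.
SELINUXFS="${SELINUXFS:-/sys/fs/selinux}"

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG='kernel: dracut: Loading SELinux policy
kernel: SELinux: Permission audit_access in class file not defined in policy.
kernel: SELinux: Permission execmod in class dir not defined in policy.
kernel: SELinux: Permission open in class lnk_file not defined in policy.
kernel: SELinux: Permission syslog in class capability2 not defined in policy.
kernel: SELinux: the above unknown classes and permissions will be allowed
kernel: type=1403 audit(1308450302.288:3): policy loaded auid=4294967295 ses=4294967295'

# Read kernel log text on stdin, print one "class permission" pair per line.
extract_missing_perms() {
    sed -n 's/.*SELinux: Permission \([A-Za-z0-9_]*\) in class \([A-Za-z0-9_]*\) not defined in policy\..*/\2 \1/p'
}

# Number of missing pairs in the log text given as $1.
count_missing() {
    printf '%s\n' "$1" | extract_missing_perms | wc -l | tr -d ' '
}

# What the kernel does with permissions the policy does not define, taken from
# the log text on stdin: "allow" (the case in the thread: every such access is
# granted without a policy rule ever saying so), "deny", or "none" if not logged.
unknown_handling() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'unknown classes and permissions will be allowed'; then
        echo allow
    elif printf '%s\n' "$log" | grep -q 'unknown classes and permissions will be denied'; then
        echo deny
    else
        echo none
    fi
}

# Exit 0 if the loaded policy defines permission $2 in class $1, else 1.
# $3 optionally points at a different selinuxfs root (used for testing).
perm_defined() {
    [ -e "${3:-$SELINUXFS}/class/$1/perms/$2" ]
}

# For every pair the kernel complained about in log text $1, say whether the
# policy currently loaded (under selinuxfs root $2) defines it. Pairs reported
# "still missing" mean the loaded policy really is older than the kernel.
triage() {
    fs="${2:-$SELINUXFS}"
    printf '%s\n' "$1" | extract_missing_perms | while read -r cls perm; do
        if perm_defined "$cls" "$perm" "$fs"; then
            echo "defined now:   $cls $perm"
        else
            echo "still missing: $cls $perm"
        fi
    done
}

# Runs against the sample when executed directly; on a live box use e.g.
#   triage "$(dmesg)"   or   triage "$(grep 'SELinux: Permission' /var/log/messages)"
echo "unknown permissions are: $(printf '%s\n' "$SAMPLE_LOG" | unknown_handling)"
triage "$SAMPLE_LOG"
```

If every pair comes back "still missing" after a reboot, the policy that was loaded is the one that lacks the definitions, which is exactly the "older than the kernel" situation; if they come back "defined now", a newer policy has since been loaded and the messages are stale. The "allow" verdict is the part worth acting on: with that setting the kernel grants the unknown permissions rather than denying them, so the gap is silent in normal operation.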
> Looks like you are loading a policy that is older than the kernel. I would make sure your FC15 policy is compiled and installed correctly.
Interesting! I downloaded, compiled and installed the latest FC15 policy - from a source rpm - so I am unclear as to how that is possible. I did look briefly at the source to check whether some of the permissions mentioned were defined and they were indeed there.
Should I recompile and install the policy again or is there another way of looking whether the policy was installed properly (sesearch maybe?)?
On 06/20/2011 07:32 AM, Mr Dash Four wrote:
> > Looks like you are loading a policy that is older than the kernel. I would make sure your FC15 policy is compiled and installed correctly.
>
> Interesting! I downloaded, compiled and installed the latest FC15 policy - from a source rpm - so I am unclear as to how that is possible. I did look briefly at the source to check whether some of the permissions mentioned were defined and they were indeed there.
>
> Should I recompile and install the policy again or is there another way of looking whether the policy was installed properly (sesearch maybe?)?
See if you can use sesearch/seinfo to search for the access that the kernel is not using.
I have no idea why your build would be different. You might want to grab the real package and see if you see the same problem.
> See if you can use sesearch/seinfo to search for the access that the kernel is not using.
Right, thanks, I'll do that!
> I have no idea why your build would be different. You might want to grab the real package and see if you see the same problem.
That was the first thing I tried - it didn't work as that rpm has python 2.7 dependencies (FC13 comes with 2.6.4, I think) and in order to upgrade python2 I would need to upgrade almost everything on that machine, so that for me, at least at this stage, is a no-go. I got away with it, because I installed all python3 packages instead (there were very little dependencies involved) and compiled most of the SELinux tools (from source rpm) that way.
> See if you can use sesearch/seinfo to search for the access that the kernel is not using.
>
> Right, thanks, I'll do that!
sesearch did *not* work - I've had a fatal error (something about "invalid dom used" or something) - that was simply because I was using the old version of setools (the one coming with FC13). I then thought, rather naively as it turned out, that I would be able to recompile the setools set of packages as easily as I did the rest during the weekend. How wrong was I!
I've spent about 5 hours applying the most dirty and hideous hacks I haven't used since my university days, but in the end *all* setools packages were forced into submission and asked, not-so-politely, to use and link to python3 instead of the version I have on my FC13 system (2.6.4), thus bypassing the python 2.7 requirement for compilation and build.
After I installed the relevant setools-* packages, I executed sesearch again. It ran OK this time, but returned no matches - unsurprising, given that the kernel was complaining of lack of these in the policy.
Then I decided to recompile the policy again - from source - and during the build I realised the cause of these kernel errors: I installed my libsemanage packages *after* I had built and installed the new SELinux policy, which means that the selinux-policy-* packages were built and installed using my old libsemanage packages (the ones coming with FC13).
I also remembered that I had a weird error when I tried to install selinux-policy-targeted (something about libsemanage.semanage_link_sandbox: Link packages failed - No such file or directory), though I did not pay attention to it at the time as the package was installed "correctly".
When I recompiled and installed the policy again (though I had to bump the version number from 26 to 27 to prevent rpm screaming at me) using the new version of all conceivable SELinux packages, bar the gui ones, all went well; during installation of selinux-policy-targeted I even had my system relabelled (that was missing with the previous run - probably because of the error I got) and at the end everything was completed without any errors.
When I subsequently rebooted and checked my syslog again - the kernel errors were gone! Problem solved!
Now I have the rather unpleasant task of upgrading my own customised policy from the FC13 to FC15 version. Are there any changes from FC13 to FC15 in terms of the language syntax or anything else I need to be aware of before I start?
On 06/20/2011 07:27 PM, Mr Dash Four wrote:
> > See if you can use sesearch/seinfo to search for the access that the kernel is not using.
> >
> > Right, thanks, I'll do that!
>
> sesearch did *not* work - I've had a fatal error (something about "invalid dom used" or something) - that was simply because I was using the old version of setools (the one coming with FC13). I then thought, rather naively as it turned out, that I would be able to recompile the setools set of packages as easily as I did the rest during the weekend. How wrong was I!
>
> I've spent about 5 hours applying the most dirty and hideous hacks I haven't used since my university days, but in the end *all* setools packages were forced into submission and asked, not-so-politely, to use and link to python3 instead of the version I have on my FC13 system (2.6.4), thus bypassing the python 2.7 requirement for compilation and build.
>
> After I installed the relevant setools-* packages, I executed sesearch again. It ran OK this time, but returned no matches - unsurprising, given that the kernel was complaining of lack of these in the policy.
>
> Then I decided to recompile the policy again - from source - and during the build I realised the cause of these kernel errors: I installed my libsemanage packages *after* I had built and installed the new SELinux policy, which means that the selinux-policy-* packages were built and installed using my old libsemanage packages (the ones coming with FC13).
>
> I also remembered that I had a weird error when I tried to install selinux-policy-targeted (something about libsemanage.semanage_link_sandbox: Link packages failed - No such file or directory), though I did not pay attention to it at the time as the package was installed "correctly".
>
> When I recompiled and installed the policy again (though I had to bump the version number from 26 to 27 to prevent rpm screaming at me) using the new version of all conceivable SELinux packages, bar the gui ones, all went well; during installation of selinux-policy-targeted I even had my system relabelled (that was missing with the previous run - probably because of the error I got) and at the end everything was completed without any errors.
>
> When I subsequently rebooted and checked my syslog again - the kernel errors were gone! Problem solved!
>
> Now I have the rather unpleasant task of upgrading my own customised policy from the FC13 to FC15 version. Are there any changes from FC13 to FC15 in terms of the language syntax or anything else I need to be aware of before I start?
Not that I recall. F16 will add new stuff.