<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
<link REL="shortcut icon" HREF="favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Handbook Page</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Unable To Load SELinux Policy</p>
<p class="secthead"><a name="doc_chap1_sect1">Problem Description</a></p>
<p>
If you notice that SELinux is not functioning at all, a quick run of
<span class="code" dir="ltr">sestatus</span> tells you whether SELinux is enabled and a policy is loaded.
If you get the following output, no SELinux policy is loaded:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.1: sestatus output</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
SELinux status:                disabled
</pre></td></tr>
</table>
<p>
If this is the case, read on in this section to find out how to troubleshoot and
resolve this.
</p>
<p class="secthead"><a name="doc_chap1_sect1">No Policy Installed</a></p>
<p>
One potential reason would be that there is no policy to load to begin with.
Take a look inside <span class="path" dir="ltr">/usr/share/selinux/strict</span> or
<span class="path" dir="ltr">/usr/share/selinux/targeted</span> (depending on your configuration) and
look for a file called <span class="path" dir="ltr">base.pp</span>. If no such file exists, you will
need to install the base policy. This policy is offered by the
<span class="path" dir="ltr">sec-policy/selinux-base-policy</span> package, but it is better to read up
on the chapter regarding <span title="Link to other book part not available"><font color="#404080">(Gentoo SELinux
Installation / Conversion)</font></span>, since other important changes might be missing as well.
</p>
<p class="secthead"><a name="doc_chap1_sect1">Policy Not Loaded</a></p>
<p>
If the <span class="path" dir="ltr">base.pp</span> file exists in
<span class="path" dir="ltr">/usr/share/selinux/strict</span> (or <span class="path" dir="ltr">targeted/</span>), take a look
inside <span class="path" dir="ltr">/etc/selinux/strict/policy</span>. This location too should contain
a <span class="path" dir="ltr">base.pp</span> policy module (when a SELinux policy is loaded, it is
copied from the first location to the second).
</p>
<p>
If no <span class="path" dir="ltr">base.pp</span> file exists, install and load the policy:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.2: Installing the base policy</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">semodule -n -B</span>
</pre></td></tr>
</table>
<p>
This is a one-time operation - once installed and loaded, it will be reloaded
upon every reboot.
</p>
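<p>
The two checks above (is <span class="path" dir="ltr">base.pp</span> present under
<span class="path" dir="ltr">/usr/share/selinux/&lt;type&gt;</span>, and has it been copied to
<span class="path" dir="ltr">/etc/selinux/&lt;type&gt;/policy</span>) can be scripted. The function below is an
added example and not part of the handbook or the Gentoo tools; the optional root-prefix argument is an
assumption introduced here so the check can be run against a scratch directory tree instead of the live
system. Its exit status tells you which remedy from this section applies.
</p>

```shell
#!/bin/sh
# Added example (not from the Gentoo handbook): run the "No Policy Installed"
# and "Policy Not Loaded" checks for one policy type (strict or targeted).
# The second argument is a hypothetical root prefix (default: empty, i.e. the
# live system) so the function can be exercised on a scratch directory tree.
#
# Exit status: 0 = base.pp installed and loaded
#              1 = base.pp not installed (install sec-policy/selinux-base-policy)
#              2 = base.pp installed but never loaded (run: semodule -n -B)
check_base_policy() {
    ptype="${1:-strict}"   # policy type named on the page: strict or targeted
    root="${2:-}"          # hypothetical prefix for offline testing
    share="$root/usr/share/selinux/$ptype/base.pp"
    loaded="$root/etc/selinux/$ptype/policy/base.pp"

    if [ ! -f "$share" ]; then
        echo "No base policy installed: $share is missing."
        echo "Install sec-policy/selinux-base-policy (see the installation chapter)."
        return 1
    fi
    if [ ! -f "$loaded" ]; then
        echo "Base policy present but not loaded: $loaded is missing."
        echo "Install and load it once with: semodule -n -B"
        return 2
    fi
    echo "Base policy installed and loaded for the '$ptype' policy type."
    return 0
}

# Stand-alone use: ./check_base_policy.sh strict   (or: targeted)
if [ $# -gt 0 ]; then check_base_policy "$@"; fi
```

<p>
Run it with the policy type your profile uses; a status of 2 is the case this section resolves with
<span class="code" dir="ltr">semodule -n -B</span>, while 1 sends you back to the installation chapter.
</p>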
<p class="secthead"><a name="doc_chap1_sect1">Init Can Not Load the SELinux Policy</a></p>
<p>
During system boot, the <span class="code" dir="ltr">init</span> process is responsible for loading and
interacting with the SELinux policy in memory. If <span class="code" dir="ltr">init</span> does not support
SELinux, you will get no SELinux support in your environment.
</p>
<p>
To verify whether <span class="code" dir="ltr">init</span> supports SELinux, check whether it is linked against the
<span class="path" dir="ltr">libselinux.so</span> shared object:
</p>
<a name="doc_chap1_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing 1.3: Checking if init supports SELinux</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">ldd /sbin/init</span>
        linux-vdso.so.1 =&gt;  (0x00006ace30e84000)
	<span class="code-comment">( You should see something similar to the following line: )</span>
        libselinux.so.1 =&gt; /lib/libselinux.so.1 (0x00006ace30a46000)
        libc.so.6 =&gt; /lib/libc.so.6 (0x00006ace306e9000)
        libdl.so.2 =&gt; /lib/libdl.so.2 (0x00006ace304e5000)
        /lib64/ld-linux-x86-64.so.2 (0x00006ace30c68000)
</pre></td></tr>
</table>
<p>
If this is not the case, make sure that <span class="code" dir="ltr">emerge --info</span> shows that the
selinux USE flag is in place, and reinstall <span class="path" dir="ltr">sys-apps/sysvinit</span>. If
the selinux USE flag is not in place, check your Gentoo profile and make sure it
points to a <span class="path" dir="ltr">selinux/v2refpolicy/...</span> profile.
</p>
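<p>
Reading the <span class="code" dir="ltr">ldd</span> output by eye works, but the check is easy to get wrong on a
long dependency list. The following added example (not part of the handbook) matches the
<span class="path" dir="ltr">libselinux.so</span> entry in <span class="code" dir="ltr">ldd</span> output and reports the
remedy given above when it is absent. The two sample outputs are constructed from the listing above, with the
<span class="path" dir="ltr">libselinux.so.1</span> line removed from the second.
</p>

```shell
#!/bin/sh
# Added example (not from the Gentoo handbook): decide from `ldd` output
# whether a binary is linked against libselinux, as the page does for /sbin/init.

# Read ldd output on stdin; succeed when a libselinux.so entry is present.
ldd_links_libselinux() {
    # The library name must start the (whitespace-trimmed) line and be followed
    # by "=>", so a mention elsewhere on a line does not count as a match.
    grep -Eq '^[[:space:]]*libselinux\.so(\.[0-9]+)?[[:space:]]+=>'
}

# Run ldd on a binary (default /sbin/init) and print the verdict, with the
# fix the page gives when the library is missing.
check_init_selinux() {
    bin="${1:-/sbin/init}"
    if ldd "$bin" 2>/dev/null | ldd_links_libselinux; then
        echo "$bin is linked against libselinux: init can load the policy."
        return 0
    fi
    echo "$bin does not use libselinux.so."
    echo "Check that 'emerge --info' shows the selinux USE flag (selinux/v2refpolicy profile), then reinstall sys-apps/sysvinit."
    return 1
}

# Constructed sample: the ldd output shown on the page.
SAMPLE_LDD_OK='        linux-vdso.so.1 =>  (0x00006ace30e84000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00006ace30a46000)
        libc.so.6 => /lib/libc.so.6 (0x00006ace306e9000)
        libdl.so.2 => /lib/libdl.so.2 (0x00006ace304e5000)
        /lib64/ld-linux-x86-64.so.2 (0x00006ace30c68000)'

# Constructed sample: the same init without SELinux support.
SAMPLE_LDD_MISSING='        linux-vdso.so.1 =>  (0x00006ace30e84000)
        libc.so.6 => /lib/libc.so.6 (0x00006ace306e9000)
        libdl.so.2 => /lib/libdl.so.2 (0x00006ace304e5000)
        /lib64/ld-linux-x86-64.so.2 (0x00006ace30c68000)'

# Succeed only if the first sample is recognised as linked and the second as not.
demo_samples() {
    printf '%s\n' "$SAMPLE_LDD_OK" | ldd_links_libselinux || return 1
    if printf '%s\n' "$SAMPLE_LDD_MISSING" | ldd_links_libselinux; then return 1; fi
    return 0
}

# Stand-alone use: ./check_init_selinux.sh /sbin/init
if [ $# -gt 0 ]; then check_init_selinux "$1"; fi
```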
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
            </span>Unable to Log On</p>
<p class="secthead"><a name="doc_chap1_sect1">Problem Description</a></p>
<p>
If you are unable to log on in a particular situation (remote, local, as root,
as regular user, ...) there are a few possible problems which you might have
hit. However, to resolve them you'll need to be able to log on to the system as
<span class="emphasis">sysadm_r</span> in one way or the other.
</p>
<p>
If you cannot log in as a <span class="emphasis">sysadm_r</span> user, put SELinux in permissive mode (boot with
<span class="code" dir="ltr">enforcing=0</span>) so that no SELinux denials are enforced. Changes that you
make in permissive mode are just as effective as in enforcing mode.
</p>
<p class="secthead"><a name="doc_chap1_sect1">Incorrect Context</a></p>
<p>
In the majority of cases you will find that a security context is incorrect. Run
<span class="code" dir="ltr">sestatus -v</span> and compare the <span class="emphasis">Process contexts</span> or <span class="emphasis">File
contexts</span> that you see in the output with the next table.
</p>
<table class="ntable">
<tr>
  <td class="infohead"><b>Process</b></td>
  <td class="infohead"><b>Context</b></td>
  <td class="infohead"><b>If wrong context...</b></td>
</tr>
<tr>
  <td class="tableinfo">Init context</td>
  <td class="tableinfo">system_u:system_r:init_t</td>
  <td class="tableinfo">
    First, verify that init itself is correctly labeled. Check the output of
    the previously run <span class="code" dir="ltr">sestatus -v</span> command for the
    <span class="path" dir="ltr">/sbin/init</span> file and make sure that it is set to
    system_u:object_r:init_exec_t. If that is not the case, relabel
    <span class="path" dir="ltr">sys-apps/sysvinit</span> using <span class="code" dir="ltr">rlpkg sysvinit</span>. Also make the
    same checks as in the <a href="#doc_chap1">Unable To Load SELinux
    Policy</a> section. Reboot your system and retry.
  </td>
</tr>
<tr>
  <td class="tableinfo">agetty context</td>
  <td class="tableinfo">system_u:system_r:getty_t</td>
  <td class="tableinfo">
    Make sure that the <span class="path" dir="ltr">/sbin/agetty</span> binary is labeled
    system_u:object_r:getty_exec_t. If not, relabel the
    <span class="path" dir="ltr">sys-apps/util-linux</span> package using <span class="code" dir="ltr">rlpkg util-linux</span>. Then
    restart all the agetty processes using <span class="code" dir="ltr">pkill agetty</span> (they will
    automatically respawn).
  </td>
</tr>
<tr>
  <td class="infohead"><b>File</b></td>
  <td class="infohead"><b>Context</b></td>
  <td class="infohead"><b>If wrong context...</b></td>
</tr>
<tr>
  <td class="tableinfo">/bin/login</td>
  <td class="tableinfo">system_u:object_r:login_exec_t</td>
  <td class="tableinfo">
    The login binary is part of <span class="path" dir="ltr">sys-apps/shadow</span>. Run <span class="code" dir="ltr">rlpkg
    shadow</span> to relabel the files of that package and retry logging in.
  </td>
</tr>
<tr>
  <td class="tableinfo">/sbin/unix_chkpwd</td>
  <td class="tableinfo">system_u:object_r:chkpwd_exec_t</td>
  <td class="tableinfo">
    This binary is part of the <span class="path" dir="ltr">sys-libs/pam</span> package and is used by
    SSH when it is configured to use PAM for user authentication. Relabel the
    package using <span class="code" dir="ltr">rlpkg pam</span> and retry logging in.
  </td>
</tr>
<tr>
  <td class="tableinfo">/etc/passwd</td>
  <td class="tableinfo">system_u:object_r:etc_t</td>
  <td class="tableinfo" rowspan="2">
    The <span class="path" dir="ltr">/etc/passwd</span> and <span class="path" dir="ltr">/etc/shadow</span> must be labeled
    correctly, otherwise PAM will not be able to authenticate any user. Relabel
    the files through <span class="code" dir="ltr">restorecon /etc/passwd /etc/shadow</span> and retry
    logging in.
  </td>
</tr>
<tr>
  <td class="tableinfo">/etc/shadow</td>
  <td class="tableinfo">system_u:object_r:shadow_t</td>
</tr>
<tr>
  <td class="tableinfo">/bin/bash</td>
  <td class="tableinfo">system_u:object_r:shell_exec_t</td>
  <td class="tableinfo">
    The users' shell (in this case, <span class="code" dir="ltr">bash</span>) must be labeled correctly so
    the user can transition into the user domain when logging in. To do so,
    relabel the <span class="path" dir="ltr">app-shells/bash</span> package using <span class="code" dir="ltr">rlpkg bash</span>.
    Then, try logging in again.
  </td>
</tr>
</table>
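<p>
The table can be turned into a check that runs over the labels of all the files it lists and prints the
relabel step for each mismatch. The script below is an added example and not part of the handbook; it reads
lines of the form <span class="code" dir="ltr">path context</span> (as produced, for instance, by
<span class="code" dir="ltr">stat -c '%n %C' /bin/login /etc/shadow ...</span> on a GNU system) and compares the
type field of each context with the table. The sample input is constructed, with two files deliberately
mislabeled.
</p>

```shell
#!/bin/sh
# Added example (not from the Gentoo handbook): compare file contexts with the
# expected types from the "Incorrect Context" table and print the fix the
# table gives for each mismatch.

# Expected SELinux type for each path in the table; fails for unknown paths.
expected_type() {
    case "$1" in
        /sbin/init)        echo init_exec_t ;;
        /sbin/agetty)      echo getty_exec_t ;;
        /bin/login)        echo login_exec_t ;;
        /sbin/unix_chkpwd) echo chkpwd_exec_t ;;
        /etc/passwd)       echo etc_t ;;
        /etc/shadow)       echo shadow_t ;;
        /bin/bash)         echo shell_exec_t ;;
        *)                 return 1 ;;
    esac
}

# Relabel step the table names for each path.
suggested_fix() {
    case "$1" in
        /sbin/init)              echo "rlpkg sysvinit" ;;
        /sbin/agetty)            echo "rlpkg util-linux; pkill agetty" ;;
        /bin/login)              echo "rlpkg shadow" ;;
        /sbin/unix_chkpwd)       echo "rlpkg pam" ;;
        /etc/passwd|/etc/shadow) echo "restorecon /etc/passwd /etc/shadow" ;;
        /bin/bash)               echo "rlpkg bash" ;;
    esac
}

# Read "path context" lines on stdin. Print one line per mismatch and return
# the number of mismatches (0 means every listed path carries its expected type).
check_file_contexts() {
    bad=0
    while read -r path ctx; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path") || continue   # path not in the table
        # The type is the third colon-separated field of user:role:type[:level].
        have=$(printf '%s' "$ctx" | cut -d: -f3)
        if [ "$have" != "$want" ]; then
            echo "$path is $have, expected $want -> $(suggested_fix "$path")"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: /bin/login and /etc/shadow are mislabeled, the rest correct.
SAMPLE='/bin/login system_u:object_r:bin_t
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:etc_t
/bin/bash system_u:object_r:shell_exec_t
/usr/bin/unrelated system_u:object_r:bin_t'

# Print the number of mismatches found in the constructed sample.
demo_mismatches() {
    n=0
    printf '%s\n' "$SAMPLE" | check_file_contexts >/dev/null || n=$?
    echo "$n"
}

# Stand-alone use on the live system (GNU stat prints the context with %C):
#   stat -c '%n %C' /sbin/init /sbin/agetty /bin/login /sbin/unix_chkpwd \
#        /etc/passwd /etc/shadow /bin/bash | ./check_file_contexts.sh
if [ $# -eq 0 ] && [ ! -t 0 ]; then check_file_contexts; fi
```

<p>
Paths not in the table are ignored, so the same input can come from a wider listing; a non-zero return
value is the number of files that still need one of the relabel steps above.
</p>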
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Updated February 24, 2011</p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>