Hi all,
I have installed the latest SELinux user space tools released at the Tresys
website on 2009-7-31, the max policy format version is 24. On the other side
the max policy version number on the latest kernel still is 23. My approach
are to first boot into "init=/bin/bash selinux=1" to load_policy and then
restore security contexts for the whole file system, second boot up SELinux
normally by "init=/sbin/bash selinux=1". On x86 targets(both 32bit and 64bit)
the load_policy program could finish uneventfully:
bash-3.2# /usr/sbin/load_policy -q /etc/selinux/target/policy/policy.24
type=1403 audit(1249926421.908:2): policy loaded auid=4294967295 ses=4294967295
bash-3.2#
However, on PPC 32 target(such as fsl_8548cds) the load_policy could run into
following error:
bash-3.2# /usr/sbin/load_policy -q /etc/selinux/target/policy/policy.24
SELinux: Could not downgrade policy file /etc/selinux/target/policy/policy.24, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/wr-strict/policy/policy.24: No such file or directory
/usr/sbin/load_policy: Can't load policy: No such file or directory
bash-3.2#
bash-3.2# /usr/sbin/load_policy -i
type=1404 audit(1888.016:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
libsepol.policydb_to_image: new policy image is invalid
libsepol.policydb_to_image: could not create policy image
SELinux: Could not downgrade policy file /etc/selinux/wr-strict/policy/policy.24, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/wr-strict/policy/policy.24: No such file or directory
/usr/sbin/load_policy: Can't load policy and enforcing mode requested: No such file or directory
bash-3.2#
The kernel I am using is 2.6.27, why would the policy downgrading from 24 to 23
succeed on x86 boards but fail on PPC boards? Do I have to udpate kernel to the
latest 2.6.31? and is there anything special I must pay attention to when building
SELinux policy for the PPC target?
Any comments are greatly appreciated, thanks a lot!
Harry
_________________________________________________________________
???????????????
http://www.microsoft.com/china/windows/windowslive/products/photos-share.aspx?tab=1
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20090828/3a63f518/attachment.html
On Fri, 2009-08-28 at 09:01 +0000, TaurusHarry wrote:
> Hi all,
>
> I have installed the latest SELinux user space tools released at the
> Tresys
> website on 2009-7-31, the max policy format version is 24. On the
> other side
> the max policy version number on the latest kernel still is 23. My
> approach
> are to first boot into "init=/bin/bash selinux=1" to load_policy and
> then
> restore security contexts for the whole file system, second boot up
> SELinux
> normally by "init=/sbin/bash selinux=1". On x86 targets(both 32bit and
> 64bit)
> the load_policy program could finish uneventfully:
>
> bash-3.2# /usr/sbin/load_policy
> -q /etc/selinux/target/policy/policy.24
> type=1403 audit(1249926421.908:2): policy loaded auid=4294967295
> ses=4294967295
> bash-3.2#
>
> However, on PPC 32 target(such as fsl_8548cds) the load_policy could
> run into
> following error:
>
> bash-3.2# /usr/sbin/load_policy
> -q /etc/selinux/target/policy/policy.24
> SELinux: Could not downgrade policy
> file /etc/selinux/target/policy/policy.24, searching for an older
> version.
> SELinux: Could not open policy file
> <= /etc/selinux/wr-strict/policy/policy.24: No such file or directory
> /usr/sbin/load_policy: Can't load policy: No such file or
> directory
> bash-3.2#
> bash-3.2# /usr/sbin/load_policy -i
> type=1404 audit(1888.016:2): enforcing=1 old_enforcing=0
> auid=4294967295 ses=4294967295
> libsepol.policydb_to_image: new policy image is invalid
> libsepol.policydb_to_image: could not create policy image
> SELinux: Could not downgrade policy
> file /etc/selinux/wr-strict/policy/policy.24, searching for an older
> version.
> SELinux: Could not open policy file
> <= /etc/selinux/wr-strict/policy/policy.24: No such file or directory
> /usr/sbin/loa d_policy: Can't load policy and enforcing mode
> requested: No such file or directory
> bash-3.2#
>
> The kernel I am using is 2.6.27, why would the policy downgrading from
> 24 to 23
> succeed on x86 boards but fail on PPC boards? Do I have to udpate
> kernel to the
> latest 2.6.31? and is there anything special I must pay attention to
> when building
> SELinux policy for the PPC target?
>
> Any comments are greatly appreciated, thanks a lot!
This sounds like you have an older libsepol installed on the PPC system
that does not know how to handle policy.24 and thus cannot downgrade it.
You can of course force policy to be built to a particular version by
setting OUTPUT_POLICY in build.conf.
BTW, 2.6.27 had bugs in its open permission checking, so you should
disable the open_perms capability in policy/policy_capabilities or back
port the bug fixes to your kernel.
--
Stephen Smalley
National Security Agency
Hi Smalley,
Thanks for helping me out once again, I'd really appreciated your kind help!
So far I have not found out the root cause why the libsepol has not been properly compiled/installed for the ppc targets but I did am able to workaround this issue by specifying OUTPUT_POLICY=23 in the build.conf so that policy format downgrading won't have to take place at all.
Best regards,
Harry
> Subject: Re: [refpolicy] SELinux: Could not downgrade policy file 24 on PPC boards
> From: sds at tycho.nsa.gov
> To: harrytaurus2002 at hotmail.com
> CC: refpolicy at oss1.tresys.com
> Date: Fri, 28 Aug 2009 07:48:03 -0400
>
> On Fri, 2009-08-28 at 09:01 +0000, TaurusHarry wrote:
> > Hi all,
> >
> > I have installed the latest SELinux user space tools released at the
> > Tresys
> > website on 2009-7-31, the max policy format version is 24. On the
> > other side
> > the max policy version number on the latest kernel still is 23. My
> > approach
> > are to first boot into "init=/bin/bash selinux=1" to load_policy and
> > then
> > restore security contexts for the whole file system, second boot up
> > SELinux
> > normally by "init=/sbin/bash selinux=1". On x86 targets(both 32bit and
> > 64bit)
> > the load_policy program could finish uneventfully:
> >
> > bash-3.2# /usr/sbin/load_policy
> > -q /etc/selinux/target/policy/policy.24
> > type=1403 audit(1249926421.908:2): policy loaded auid=4294967295
> > ses=4294967295
> > bash-3.2#
> >
> > However, on PPC 32 target(such as fsl_8548cds) the load_policy could
> > run into
> > following error:
> >
> > bash-3.2# /usr/sbin/load_policy
> > -q /etc/selinux/target/policy/policy.24
> > SELinux: Could not downgrade policy
> > file /etc/selinux/target/policy/policy.24, searching for an older
> > version.
> > SELinux: Could not open policy file
> > <= /etc/selinux/wr-strict/policy/policy.24: No such file or directory
> > /usr/sbin/load_policy: Can't load policy: No such file or
> > directory
> > bash-3.2#
> > bash-3.2# /usr/sbin/load_policy -i
> > type=1404 audit(1888.016:2): enforcing=1 old_enforcing=0
> > auid=4294967295 ses=4294967295
> > libsepol.policydb_to_image: new policy image is invalid
> > libsepol.policydb_to_image: could not create policy image
> > SELinux: Could not downgrade policy
> > file /etc/selinux/wr-strict/policy/policy.24, searching for an older
> > version.
> > SELinux: Could not open policy file
> > <= /etc/selinux/wr-strict/policy/policy.24: No such file or directory
> > /usr/sbin/loa d_policy: Can't load policy and enforcing mode
> > requested: No such file or directory
> > bash-3.2#
> >
> > The kernel I am using is 2.6.27, why would the policy downgrading from
> > 24 to 23
> > succeed on x86 boards but fail on PPC boards? Do I have to udpate
> > kernel to the
> > latest 2.6.31? and is there anything special I must pay attention to
> > when building
> > SELinux policy for the PPC target?
> >
> > Any comments are greatly appreciated, thanks a lot!
>
> This sounds like you have an older libsepol installed on the PPC system
> that does not know how to handle policy.24 and thus cannot downgrade it.
>
> You can of course force policy to be built to a particular version by
> setting OUTPUT_POLICY in build.conf.
>
> BTW, 2.6.27 had bugs in its open permission checking, so you should
> disable the open_perms capability in policy/policy_capabilities or back
> port the bug fixes to your kernel.
>
> --
> Stephen Smalley
> National Security Agency
>
_________________________________________________________________
????????????360???????
http://club.msn.cn/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20090831/16a936fd/attachment.html