From: sds@tycho.nsa.gov (Stephen Smalley)
Date: Fri, 28 Aug 2009 07:48:03 -0400
Subject: [refpolicy] SELinux: Could not downgrade policy file 24 on PPC boards
In-Reply-To:
References:
Message-ID: <1251460083.2429.17.camel@moss-pluto.epoch.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2009-08-28 at 09:01 +0000, TaurusHarry wrote:
> Hi all,
>
> I have installed the latest SELinux user space tools released at the Tresys
> website on 2009-7-31; the max policy format version is 24. On the other side
> the max policy version number on the latest kernel is still 23. My approach
> is to first boot into "init=/bin/bash selinux=1" to load_policy and then
> restore security contexts for the whole file system, and second to boot up
> SELinux normally by "init=/sbin/bash selinux=1". On x86 targets (both 32bit
> and 64bit) the load_policy program could finish uneventfully:
>
> bash-3.2# /usr/sbin/load_policy -q /etc/selinux/target/policy/policy.24
> type=1403 audit(1249926421.908:2): policy loaded auid=4294967295 ses=4294967295
> bash-3.2#
>
> However, on a PPC 32 target (such as fsl_8548cds) the load_policy could run
> into the following error:
>
> bash-3.2# /usr/sbin/load_policy -q /etc/selinux/target/policy/policy.24
> SELinux: Could not downgrade policy file /etc/selinux/target/policy/policy.24, searching for an older version.
> SELinux: Could not open policy file <= /etc/selinux/wr-strict/policy/policy.24: No such file or directory
> /usr/sbin/load_policy: Can't load policy: No such file or directory
> bash-3.2#
> bash-3.2# /usr/sbin/load_policy -i
> type=1404 audit(1888.016:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
> libsepol.policydb_to_image: new policy image is invalid
> libsepol.policydb_to_image: could not create policy image
> SELinux: Could not downgrade policy file /etc/selinux/wr-strict/policy/policy.24, searching for an older version.
> SELinux: Could not open policy file <= /etc/selinux/wr-strict/policy/policy.24: No such file or directory
> /usr/sbin/load_policy: Can't load policy and enforcing mode requested: No such file or directory
> bash-3.2#
>
> The kernel I am using is 2.6.27. Why would the policy downgrading from 24 to
> 23 succeed on x86 boards but fail on PPC boards? Do I have to update the
> kernel to the latest 2.6.31? And is there anything special I must pay
> attention to when building SELinux policy for the PPC target?
>
> Any comments are greatly appreciated, thanks a lot!

This sounds like you have an older libsepol installed on the PPC system that
does not know how to handle policy.24 and thus cannot downgrade it. You can of
course force policy to be built to a particular version by setting
OUTPUT_POLICY in build.conf.

BTW, 2.6.27 had bugs in its open permission checking, so you should disable
the open_perms capability in policy/policy_capabilities or back port the bug
fixes to your kernel.

--
Stephen Smalley
National Security Agency
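The diagnosis above turns on two numbers: the version stamped in the binary policy file and the highest version the target kernel accepts. The script below is an added example, not part of the thread or of the refpolicy/libsepol projects. It reads the version field straight out of the policy file header (magic 0xf97cff8c, the tag "SE Linux", then the version, all little-endian 32-bit fields as written by libsepol and read by the kernel's policydb loader), assembling bytes by hand so it gives the same answer on a big-endian PPC board as on x86, and compares it with the kernel's policyvers file (/sys/fs/selinux or the older /selinux mount point). It assumes od, dd and a POSIX sh; the sample header it writes for self-testing is constructed and is not a loadable policy.

```shell
#!/bin/sh
# Added example (not from the thread): read the policy version stamped in a
# binary SELinux policy file and compare it with the highest version the
# running kernel accepts, which is the decision load_policy's downgrade
# path has to make.
#
# Binary policy header, all fields 32-bit little-endian regardless of host
# byte order (so the same parse works on x86 and PPC):
#   offset 0:  magic 0xf97cff8c
#   offset 4:  length of the tag string (8)
#   offset 8:  "SE Linux"
#   offset 16: policy version (e.g. 23 or 24)

POLICYDB_MAGIC=4185718668   # 0xf97cff8c in decimal

# Print the 32-bit little-endian integer at byte offset $2 of file $1.
# The bytes are assembled by hand so big-endian hosts give the same answer.
le32_at() {
    set -- $(od -An -tu1 -j "$2" -N 4 "$1")
    [ $# -eq 4 ] || return 1
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# Print the policy version carried by a binary policy file, or fail if the
# file does not start with the policydb magic and tag.
policy_file_version() {
    [ "$(le32_at "$1" 0)" = "$POLICYDB_MAGIC" ] ||
        { echo "$1: not a binary SELinux policy (bad magic)" >&2; return 1; }
    [ "$(dd if="$1" bs=1 skip=8 count=8 2>/dev/null)" = "SE Linux" ] ||
        { echo "$1: not a binary SELinux policy (bad tag)" >&2; return 1; }
    le32_at "$1" 16
}

# Print the highest policy version the running kernel accepts (selinuxfs must
# be mounted; 2.6.27-era kernels expose it under /selinux).
kernel_policy_version() {
    for f in /sys/fs/selinux/policyvers /selinux/policyvers; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    return 1
}

# Report whether policy file $1 loads as-is on a kernel whose maximum policy
# version is $2: 0 = yes, 1 = libsepol would have to downgrade it first.
check_loadable() {
    fv=$(policy_file_version "$1") || return 2
    if [ "$fv" -le "$2" ]; then
        echo "policy.$fv: loads directly (kernel max $2)"
        return 0
    fi
    echo "policy.$fv: newer than kernel max $2; libsepol must downgrade it," \
         "or rebuild with OUTPUT_POLICY = $2 in build.conf"
    return 1
}

# Emit $1 as four little-endian bytes. Zero bytes come from /dev/zero because
# printf '\000' is not reliable in every /bin/sh.
put_le32() {
    v=$1; i=0
    while [ $i -lt 4 ]; do
        b=$(( v & 255 ))
        if [ "$b" -eq 0 ]; then
            dd if=/dev/zero bs=1 count=1 2>/dev/null
        else
            printf "\\$(printf '%03o' "$b")"
        fi
        v=$(( v >> 8 )); i=$(( i + 1 ))
    done
}

# Write a constructed header (magic, tag, version $2) to $1 so the parser can
# be exercised without a real policy. This is a test fixture, not a loadable
# policy.
write_sample_header() {
    {
        printf '\214\377\174\371'      # 0x8c 0xff 0x7c 0xf9: magic, little-endian
        put_le32 8
        printf 'SE Linux'
        put_le32 "$2"
    } > "$1"
}

# Usage on a target: ./policyver.sh /etc/selinux/target/policy/policy.24
if [ $# -gt 0 ]; then
    kv=$(kernel_policy_version) ||
        { echo "cannot read policyvers; is selinuxfs mounted?" >&2; exit 2; }
    check_loadable "$1" "$kv"
fi
```

When the file version is higher than the kernel's, loading depends entirely on the libsepol linked into load_policy knowing that version well enough to downgrade it, which is the failure the PPC board shows. Rebuilding with OUTPUT_POLICY set to the kernel's maximum removes the downgrade step altogether, so the same policy loads whatever libsepol the target carries.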