From: harrytaurus2002@hotmail.com (TaurusHarry)
Date: Mon, 31 Aug 2009 06:37:53 +0000
Subject: [refpolicy] SELinux: Could not downgrade policy file 24 on PPC boards
In-Reply-To: <1251460083.2429.17.camel@moss-pluto.epoch.ncsc.mil>
References: <1251460083.2429.17.camel@moss-pluto.epoch.ncsc.mil>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Smalley,

Thanks for helping me out once again, I really appreciate your kind help!

So far I have not found out the root cause why the libsepol has not been properly compiled/installed for the ppc targets, but I am able to work around this issue by specifying OUTPUT_POLICY=23 in the build.conf so that policy format downgrading won't have to take place at all.

Best regards,
Harry

> Subject: Re: [refpolicy] SELinux: Could not downgrade policy file 24 on PPC boards
> From: sds at tycho.nsa.gov
> To: harrytaurus2002 at hotmail.com
> CC: refpolicy at oss1.tresys.com
> Date: Fri, 28 Aug 2009 07:48:03 -0400
>
> On Fri, 2009-08-28 at 09:01 +0000, TaurusHarry wrote:
> > Hi all,
> >
> > I have installed the latest SELinux user space tools released at the Tresys website on 2009-7-31, the max policy format version is 24. On the other side the max policy version number on the latest kernel still is 23. My approach is to first boot into "init=/bin/bash selinux=1" to load_policy and then restore security contexts for the whole file system, second boot up SELinux normally by "init=/sbin/bash selinux=1".
> > On x86 targets (both 32bit and 64bit) the load_policy program could finish uneventfully:
> >
> > bash-3.2# /usr/sbin/load_policy -q /etc/selinux/target/policy/policy.24
> > type=1403 audit(1249926421.908:2): policy loaded auid=4294967295 ses=4294967295
> > bash-3.2#
> >
> > However, on PPC 32 target (such as fsl_8548cds) the load_policy could run into following error:
> >
> > bash-3.2# /usr/sbin/load_policy -q /etc/selinux/target/policy/policy.24
> > SELinux: Could not downgrade policy file /etc/selinux/target/policy/policy.24, searching for an older version.
> > SELinux: Could not open policy file <= /etc/selinux/wr-strict/policy/policy.24: No such file or directory
> > /usr/sbin/load_policy: Can't load policy: No such file or directory
> > bash-3.2#
> > bash-3.2# /usr/sbin/load_policy -i
> > type=1404 audit(1888.016:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
> > libsepol.policydb_to_image: new policy image is invalid
> > libsepol.policydb_to_image: could not create policy image
> > SELinux: Could not downgrade policy file /etc/selinux/wr-strict/policy/policy.24, searching for an older version.
> > SELinux: Could not open policy file <= /etc/selinux/wr-strict/policy/policy.24: No such file or directory
> > /usr/sbin/load_policy: Can't load policy and enforcing mode requested: No such file or directory
> > bash-3.2#
> >
> > The kernel I am using is 2.6.27, why would the policy downgrading from 24 to 23 succeed on x86 boards but fail on PPC boards? Do I have to update kernel to the latest 2.6.31? and is there anything special I must pay attention to when building SELinux policy for the PPC target?
> >
> > Any comments are greatly appreciated, thanks a lot!
>
> This sounds like you have an older libsepol installed on the PPC system that does not know how to handle policy.24 and thus cannot downgrade it.
>
> You can of course force policy to be built to a particular version by setting OUTPUT_POLICY in build.conf.
>
> BTW, 2.6.27 had bugs in its open permission checking, so you should disable the open_perms capability in policy/policy_capabilities or back port the bug fixes to your kernel.
>
> --
> Stephen Smalley
> National Security Agency
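
An added example, not part of the thread and not the SELinux project's code: a Python check that reads the format version from a binary policy header and compares it with the kernel's maximum, the mismatch that makes load_policy attempt a downgrade. The header layout (magic 0xf97cff8c, the string "SE Linux", then the version, all little-endian) and the policyvers paths are assumptions taken from the kernel binary policy format, not from the thread; the sample bytes are constructed.

```python
import struct

POLICYDB_MAGIC = 0xF97CFF8C    # magic of a kernel binary policy (assumed from the format)
POLICYDB_STRING = b"SE Linux"  # identifier string that follows the magic

def policy_version(image: bytes) -> int:
    """Return the format version recorded in a binary policy header."""
    if len(image) < 8:
        raise ValueError("truncated policy header")
    # Header fields are little-endian on every architecture, PPC included.
    magic, strlen = struct.unpack_from("<II", image, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}: not a kernel binary policy")
    if image[8:8 + strlen] != POLICYDB_STRING:
        raise ValueError("bad policy identifier string")
    if len(image) < 8 + strlen + 4:
        raise ValueError("truncated policy header")
    (version,) = struct.unpack_from("<I", image, 8 + strlen)
    return version

def kernel_max_version(paths=("/sys/fs/selinux/policyvers", "/selinux/policyvers")) -> int:
    """Read the highest policy version the running kernel accepts from selinuxfs."""
    for path in paths:
        try:
            with open(path) as fh:
                return int(fh.read().strip())
        except OSError:
            continue
    raise RuntimeError("selinuxfs not mounted; cannot read policyvers")

def needs_downgrade(image: bytes, kernel_max: int) -> bool:
    """True when load_policy would have to ask libsepol to downgrade the image."""
    return policy_version(image) > kernel_max

def sample_header(version: int) -> bytes:
    """Constructed sample: only the header prefix that this check reads."""
    return (struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING))
            + POLICYDB_STRING + struct.pack("<I", version))

if __name__ == "__main__":
    # The thread's case: the tools emit version 24, the kernel's max is 23.
    for built in (24, 23):
        img = sample_header(built)
        action = ("downgrade needed (or build with OUTPUT_POLICY=23)"
                  if needs_downgrade(img, 23) else "loads as built")
        print(f"policy.{built} on a kernel with max 23: {action}")
```

On a target, pass the contents of the installed policy file and `kernel_max_version()` to `needs_downgrade` to see whether the libsepol downgrade path will be exercised at load time.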