Scientific Linux Forum.org

livecd-tools and selinux booleans
Bluejay
 Posted: Mar 7 2016, 08:33 PM

This is something that worked back circa SL 6.5, but now seems to be broken.

We have a custom live CD for a particular application we run booted from the CD. In it, I set several selinux booleans during the CD creation. Now, trying to create a new version with the same kickstart file, the booleans are failing to set. If, in my %post section, I use setsebool, I just get

setsebool: SELinux is disabled.

If I try using semanage, I get the somewhat more verbose:

SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.24, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.24: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.24, searching for an older version.
SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.24: No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/semanage: Could not commit semanage transaction

The kickstart file does have
selinux --enforcing

I've tried this with both the livecd-tools from EPEL (13.4-10) and from the SL 6.7 addons (13.4.9-1). selinux is enforcing on the host build machine.

The resulting livecd system does come up with selinux enforcing. Just without the required booleans set.

Anyone have any ideas?
helikaon
 Posted: Mar 8 2016, 07:35 PM

Hi,
I'm not an SELinux expert, but if I understand it well, you try to build a new live CD based on SL 6.7 and use booleans that worked at 6.5 (+ add new ones). I think this message is clearly saying you're using syntax that is not compatible with 6.7.

I think there were changes made in SELinux between 6.5 -> 6.6 and some rules were redone, being stricter. So if your application is based on some existing OS service (e.g. httpd) there really could be a problem.

I think also that the version of the kernel and maybe initrd also matters. It is a complex problem and hard to say for sure.

cheers,

Bluejay
 Posted: Mar 8 2016, 08:37 PM

QUOTE (helikaon @ Mar 8 2016, 02:35 PM)
I'm not an SELinux expert, but if I understand it well, you try to build a new live CD based on SL 6.7 and use booleans that worked at 6.5 (+ add new ones). I think this message is clearly saying you're using syntax that is not compatible with 6.7.
I believe the syntax is correct, as I can execute the same commands from the created system once it's running, or from the build machine (also 6.7) for that matter.
QUOTE (helikaon @ Mar 8 2016, 02:35 PM)
I think there were changes made in SELinux between 6.5 -> 6.6 and some rules were redone, being stricter. So if your application is based on some existing OS service (e.g. httpd) there really could be a problem.

The application works if I set those booleans, so that's not the problem. The booleans work, I just can't set them at live CD build time.

I can work around this by placing the setsebool commands in the livecd's init file, but I'd really rather have them set at build time for a cleaner implementation.

Thanks for the input!
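The two placements Bluejay weighs, build time in %post versus the live CD's init file, as an added example (not code from the thread or from livecd-tools): a POSIX sh fragment for a kickstart %post that tries setsebool while the build chroot exposes a running SELinux, and otherwise appends the same settings to a boot-time hook so the image still comes up with them set. The boolean names, the rc.local path and the selinuxfs check are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Set SELinux booleans during a livecd
# kickstart %post if the build chroot can, else defer them to first boot
# (the "setsebool: SELinux is disabled" case quoted above).
# Boolean names are placeholders; substitute the ones your image needs.

BOOLEANS="httpd_can_network_connect=1 allow_user_exec_content=0"

# selinux_usable ROOT: succeed if a live selinuxfs is visible under ROOT.
# EL6 mounts it at /selinux, later releases at /sys/fs/selinux (assumption:
# no selinuxfs in the chroot is why setsebool reports SELinux disabled).
selinux_usable() {
    root="${1:-}"
    [ -r "$root/selinux/enforce" ] || [ -r "$root/sys/fs/selinux/enforce" ]
}

# write_boot_hook FILE: append the boolean settings to a boot-time script
# (rc.local by default; the livecd init script would do as well).
write_boot_hook() {
    hook="$1"
    mkdir -p "$(dirname "$hook")"
    [ -f "$hook" ] || printf '#!/bin/sh\n' > "$hook"
    {
        echo '# SELinux booleans deferred from livecd build time'
        # No -P: the live root is rebuilt on every boot, so runtime-only is enough.
        echo "setsebool $BOOLEANS"
    } >> "$hook"
    chmod 755 "$hook"
}

# apply_booleans ROOT HOOK: returns 0 when set persistently at build time,
# 2 when the settings had to be deferred to HOOK.
apply_booleans() {
    root="${1:-}"
    hook="${2:-/etc/rc.d/rc.local}"
    if selinux_usable "$root"; then
        setsebool -P $BOOLEANS && return 0
    fi
    write_boot_hook "$hook"
    return 2
}
```

In a real %post, call `apply_booleans` with no arguments; the ROOT parameter exists only so the check can be exercised against a scratch directory.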
helikaon
 Posted: Mar 9 2016, 03:51 AM

hmm,
then OK, if I apply 'robotic' logic without much thinking (so sorry if it's a dumb thought :) ), it would appear to me that you try to apply those SELinux values before SELinux itself is started / installed?

cheers,

Bluejay
 Posted: Mar 11 2016, 02:05 PM

QUOTE (helikaon @ Mar 8 2016, 10:51 PM)
hmm,
it would appear to me, that it looks like you try to apply those selinux values before the selinux itself is started / installed?

They're pretty late in the %post section, there's just a little cleanup afterwards. When would selinux be "started" in the livecd build environment?
tux99
 Posted: Mar 11 2016, 04:57 PM

I probably know less about selinux than you do so excuse me if this isn't relevant for your situation, but can't you just dump your settings and rules in some selinux settings file?

I found that this is possible when I was doing a package that needed some selinux rules, see the following spec-file:
http://pkgrepo.linuxtech.net/el6/release/spec-files/bind-altchroot.spec

I'm simply dumping the new rules into /etc/selinux/targeted/contexts/files/file_contexts.local which seems to work fine (IIRC I got the idea to do it this way from some other spec-file).

--------------------
My personal SL6 repository, specialized in audio/video software: http://pkgrepo.linuxtech.net/el6/
(can be used together with EPEL and ELRepo repositories) - repository mirror: http://linuxsoft.cern.ch/linuxtech/el6/
Bluejay
 Posted: Mar 11 2016, 08:06 PM

QUOTE (tux99 @ Mar 11 2016, 11:57 AM)
but can't you just dump your settings and rules in some selinux settings file?

I was looking for that too. Near as I can tell, the booleans are in a file under /etc/selinux/targeted/policy, but it's a binary file and so not very amenable to editing. I'm not sure what would happen if I just replaced that file, especially as versions change.