From: Dominick Grift <dac.override@gmail.com>
To: Richard Haines <richard_c_haines@btinternet.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
selinux@tycho.nsa.gov
Subject: Re: load_policy fails to load policy with ENOENT
Date: Tue, 15 Nov 2016 16:35:02 +0100 [thread overview]
Message-ID: <193049f3-cb37-871c-e730-eae054b62be9@gmail.com> (raw)
In-Reply-To: <1479223847.11104.12.camel@btinternet.com>
[-- Attachment #1.1: Type: text/plain, Size: 3865 bytes --]
On 11/15/2016 04:30 PM, Richard Haines wrote:
> On Tue, 2016-11-15 at 16:02 +0100, Dominick Grift wrote:
>> On 11/15/2016 03:58 PM, Stephen Smalley wrote:
>>>
>>> On 11/15/2016 07:19 AM, Dominick Grift wrote:
>>>>
>>>> I finished porting dssp-base to dssp1-base, however when i try
>>>> testing it load_policy fails with ENOENT.
>>>>
>>>> Even though load_policy returns error status the policy seems to
>>>> be loaded, except that it is not (or so it seems). When i reboot
>>>> the system freezes for whatever reason. Whether it is due to
>>>> systemd refusing due to load_policy failure or anything else i am
>>>> not sure.
>>>>
>>>> I have double checked the policy.
>>>>
>>>> 1. secilc has no problems with it 2. the initial sids are
>>>> declared
>>>> and ordered 3. the classes are there (and the linux classes are
>>>> ordered)
>>>>
>>>> I cannot think of anything that might cause this and i am looking
>>>> for suggestions.
>>>>
>>>> It is easy to reproduce:
>>>>
>>>> 1. git clone https://github.com/DefenSec/dssp1-base.git 2. cd
>>>> dssp1-base 3. secilc `ls *.cil` 4. seinfo policy.30 5. mv
>>>> /etc/selinux/targeted/policy/policy.30
>>>> /etc/selinux/targeted/policy/policy.30.ori 6. cp policy.30
>>>> /etc/selinux/targeted/policy/ 7. setenforce 0 8. load_policy 9.
>>>> sestatus, seinfo, ps uaxZ
>>>>
>>>> I have also uploaded a demo:
>>>>
>>>> https://youtu.be/8NCME9dLZd4
>>>>
>>>> Suggestions and help are appreciated
>>>
>>> Any dmesg output at the time of the failed load?
>>> What does strace load_policy show?
>>>
>>
>> write(4, "\214\377|\371\10\0\0\0SE
>> Linux\36\0\0\0\1\0\0\0\10\0\0\0\7\0\0\0"..., 296645) = -1 ENOENT (No
>> such file or directory)
>>
>> dmesg shows exactly what it would show on a successful policy load
>> AFAICT
>>
>> From dmesg there is no indication that anything went wrong (all the
>> expected output is there (the stats the unmapped/invalidated
>> contexts.
>> also sestatus shows that the policy is loaded). It *seems* that only
>> load policy throws this error. However as i said the system freezes
>> on
>> boot and i cannot tell whether that is due to systemd, the policy or
>> load_policy.
>>
>> following the steps to reproduce will take less than five minutes:
>>
>>>
>>>>
>>>> 1. git clone https://github.com/DefenSec/dssp1-base.git 2. cd
>>>> dssp1-base 3. secilc `ls *.cil` 4. seinfo policy.30 5. mv
>>>> /etc/selinux/targeted/policy/policy.30
>>>> /etc/selinux/targeted/policy/policy.30.ori 6. cp policy.30
>>>> /etc/selinux/targeted/policy/ 7. setenforce 0 8. load_policy 9.
>>>> sestatus, seinfo, ps uaxZ
>>
>
> I found that the booleans are causing the problem. If you move the
> (boolean ...) statements to global space your policy loads (the
> booleanif statements are okay where they are). Not sure why yet but
> kernel boolean check could get confused with sys.load_kernel_module
Hmm, I consider that to be a bug, in any case. the sid declarations can
also not be in any blocks but at least secilc tells me about it.
>
> BTW you are missing the netlink_socket class. I have not tried to boot
> with the policy but I guess you would also need to update the config
> files with the new contexts to boot system !!!
The netlink_socket class is deprecated, no longer used. They left it in
the kernel but my policy does not support it
I know about the other prerequisites, thanks.
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to Selinux-request@tycho
>> .nsa.gov.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 648 bytes --]
next prev parent reply other threads:[~2016-11-15 15:35 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-15 12:19 load_policy fails to load policy with ENOENT Dominick Grift
2016-11-15 14:58 ` Stephen Smalley
2016-11-15 15:02 ` Dominick Grift
2016-11-15 15:30 ` Richard Haines
2016-11-15 15:35 ` Dominick Grift [this message]
2016-11-15 15:42 ` Stephen Smalley
2016-11-15 15:45 ` Dominick Grift
2016-11-15 15:51 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=193049f3-cb37-871c-e730-eae054b62be9@gmail.com \
--to=dac.override@gmail.com \
--cc=richard_c_haines@btinternet.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.