On 11/15/2016 04:30 PM, Richard Haines wrote:
> On Tue, 2016-11-15 at 16:02 +0100, Dominick Grift wrote:
>> On 11/15/2016 03:58 PM, Stephen Smalley wrote:
>>>
>>> On 11/15/2016 07:19 AM, Dominick Grift wrote:
>>>>
>>>> I finished porting dssp-base to dssp1-base, however when I try
>>>> testing it load_policy fails with ENOENT.
>>>>
>>>> Even though load_policy returns error status the policy seems to
>>>> be loaded, except that it is not (or so it seems). When I reboot
>>>> the system freezes for whatever reason. Whether it is due to
>>>> systemd refusing due to load_policy failure or anything else I am
>>>> not sure.
>>>>
>>>> I have double checked the policy.
>>>>
>>>> 1. secilc has no problems with it
>>>> 2. the initial sids are declared and ordered
>>>> 3. the classes are there (and the linux classes are ordered)
>>>>
>>>> I cannot think of anything that might cause this and I am looking
>>>> for suggestions.
>>>>
>>>> It is easy to reproduce:
>>>>
>>>> 1. git clone https://github.com/DefenSec/dssp1-base.git
>>>> 2. cd dssp1-base
>>>> 3. secilc `ls *.cil`
>>>> 4. seinfo policy.30
>>>> 5. mv /etc/selinux/targeted/policy/policy.30 /etc/selinux/targeted/policy/policy.30.ori
>>>> 6. cp policy.30 /etc/selinux/targeted/policy/
>>>> 7. setenforce 0
>>>> 8. load_policy
>>>> 9. sestatus, seinfo, ps uaxZ
>>>>
>>>> I have also uploaded a demo:
>>>>
>>>> https://youtu.be/8NCME9dLZd4
>>>>
>>>> Suggestions and help are appreciated
>>>
>>> Any dmesg output at the time of the failed load?
>>> What does strace load_policy show?
>>>
>>
>> write(4, "\214\377|\371\10\0\0\0SE Linux\36\0\0\0\1\0\0\0\10\0\0\0\7\0\0\0"..., 296645) = -1 ENOENT (No such file or directory)
>>
>> dmesg shows exactly what it would show on a successful policy load
>> AFAICT
>>
>> From dmesg there is no indication that anything went wrong (all the
>> expected output is there: the stats, the unmapped/invalidated
>> contexts; also sestatus shows that the policy is loaded).
>> It *seems* that only load_policy throws this error. However as I
>> said the system freezes on boot and I cannot tell whether that is
>> due to systemd, the policy or load_policy.
>>
>> following the steps to reproduce will take less than five minutes:
>>
>>>>
>>>> 1. git clone https://github.com/DefenSec/dssp1-base.git
>>>> 2. cd dssp1-base
>>>> 3. secilc `ls *.cil`
>>>> 4. seinfo policy.30
>>>> 5. mv /etc/selinux/targeted/policy/policy.30 /etc/selinux/targeted/policy/policy.30.ori
>>>> 6. cp policy.30 /etc/selinux/targeted/policy/
>>>> 7. setenforce 0
>>>> 8. load_policy
>>>> 9. sestatus, seinfo, ps uaxZ
>>
>
> I found that the booleans are causing the problem. If you move the
> (boolean ...) statements to global space your policy loads (the
> booleanif statements are okay where they are). Not sure why yet but
> kernel boolean check could get confused with sys.load_kernel_module

Hmm, I consider that to be a bug, in any case. The sid declarations can also not be in any blocks, but at least secilc tells me about it.

>
> BTW you are missing the netlink_socket class. I have not tried to boot
> with the policy but I guess you would also need to update the config
> files with the new contexts to boot system !!!

The netlink_socket class is deprecated, no longer used. They left it in the kernel but my policy does not support it.

I know about the other prerequisites, thanks.

>> _______________________________________________
>> Selinux mailing list
>> Selinux@xxxxxxxxxxxxx
>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
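A constructed CIL fragment, added here and not taken from dssp1-base, contrasting the two layouts Richard describes in the thread: a boolean declared inside a block, and the same arrangement with the boolean moved to global scope while the booleanif stays in the block. All names are made up, and the rest of the policy (classes, sids, users, roles) is assumed to be declared elsewhere.

```cil
; Constructed example, not part of dssp1-base or the mailing-list thread.
; Assumes the policy already declares the file class, sids, users, etc.

; Layout 1: boolean declared inside the block. secilc accepts this and
; namespaces it as mod_a.allow_extra_read, but this is the arrangement
; that failed to load with ENOENT in the thread above.
(block mod_a
    (type mod_a_t)
    (boolean allow_extra_read false)
    (booleanif allow_extra_read
        (true
            (allow mod_a_t self (file (read))))))

; Layout 2: boolean moved to global scope. The booleanif stays inside
; the block and resolves the unqualified name against the global
; namespace; this is the arrangement that loaded.
(boolean allow_extra_write false)
(block mod_b
    (type mod_b_t)
    (booleanif allow_extra_write
        (true
            (allow mod_b_t self (file (write))))))
```

Compiling both layouts with secilc succeeds, so the difference only shows up at load_policy time, which is why checking the strace of the write to the load node (as Stephen suggested) rather than the compiler output is the useful diagnostic here.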