

6. Troubleshooting SELinux

6.a. Unable To Load SELinux Policy

Problem Description

If you notice that SELinux is not functioning at all, a quick run of sestatus will tell you whether SELinux is enabled and a policy is loaded. If you get the following output, no SELinux policy is loaded:

Code Listing 1.1: sestatus output

SELinux status:                disabled

If this is the case, read on in this section to find out how to troubleshoot and resolve this.

No Policy Installed

One potential reason would be that there is no policy to load to begin with. Take a look inside /usr/share/selinux/strict or /usr/share/selinux/targeted (depending on your configuration) and look for a file called base.pp. If no such file exists, you will need to install the base policy. This policy is offered by the sec-policy/selinux-base-policy package, but it is better to read up on the chapter regarding Gentoo SELinux Installation / Conversion as more important changes might be missing.

Policy Not Loaded

If the base.pp file exists in /usr/share/selinux/strict (or targeted/), take a look inside /etc/selinux/strict/policy. This location too should contain a base.pp policy module (when a SELinux policy is loaded, it is copied from the first location to the second).

If no base.pp file exists, install and load the policy:

Code Listing 1.2: Installing the base policy

~# semodule -n -B

This is a one-time operation - once installed and loaded, it will be reloaded upon every reboot.

Init Can Not Load the SELinux Policy

During system boot, the init process is responsible for loading and interacting with the SELinux policy in memory. If init does not support SELinux, you will get no SELinux support in your environment.

To verify if init supports SELinux, we need to check if it uses the libselinux.so shared object:

Code Listing 1.3: Checking if init supports SELinux

~# ldd /sbin/init
        linux-vdso.so.1 =>  (0x00006ace30e84000)
        ( You should see something similar to the following line: )
        libselinux.so.1 => /lib/libselinux.so.1 (0x00006ace30a46000)
        libc.so.6 => /lib/libc.so.6 (0x00006ace306e9000)
        libdl.so.2 => /lib/libdl.so.2 (0x00006ace304e5000)
        /lib64/ld-linux-x86-64.so.2 (0x00006ace30c68000)

If this is not the case, make sure that emerge --info shows that the selinux USE flag is in place, and reinstall sys-apps/sysvinit. If the selinux USE flag is not in place, check your Gentoo profile and make sure it points to a selinux/v2refpolicy/... profile.

Policy Store is Corrupt

If you encounter policy loading failures during boot-up or in semodule operations, and the solutions above do not resolve them, then you might need to reinstall the policies after eliminating the corrupt store.

Code Listing 1.4: Recovering from store corruption

~# semodule -n -B
libsemanage.semanage_load_module: Error while reading from module file
/etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory)

~# setenforce 0
~# mv /etc/selinux/targeted /etc/selinux/targeted.old
~# FEATURES="-selinux" emerge -1av $(qlist -IC sec-policy)
~# restorecon -R /etc/selinux

This will effectively disable the current, corrupted SELinux policy store and then use Portage to reinstall all SELinux policy packages that are installed on the system. When done, the file contexts of /etc/selinux are restored, after which you should be able to continue.
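The checks of this section, as an added diagnostic script (not part of the handbook). It tests sestatus output, the two base.pp locations and the libselinux dependency of init in the order described above; the SELINUX_TYPE variable and the root-prefix argument are assumptions added so the checks can also run against a test tree.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the Gentoo handbook. It walks the
# checks of this section in order. The SELINUX_TYPE variable and the root
# prefix argument are assumptions so the checks can run against a test tree.
SELINUX_TYPE="${SELINUX_TYPE:-strict}"

# Reads 'sestatus' output on stdin; returns 0 when SELinux reports enabled.
sestatus_enabled() {
    grep -q '^SELinux status:[[:space:]]*enabled'
}

# $1 = policy type (strict or targeted), $2 = root prefix ("" for the live
# system). Returns 2 when base.pp is not installed, 1 when it is installed
# but not present in the policy store, 0 when both copies exist.
check_base_policy() {
    installed="$2/usr/share/selinux/$1/base.pp"
    loaded="$2/etc/selinux/$1/policy/base.pp"
    if [ ! -f "$installed" ]; then
        echo "no base policy installed: emerge sec-policy/selinux-base-policy"
        return 2
    fi
    if [ ! -f "$loaded" ]; then
        echo "base policy installed but not loaded: run 'semodule -n -B'"
        return 1
    fi
    echo "base policy installed and loaded"
}

# Reads 'ldd /sbin/init' output on stdin; returns 0 when init links libselinux.
init_links_libselinux() {
    grep -q 'libselinux\.so'
}

# Runs the checks on the live system (needs root). Usage: ./check.sh --live
run_live_checks() {
    if sestatus | sestatus_enabled; then
        echo "SELinux is enabled; the policy is loaded"
        return 0
    fi
    check_base_policy "$SELINUX_TYPE" "" || return $?
    if ! ldd /sbin/init | init_links_libselinux; then
        echo "init does not link libselinux: check the selinux USE flag, reinstall sys-apps/sysvinit"
        return 3
    fi
    echo "policy and init look fine: suspect a corrupt policy store"
}
if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```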

6.b. Unable to Log On

Problem Description

If you are unable to log on in a particular situation (remote, local, as root, as regular user, ...) there are a few possible problems which you might have hit. However, to resolve them you'll need to be able to log on to the system as sysadm_r in one way or the other.

If you cannot log in as a sysadm_r user, switch SELinux to permissive mode (boot with enforcing=0) so that no SELinux enforcements are made. Changes that you make in permissive mode are equally effective as in enforcing mode.

Incorrect Context

In the majority of cases you will find that a security context is incorrect. Run sestatus -v and compare the Process contexts or File contexts that you see in the output with the following lists.

Process contexts:

Init context
  Expected context: system_u:system_r:init_t
  If wrong: First, verify that init itself is correctly labeled. Check the output of the previously run sestatus -v command for the /sbin/init file and make sure that it is set to system_u:object_r:init_exec_t. If that is not the case, relabel sys-apps/sysvinit using rlpkg sysvinit. Also make the same checks as in the Unable To Load SELinux Policy section. Reboot your system and retry.

agetty context
  Expected context: system_u:system_r:getty_t
  If wrong: Make sure that the /sbin/agetty binary is labeled system_u:object_r:getty_exec_t. If not, relabel the sys-apps/util-linux package using rlpkg util-linux. Then restart all the agetty processes using pkill agetty (they will automatically respawn).

File contexts:

/bin/login
  Expected context: system_u:object_r:login_exec_t
  If wrong: The login binary is part of sys-apps/shadow. Run rlpkg shadow to relabel the files of that package and retry logging in.

/sbin/unix_chkpwd
  Expected context: system_u:object_r:chkpwd_exec_t
  If wrong: This binary is part of the sys-libs/pam package and is used by SSH when it is configured to use PAM for user authentication. Relabel the package using rlpkg pam and retry logging in.

/etc/passwd and /etc/shadow
  Expected contexts: system_u:object_r:etc_t for /etc/passwd, system_u:object_r:shadow_t for /etc/shadow
  If wrong: The /etc/passwd and /etc/shadow files must be labeled correctly, otherwise PAM will not be able to authenticate any user. Relabel the files through restorecon /etc/passwd /etc/shadow and retry logging in.

/bin/bash
  Expected context: system_u:object_r:shell_exec_t
  If wrong: The users' shell (in this case, bash) must be labeled correctly so the user can transition into the user domain when logging in. To do so, relabel the app-shells/bash package using rlpkg bash. Then, try logging in again.
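The comparison described above, as an added script that is not part of the handbook: it reads a saved copy of the sestatus -v output, compares each process and file context of the list with its expected type, and names the relabel command for every mismatch. The expected types and the commands are taken from the list; the input file argument and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the handbook: checks the contexts that
# 'sestatus -v' reports against the expected values listed above and
# prints the relabel command for every mismatch. Each table row is
# section|row label|expected type|fix command (section and fix per the text).
EXPECTED='process|Init context:|init_t|rlpkg sysvinit
process|/sbin/agetty|getty_t|rlpkg util-linux
file|/sbin/init|init_exec_t|rlpkg sysvinit
file|/sbin/agetty|getty_exec_t|rlpkg util-linux
file|/bin/login|login_exec_t|rlpkg shadow
file|/sbin/unix_chkpwd|chkpwd_exec_t|rlpkg pam
file|/etc/passwd|etc_t|restorecon /etc/passwd /etc/shadow
file|/etc/shadow|shadow_t|restorecon /etc/passwd /etc/shadow
file|/bin/bash|shell_exec_t|rlpkg bash'

# $1 = "process" or "file", $2 = row label; sestatus -v output on stdin.
# Prints the type field of the matching context (for symlink rows written
# as "a -> b" the target context is used), or nothing when the row is absent.
context_type() {
    awk -v sec="$1" -v key="$2" '
        /^Process contexts:/ { s = "process"; next }
        /^File contexts:/    { s = "file"; next }
        s == sec && index($0, key) == 1 {
            split($NF, f, ":"); print f[3]; exit
        }'
}

# $1 = file holding 'sestatus -v' output. Prints one line per wrong
# context and returns the number of mismatches (0 = everything as expected).
check_contexts() {
    bad=0
    while IFS='|' read -r sec key want fix; do
        got=$(context_type "$sec" "$key" < "$1")
        [ "$got" = "$want" ] && continue
        printf '%s [%s]: got %s, expected %s -> run: %s\n' \
            "$key" "$sec" "${got:-nothing}" "$want" "$fix"
        bad=$((bad + 1))
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}

# Usage on the SELinux host: sestatus -v > /tmp/sestatus.txt; sh check.sh /tmp/sestatus.txt
if [ -n "${1:-}" ]; then
    check_contexts "$1" || echo "$? context(s) need relabeling"
fi
```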

6.c. Unable to Emerge Anything (OSError: [Errno 22] Invalid argument)

Problem Description

When trying to install software with Portage, you get a huge Python stack trace that ends with the error message OSError: [Errno 22] Invalid argument:

Code Listing 3.1: Stacktrace dump when portage fails to install software

Traceback (most recent call last):
  File "/usr/bin/emerge", line 43, in <module>
    retval = emerge_main()
  File "/usr/lib64/portage/pym/_emerge/main.py", line 1906, in emerge_main
    myopts, myaction, myfiles, spinner)
  File "/usr/lib64/portage/pym/_emerge/actions.py", line 437, in action_build
    retval = mergetask.merge()
...
  File "/usr/lib64/portage/pym/portage/package/ebuild/doebuild.py", line 104, in _doebuild_spawn
    return spawn(cmd, settings, **kwargs)
  File "/usr/lib64/portage/pym/portage/package/ebuild/doebuild.py", line 1255, in spawn
    return spawn_func(mystring, env=mysettings.environ(), **keywords)
  File "/usr/lib64/portage/pym/portage/_selinux.py", line 105, in wrapper_func
    setexec(con)
  File "/usr/lib64/portage/pym/portage/_selinux.py", line 79, in setexec
    if selinux.setexeccon(ctx) < 0: 
OSError: [Errno 22] Invalid argument

Wrong Context

The above error appears when you launch Portage (through emerge) while you are not in the sysadm_t context. You can verify this with id -Z:

Code Listing 3.2: Checking current context

~# id -Z
system_u:system_r:local_login_t

As long as the context isn't sysadm_t, then Portage will break. This is because Portage wants to switch its execution context from portage_t to portage_sandbox_t but fails (it isn't in portage_t to begin with because the user who launched Portage isn't in sysadm_t).

Please check Unable to Log On above first. Also make sure that you run dispatch-conf or etc-update after installing SELinux so that /etc/pam.d/system-login is updated with the right pam_selinux.so calls.

Forcing Installation

If you need to force Portage to continue regardless (for instance, you were in the middle of a SELinux installation so cannot properly resolve such issues now), run the emerge command with FEATURES="-selinux". This effectively disables Portage's SELinux integration, but allows you to continue installing software.

Code Listing 3.3: Running emerge without selinux support

~# FEATURES="-selinux" emerge -u world

Make sure that you relabel the entire file system after using this approach! Portage will not label the files installed on the system correctly if you disable its SELinux support. To relabel the entire file system, use rlpkg -a -r.


Page updated April 10, 2012

Summary: Everything made by a human can and will fail. In this chapter we will try to keep track of all potential issues you might come across and how to resolve them.

Chris PeBenito
Author

Sven Vermeulen
Author

Chris Richards
Author

Copyright 2001-2014 Gentoo Foundation, Inc.