[ << ]
[ < ]
[ Home ]
[ > ]
[ >> ]
6. Troubleshooting SELinux
6.a. Unable To Load SELinux Policy
If you notice that SELinux is not functioning at all, a quick run of
sestatus should give you closure if SELinux is enabled and loaded or not.
If you get the following output, no SELinux policy is loaded:
Code Listing 1.1: sestatus output
SELinux status: disabled
If this is the case, read on in this section to find out how to troubleshoot and
No Policy Installed
One potential reason would be that there is no policy to load to begin with.
Take a look inside /usr/share/selinux/strict or
/usr/share/selinux/targeted (depending on your configuration) and
look for a file called base.pp. If no such file exists, you will
need to install the base policy. This policy is offered by the
sec-policy/selinux-base-policy package, but it is better to read up
on the chapter regarding Gentoo SELinux
Installation / Conversion as more important changes might be missing.
Policy Not Loaded
If the base.pp file exists in
/usr/share/selinux/strict (or targeted/), take a look
inside /etc/selinux/strict/policy. This location too should contain
a base.pp policy module (when a SELinux policy is loaded, it is
copied from the first location to the second).
If no base.pp file exists, install and load the policy:
Code Listing 1.2: Installing the base policy
~# semodule -n -B
This is a one-time operation - once installed and loaded, it will be reloaded
upon every reboot.
Init Can Not Load the SELinux Policy
During system boot, the init process is responsible for loading and
interacting with the SELinux policy in memory. If init does not support
SELinux, you will get no SELinux support in your environment.
To verify if init supports SELinux, we need to check if it uses the
libselinux.so shared object:
Code Listing 1.3: Checking if init supports SELinux
~# ldd /sbin/init
linux-vdso.so.1 => (0x00006ace30e84000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00006ace30a46000)
libc.so.6 => /lib/libc.so.6 (0x00006ace306e9000)
libdl.so.2 => /lib/libdl.so.2 (0x00006ace304e5000)
If this is not the case, make sure that emerge --info shows that the
selinux USE flag is in place, and reinstall sys-apps/sysvinit. If
the selinux USE flag is not in place, check your Gentoo profile and make sure it
points to a selinux/v2refpolicy/... profile.
Policy Store is Corrupt
If you encounter problems during boot-up or semodule operations which
fail with loading problems, but cannot be resolved with the above solution, then
you might need to reinstall the policies after eliminating the corrupt store.
Code Listing 1.4: Recovering from store corruption
~# semodule -n -B
libsemanage.semanage_load_module: Error while reading from module file
/etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory)
~# setenforce 0
~# mv /etc/selinux/targeted /etc/selinux/targeted.old
~# FEATURES="-selinux" emerge -1av $(qlist -IC sec-policy)
~# restorecon -R /etc/selinux
This will effectively disable the current, corrupted SELinux policy store and
then use Portage to reinstall all SELinux policy packages that are installed on
the system. When done, the file contexts of /etc/selinux are
restored, after which you should be able to continue.
6.b. Unable to Log On
If you are unable to log on in a particular situation (remote, local, as root,
as regular user, ...) there are a few possible problems which you might have
hit. However, to resolve them you'll need to be able to log on to the system as
sysadm_r in one way or the other.
If you can not log in as a sysadm_r user, disable SELinux (boot with
enforcing=0) so that no SELinux enforcements are made. Changes that you
make in permissive mode are equally effective as in enforcing mode.
In the majority of cases will you find that a security context is incorrect. Run
sestatus -v and compare the Process contexts or File
contexts that you see in the output with the next table.
||If wrong context...
First, verify that init itself is correclty labeled. Check the output of
the previously run sestatus -v command for the
/sbin/init file and make sure that it is set to
system_u:object_r:init_exec_t. If that is not the case, relabel
sys-apps/sysvinit using rlpkg sysvinit. Also make the
same checks as in the Unable To Load SELinux
Policy section. Reboot your system and retry.
Make sure that the /sbin/agetty binary is labeled
system_u:object_r:getty_exec_t. If not, relabel the
sys-apps/util-linux package using rlpkg util-linux. Then
restart all the agetty processes using pkill agetty (they will
||If wrong context...
The login binary is part of sys-apps/shadow. Run rlpkg
shadow to relabel the files of that package and retry logging in.
This binary is part of the sys-libs/pam package and is used by
SSH when it is configured to use PAM for user authentication. Relabel the
package using rlpkg pam and retry logging in.
The /etc/passwd and /etc/shadow must be labeled
correctly, otherwise PAM will not be able to authenticate any user. Relabel
the files through restorecon /etc/passwd /etc/shadow and retry
The users' shell (in this case, bash) must be labeled correctly so
the user can transition into the user domain when logging in. To do so,
relabel the app-shells/bash package using rlpkg bash.
Then, try logging in again.
6.c. Unable to Emerge Anything (OSError: [Errno 22] Invalid argument)
When trying to install software with Portage, you get a huge python stacktrace
and finally the error message OSError: [Errno 22] Invalid argument:
Code Listing 3.1: Stacktrace dump when portage fails to install software
Traceback (most recent call last):
File "/usr/bin/emerge", line 43, in <module>
retval = emerge_main()
File "/usr/lib64/portage/pym/_emerge/main.py", line 1906, in emerge_main
myopts, myaction, myfiles, spinner)
File "/usr/lib64/portage/pym/_emerge/actions.py", line 437, in action_build
retval = mergetask.merge()
File "/usr/lib64/portage/pym/portage/package/ebuild/doebuild.py", line 104, in _doebuild_spawn
return spawn(cmd, settings, **kwargs)
File "/usr/lib64/portage/pym/portage/package/ebuild/doebuild.py", line 1255, in spawn
return spawn_func(mystring, env=mysettings.environ(), **keywords)
File "/usr/lib64/portage/pym/portage/_selinux.py", line 105, in wrapper_func
File "/usr/lib64/portage/pym/portage/_selinux.py", line 79, in setexec
if selinux.setexeccon(ctx) < 0:
OSError: [Errno 22] Invalid argument
The above error comes when you launch portage (through emerge) while you
are not in sysadm_t context. You can verify this with id -Z:
Code Listing 3.2: Checking current context
~# id -Z
As long as the context isn't sysadm_t, then Portage will break. This is
because Portage wants to switch its execution context from portage_t to
portage_sandbox_t but fails (it isn't in portage_t to begin with
because the user who launched Portage isn't in sysadm_t).
Please check Unable to Log On above first. Also
make sure that you can dispatch-conf or etc-update after
installing SELinux so that /etc/pam.d/system-login is updated with
the right pam_selinux.so calls.
If you need to force Portage to continue regardless (for instance, you were in
the middle of a SELinux installation so cannot properly resolve such issues
now), run the emerge command but with FEATURES="-selinux". This
will effectively disable Portage' SELinux integration, but allows you to
continue installing software.
Code Listing 3.3: Running emerge without selinux support
~# FEATURES="-selinux" emerge -u world
Make sure that you relabel the entire file system after using this approach!
Portage will not label the files installed on the system correctly if you
disable its SELinux support. To relabel the entire file system, use rlpkg -a
[ << ]
[ < ]
[ Home ]
[ > ]
[ >> ]
The contents of this document, unless otherwise expressly stated, are licensed under the CC-BY-SA-2.5 license. The Gentoo Name and Logo Usage Guidelines apply.