[refpolicy] SELinux: Could not downgrade policy file 24 on PPC boards

TaurusHarry harrytaurus2002 at hotmail.com
Mon Aug 31 01:37:53 CDT 2009


Hi Smalley,

Thanks for helping me out once again, I really appreciate your kind help!

So far I have not found the root cause of why libsepol has not been properly compiled/installed for the PPC targets, but I am able to work around this issue by specifying OUTPUT_POLICY=23 in build.conf so that policy format downgrading won't have to take place at all.

Best regards,

Harry


> Subject: Re: [refpolicy] SELinux: Could not downgrade policy file 24 on PPC boards
> From: sds at tycho.nsa.gov
> To: harrytaurus2002 at hotmail.com
> CC: refpolicy at oss1.tresys.com
> Date: Fri, 28 Aug 2009 07:48:03 -0400
> 
> On Fri, 2009-08-28 at 09:01 +0000, TaurusHarry wrote:
> > Hi all,
> > 
> > I have installed the latest SELinux user space tools released at the
> > Tresys website on 2009-7-31, the max policy format version is 24. On the
> > other side the max policy version number on the latest kernel still is 23.
> > My approach is to first boot into "init=/bin/bash selinux=1" to load_policy
> > and then restore security contexts for the whole file system, second boot
> > up SELinux normally by "init=/sbin/bash selinux=1". On x86 targets (both
> > 32bit and 64bit) the load_policy program could finish uneventfully:
> > 
> >    bash-3.2# /usr/sbin/load_policy -q /etc/selinux/target/policy/policy.24
> >    type=1403 audit(1249926421.908:2): policy loaded auid=4294967295 ses=4294967295
> >    bash-3.2#
> > 
> > However, on PPC 32 target (such as fsl_8548cds) the load_policy could run
> > into the following error:
> > 
> >    bash-3.2# /usr/sbin/load_policy -q /etc/selinux/target/policy/policy.24
> >    SELinux:  Could not downgrade policy file /etc/selinux/target/policy/policy.24, searching for an older version.
> >    SELinux:  Could not open policy file <= /etc/selinux/wr-strict/policy/policy.24:  No such file or directory
> >    /usr/sbin/load_policy:  Can't load policy:  No such file or directory
> >    bash-3.2#
> >    bash-3.2# /usr/sbin/load_policy  -i
> >    type=1404 audit(1888.016:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
> >    libsepol.policydb_to_image: new policy image is invalid
> >    libsepol.policydb_to_image: could not create policy image
> >    SELinux:  Could not downgrade policy file /etc/selinux/wr-strict/policy/policy.24, searching for an older version.
> >    SELinux:  Could not open policy file <= /etc/selinux/wr-strict/policy/policy.24:  No such file or directory
> >    /usr/sbin/load_policy:  Can't load policy and enforcing mode requested:  No such file or directory
> >    bash-3.2#
> > 
> > The kernel I am using is 2.6.27, why would the policy downgrading from 24
> > to 23 succeed on x86 boards but fail on PPC boards? Do I have to update the
> > kernel to the latest 2.6.31? And is there anything special I must pay
> > attention to when building SELinux policy for the PPC target?
> > 
> > Any comments are greatly appreciated, thanks a lot!
> 
> This sounds like you have an older libsepol installed on the PPC system
> that does not know how to handle policy.24 and thus cannot downgrade it.
> 
> You can of course force policy to be built to a particular version by
> setting OUTPUT_POLICY in build.conf.
> 
> BTW, 2.6.27 had bugs in its open permission checking, so you should
> disable the open_perms capability in policy/policy_capabilities or back
> port the bug fixes to your kernel.
> 
> -- 
> Stephen Smalley
> National Security Agency
> 
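
The version mismatch discussed in this thread can be checked before calling load_policy. The following is an added example, not part of the original messages or of the SELinux userspace code: it reads the format version from a binary policy header and compares it with the maximum the running kernel reports. It assumes the kernel policy header layout read by libsepol (little-endian magic 0xf97cff8c, the string "SE Linux", then the version); the function names and the sample header are constructed for illustration.

```python
import struct
import sys

POLICYDB_MAGIC = 0xF97CFF8C    # magic number that opens a kernel binary policy
POLICYDB_STRING = b"SE Linux"  # identifier string that follows the magic

def policy_file_version(data):
    """Return the policy format version recorded in a binary policy header."""
    if len(data) < 8:
        raise ValueError("truncated policy header")
    # Header fields are little-endian on disk, also on big-endian PPC hosts.
    magic, strlen = struct.unpack_from("<II", data, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError("bad magic 0x%08x: not a kernel binary policy" % magic)
    end = 8 + strlen
    if data[8:end] != POLICYDB_STRING or len(data) < end + 4:
        raise ValueError("unexpected or truncated policy identifier string")
    return struct.unpack_from("<I", data, end)[0]

def kernel_max_version(paths=("/sys/fs/selinux/policyvers", "/selinux/policyvers")):
    """Return the highest policy version the running kernel accepts, or None."""
    for path in paths:
        try:
            with open(path) as f:
                return int(f.read().strip())
        except (OSError, ValueError):
            continue
    return None

def assess(data, kernel_max):
    """Say whether load_policy would need libsepol to downgrade this policy."""
    version = policy_file_version(data)
    if kernel_max is None:
        return "policy.%d: kernel maximum unknown (selinuxfs not mounted?)" % version
    if version > kernel_max:
        return ("policy.%d > kernel max %d: needs a libsepol that understands "
                "version %d, or rebuild with OUTPUT_POLICY=%d"
                % (version, kernel_max, version, kernel_max))
    return "policy.%d loads without downgrade (kernel max %d)" % (version, kernel_max)

# Constructed sample header: magic, length, "SE Linux", version 24, then
# config, symbol-table count and object-context count (arbitrary values).
SAMPLE = (struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING))
          + POLICYDB_STRING + struct.pack("<IIII", 24, 0, 7, 6))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read(64) if len(sys.argv) > 1 else SAMPLE
    print(assess(data, kernel_max_version()))
```

Run with the path of a policy file as the only argument; without one it evaluates the constructed sample header.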
