LinuxQuestions.org
Old 08-09-2010, 04:38 PM   #1
Rodnower
Member
 
Registered: Mar 2010
Posts: 54

Rep: Reputation: 15
Issues with selinux


Hello, I have very strange things happening with selinux. My post may be a bit disordered, because I don't completely understand what is going on.
Before all this, I had a good and very stable Linux installation:
CentOS 5.5
uname -a:
Linux andreys-comp 2.6.18-194.8.1.el5xen #1 SMP Thu Jul 1 19:41:05 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

getenforce
echo $?
0

But one day (yesterday) I decided to do "yum update" and in parallel:
cvs -d:pserver:anonymous@selinux.cvs.sourceforge.net:/cvsroot/selinux -z3 co nsa
(cvs downloaded all files to the /selinux directory, which it created itself)

After downloading I read the README, where it says that to completely install the self-compiled selinux I need to do:
make menuconfig
make
make install

I did only make (!), but directly after that my computer went crazy.
I don't know whether all this is because of the system update, or the selinux compilation, or both, but firefox stopped displaying pages, and when I try to run system-config-selinux, which I recently installed, I get:
/usr/lib64/python2.4/site-packages/selinux/_selinux.so: undefined symbol: selinux_check_securetty_context
and it does not run.
After that I rebooted the system; during system start-up I get a kernel panic and something like: "failed to apply selinux policy" (I don't remember exactly; the message doesn't stay on screen long enough because the computer goes down).
So what I did was boot from a LiveCD to disable selinux in the /etc/selinux/config file, but (!) (here comes the culmination) when I run ls on / of the LiveCD file system, I see:
[root@livecd /]# ls -la
total 180
.
drwxr-xr-x 4 root root 0 Aug 9 18:23 selinux
.

But it is a virtual filesystem! I remember that cvs downloaded all the source to /selinux.
This is the context of this directory: system_u:object_r:security_t
What is more, the /selinux directory even had files inside it. One of them was a null character device.
Is this a regular directory of the LiveCD's file system? Or is this the directory recently created by cvs, in some mysterious storage and insidiously mounted onto the root file system of the LiveCD?

After that I mounted my hard disk's root file system, did ls and found my selinux directory, which stays there completely competently:

[root@livecd VolGroup00-LogVol01]# ls -la
total 240
.
drwxr-xr-x 2 root root 4096 Jun 5 07:01 selinux
.

but (!) this directory was now empty inside!
This is the context of the directory: system_u:object_r:file_t

These are the mounts that were present in LiveCD mode:
/dev/mapper/live-rw on / type ext3 (rw,noatime)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/dev/hdc on /mnt/live type iso9660 (ro)
/dev/sda2 on /mnt/disc/sda2 type ext3 (ro)
/dev/sda6 on /mnt/disc/sda6 type vfat (ro,uid=500)
/dev/mapper/VolGroup00-LogVol01 on /mnt/lvm/VolGroup00-LogVol01 type ext3 (rw)
/dev/mapper/VolGroup00-LogVol00 on /mnt/lvm/VolGroup00-LogVol00 type ext3 (ro)

After all this I disabled selinux in the appropriate file:
SELINUX=disabled
SELINUXTYPE=targeted
SETLOCALDEFS=0

and restarted the computer. After booting up, I do ls on root again and see that I again have the selinux directory, but it is again empty!

[root@andreys-comp selinux]# pwd
/selinux
[root@andreys-comp selinux]# ls
[root@andreys-comp selinux]#

What is more, when I booted from the hard disk, I mounted the squashfs.img from the LiveCD and the ext3fs.img inside it, which contains the whole root file system, and this is what I see:

[root@andreys-comp isotemp2]# mount
.
/isotemp/LiveOS/ext3fs.img on /isotemp2 type ext3 (ro,loop=/dev/loop1)
.
[root@andreys-comp isotemp2]# ls -l
total 180
.
drwxr-xr-x 2 root root 4096 Oct 2 2009 selinux
.
[root@andreys-comp isotemp2]# cd selinux/
[root@andreys-comp selinux]# ls
[root@andreys-comp selinux]#

It is also empty!
Where is all the selinux code?

Now, maybe I have said a lot about selinux folders, but the question about my general trouble with selinux is no less important to me.
So, if I enable selinux I get a kernel panic (even if I boot into runlevel 1).
After booting with the LiveCD and disabling it, everything works again.

So I have two questions:
1. Where are all the compiled selinux objects?
2. How do I give harmony and peace back to my computer's world?

Thank you in advance.

Last edited by Rodnower; 08-09-2010 at 04:39 PM.
 
Old 08-09-2010, 05:14 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I don't know what you intended to do at selinux.cvs.sourceforge.net but the reference policy is at 'git clone http://oss.tresys.com/git/refpolicy.git', see the SELinux Project Wiki for more. As for you running only 'make', I strongly doubt that... Anyway, for a quickie try restoring a backup (you do make backups, right?) or reinstall all the `grep -i selinux /var/log/rpmpkgs`. Else to restore your system you should run a CentOS Live CD, mount your host LVMs and run 'rpm --nodeps --nosignature --noscripts --notriggers --dbpath /mnt/lvm/VolGroup00-{LOGVOLNAME}/var/lib/rpm --root /mnt/lvm/VolGroup00-{LOGVOLNAME}/ -Vva | grep -v '^.\{8\}[[:blank:]]\{2\}' > /path/to/log' to assess the damage. This list should then be scrutinized very carefully before feeding it into a 'rpm --dbpath /mnt/lvm/VolGroup00-{LOGVOLNAME}/var/lib/rpm --root /mnt/lvm/VolGroup00-{LOGVOLNAME}/ -qf' loop to determine which package the file belongs to with the intent to reinstall it (may require use of --force). * If you want to bypass all the "--dbpath /mnt/lvm/VolGroup00-{LOGVOLNAME}/var/lib/rpm --root /mnt/lvm/VolGroup00-{LOGVOLNAME}/" then try booting the machine with SELinux disabled.
 
1 members found this post helpful.
Old 08-09-2010, 09:46 PM   #3
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,624

Rep: Reputation: 2651
First, WHY build the svn selinux????
svn is testing and NOT stable for Cent or RHEL

The Cent repos are fine and built for CentOS 5.5 - and SE and the policies will auto update
I have never needed to (or wanted to) build the SE k-mod from scratch (about a 4+ hour process)

Also "setenforce 0" is not needed for an update
 
Old 08-11-2010, 02:11 PM   #4
Rodnower
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unSpawn View Post
I don't know what you intended to do at ...
Thank you for the reply. I tried to do this from a normal boot with selinux disabled. I get a long list of lines, each one beginning with "prelink:".
As I understand it, these are files for which other files they are linked to were modified. Is that right?
Two of the lines were:

prelink: /lib/libssl.so.0.9.8e: Could not parse `/lib/libssl.so.0.9.8e: error while loading shared libraries: libselinux.so.1: wrong ELF class: ELFCLASS64'
prelink: /usr/lib/libcurl.so.3.0.0: Could not parse `/usr/lib/libcurl.so.3.0.0: error while loading shared libraries: libselinux.so.1: wrong ELF class: ELFCLASS64'

I found the package with rpm -qf, but when I tried to do:

yum reinstall libselinux-1.33.4-5.5.el5

the command hung. I guess this is because the file is in use, so I want to try doing this with the LiveCD, when it will not be in use. Generally my computer behaves very strangely, like Windows attacked by a virus...

And one more thing: why, in your grep regular exception, do you match two spaces after eight characters? Why does this work at all? I ask because the matched lines have only one space after the first eight characters, and your expression does not have '*' to match all the rest of the line.
 
Old 08-11-2010, 02:16 PM   #5
Rodnower
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by John VV View Post
First, WHY build the svn selinux????
svn is testing and NOT stable for Cent or RHEL

The Cent repos are fine and built for CentOS 5.5 - and SE and the policies will auto update
I have never needed to (or wanted to) build the SE k-mod from scratch (about a 4+ hour process)
Yes, you are possibly right, there is no reason to compile selinux from scratch. I simply wanted to see what compiled selinux looks like: its directory structure, file formats etc...

Quote:
Originally Posted by John VV View Post
Also "setenforce 0" is not needed for an update
I did not do setenforce 0. I posted:
getenforce
echo $?
0

to show that selinux was active (0 in $? indicates a successful command return)
 
Old 08-11-2010, 04:05 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Rodnower View Post
prelink: (..) error while loading shared libraries: (..) wrong ELF class: ELFCLASS64
Looks like you've mixed up 32 and 64bit packages?


Quote:
Originally Posted by Rodnower View Post
I found the package with rpm -qf, but when I tried to do:
yum reinstall libselinux-1.33.4-5.5.el5
the command hung. I guess this is
I don't deal with guessing well. Best run 'yum' in debug ("-d n") and verbose ("-v") mode and see if that shows clues and if you use 64bit then you should use libselinux-1.33.4-5.5.el5.x86_64.


Quote:
Originally Posted by Rodnower View Post
Generally my computer behaves very strangely, like Windows attacked by a virus...
Please let's not try and compare the incomparable.


Quote:
Originally Posted by Rodnower View Post
And one more thing: why, in your grep regular exception, do you match two spaces after eight characters? Why does this work at all? I ask because the matched lines have only one space after the first eight characters, and your expression does not have '*' to match all the rest of the line.
It's "regular expression", or regex for short, because eight dots mean "all OK" and I'm not interested in the third position after eight dots and because since I already got eight dots and two spaces I don't need to greedy-match it with '.*$'?


Quote:
Originally Posted by Rodnower View Post
I simply wanted to see what compiled selinux looks like: its directory structure, file formats etc...
This underlines the importance of 0) making backups and 1) using virtualization for mucking around...
 
1 members found this post helpful.
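The filtering step discussed in posts #2 and #6, as an added example that is not part of the thread: a shell function that reads `rpm -Vva`-style output and lists only the files that are missing or failed an attribute test, naming the failed tests. The sample lines and function names are constructed for illustration, and the flag letters assumed are rpm's S, M, 5, D, L, U, G, T and P.

```shell
#!/bin/sh
# Added example, not from the thread. All sample lines are constructed.

# Constructed sample in the layout `rpm -Vva` prints: a flags field,
# an optional file-type marker (c = config, d = doc), then the path.
sample_rpm_verify_output() {
    cat <<'EOF'
........    /usr/sbin/getenforce
S.5....T  c /etc/selinux/config
missing     /usr/lib/libselinux.so.1
..5....T    /lib64/libselinux.so.1
prelink: /lib/libssl.so.0.9.8e: Could not parse (constructed, shortened)
........  d /usr/share/man/man8/selinux.8.gz
EOF
}

# Read verify output on stdin; print "path<TAB>reasons" for every file
# that is missing or has at least one failed attribute test.
rpm_verify_failures() {
    awk '
    BEGIN {
        why["S"] = "size";   why["M"] = "mode";    why["5"] = "digest"
        why["D"] = "device"; why["L"] = "symlink"; why["U"] = "owner"
        why["G"] = "group";  why["T"] = "mtime";   why["P"] = "capabilities"
        why["?"] = "unreadable"
    }
    /^prelink:/ { next }          # linker diagnostics, not verify lines
    { flags = $1; path = substr($0, index($0, "/")) }
    flags == "missing" { print path "\tmissing"; next }
    # [.] is a literal dot; a flags field made only of dots passed every test
    flags ~ /^[.?SM5DLUGTP]+$/ && flags !~ /^[.]+$/ {
        reasons = ""
        for (i = 1; i <= length(flags); i++) {
            c = substr(flags, i, 1)
            if (c != ".") reasons = reasons (reasons == "" ? "" : ",") why[c]
        }
        print path "\t" reasons
    }'
}

sample_rpm_verify_output | rpm_verify_failures
```

Each path it prints can then be passed to `rpm -qf` with the same `--root` and `--dbpath` options to find the owning package.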
Old 08-13-2010, 09:12 AM   #7
Rodnower
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
So now "yum reinstall" works without hanging. This is what was reinstalled:
Reinstalling:
libselinux i386 1.33.4-5.5.el5 base 76 k
libselinux x86_64 1.33.4-5.5.el5 base 77 k

After that I removed libselinux.i386 (very, very many packages that depended on this library were removed too).

After that I set SELINUX=permissive in /etc/selinux/config, but getenforce prints: disabled.
If I set SELINUX=enforcing, I get a kernel panic at boot time.

What do I need to do now?

Last edited by Rodnower; 08-13-2010 at 10:11 AM.
 
Old 08-14-2010, 12:38 PM   #8
Rodnower
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
So I decided simply to reinstall the system.
 
  

