author | 2011-08-22 21:19:38 +0200 | |
---|---|---|
committer | 2011-08-22 21:19:38 +0200 | |
commit | 8b9895c49057e7e499d22cf80748a94a8dab148f (patch) | |
tree | 844e5d5ab3a09857443fc5e85f0f0391c6366540 /html/selinux-faq.html | |
parent | Adding FAQ entry on the policy version mixing !#^$@°à (diff) | |
Update previews
Diffstat (limited to 'html/selinux-faq.html')
-rw-r--r-- | html/selinux-faq.html | 54 |
1 files changed, 53 insertions, 1 deletions
diff --git a/html/selinux-faq.html b/html/selinux-faq.html index e9c8608..ea9f968 100644 --- a/html/selinux-faq.html +++ b/html/selinux-faq.html @@ -79,6 +79,7 @@ as well. Cron fails to load in root's crontab with message '(root) ENTRYPOINT FAILED (crontabs/root)' </a></li> +<li><a href="#missingdatum">When querying the policy, I get 'ERROR: could not find datum for type ...'</a></li> </ul> <p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2. </span>General SELinux Support Questions</p> 
@@ -504,11 +505,62 @@ To fix this, change the user of the file to root: Another fix would be to disable UBAC completely. This is accomplished with <span class="code" dir="ltr">USE="-ubac"</span>. </p> +<p class="secthead"><a name="missingdatum"></a><a name="doc_chap5_sect7">When querying the policy, I get 'ERROR: could not find datum for type ...'</a></p> +<p> +When using <span class="code" dir="ltr">seinfo</span> or <span class="code" dir="ltr">sesearch</span> to query the policy on the system, +you get errors similar to: +</p> +<a name="doc_chap5_pre10"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.10: Triggering the 'could not find datum' error</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +~# <span class="code-input">seinfo -tasterisk_t</span> +ERROR: could not find datum for type asterisk_t +</pre></td></tr> +</table> +<p> +This is most likely because your tools are using a newer binary policy to +enforce policy, but an older binary for querying. 
You can verify if this is the +case by listing the last modification time on the files: +</p> +<a name="doc_chap5_pre11"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.11: Checking last modification time of the policy files</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +~# <span class="code-input">ls -ltr /etc/selinux/strict/policy/policy.*</span> +</pre></td></tr> +</table> +<p> +The file modified last should be the same one as returned by checking +<span class="path" dir="ltr">/selinux/policyvers</span>: +</p> +<a name="doc_chap5_pre12"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.12: Checking the runtime policy version</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +~# <span class="code-input">cat /selinux/policyvers; echo</span> +24 +</pre></td></tr> +</table> +<p> +If this is not the case (which is very likely since you are reading this FAQ +entry) then try forcing the utilities policy version to the correct version: +</p> +<a name="doc_chap5_pre13"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0"> +<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing5.13: Editing semanage.conf</p></td></tr> +<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre> +~# <span class="code-input">vim /etc/selinux/semanage.conf</span> +<span class="code-comment"># Look for and uncomment the policy-version line and set it to the right version</span> +policy-version = <span class="code-input">24</span> +</pre></td></tr> +</table> +<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b> +If your system is upgrading its kernel, higher version(s) can be supported. 
In +this case, either unset the value again to automatically "jump" to a higher +version, or force set it to the higher version. +</p></td></tr></table> <br><br> </td> <td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> <tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="selinux-faq.xml?style=printable">Print</a></p></td></tr> -<tr><td class="topsep" align="center"><p class="alttext">Updated August 10, 2011</p></td></tr> +<tr><td class="topsep" align="center"><p class="alttext">Updated August 22, 2011</p></td></tr> <tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> Frequently Asked Questions on SELinux integration with Gentoo Hardened. The FAQ is a collection of solutions found on IRC, mailinglist, forums or |
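Review bot: In the second hunk (@@ -504,11 +505,62 @@), Code Listing 5.11 hardcodes the path `/etc/selinux/strict/policy/policy.*`, so the check as written only applies to systems using the strict policy type, and the paragraph after it ("The file modified last should be the same one as returned by checking /selinux/policyvers") never says what is being compared: a reader has to infer that the suffix of the most recently modified policy file must equal the number printed in Listing 5.12 (24). Suggest writing the path with the policy type as a placeholder and stating the suffix comparison explicitly. Listing 5.13 also stops at editing `policy-version = 24` in semanage.conf without saying whether the policy has to be rebuilt or reloaded before seinfo and sesearch stop reporting the error; one sentence on that would complete the procedure. Minor: the code titles render as "Code Listing5.10" through "Code Listing5.13" with no space after "Listing", which should be fixed in the source or stylesheet that generates this preview if it is not intentional.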