I've been running a couple of Gentoo SELinux systems using the stock reference policy for a few months now, for testing & policy development, but have recently run into a snag. The SELinux folks directed me here since it seems to be only Gentoo that's giving me problems.
The latest refpolicy requires versions of the SELinux userland that aren't yet in portage. So I created a local overlay and wrote ebuilds for all of them, which seemed to work fine. However, on more than one machine, I can reproduce a problem by upgrading libselinux from the latest version in portage to the latest development version (1.34.14 -> 2.0.65).
As soon as I install the v2.0 library, my system stops booting properly until I either disable SELinux in the kernel, or back down to 1.34.14. The problem manifests itself by causing every app that runs out of init to fail immediately. None of the /sbin/rc scripts run, and as soon as the gettys launch they immediately crash until init stops respawning them. CTRL-ALT-DEL also doesn't work, as init doesn't create the /dev/initctl socket, and only a hard power-down can get me out of this state.
If I boot with either "selinux=0" or "emergency" kernel parameters, the system boots but obviously not in a usable SELinux state. I have successfully used the new v2.0 set of userland tools on at least one other Gentoo system, as well as Fedora, with no issues. It only seems to happen if I start with the v1 library then upgrade to the v2 library, but I can't find any particular application that links to libselinux that would need to be rebuilt. I tried rebuilding init, pam, login, and agetty and none of that helped.
I'm not sure how to even start debugging this problem, though I'd be happy to spend the time if I could figure out how :) The system logger and audit daemons don't start when the failure occurs, I can't log in to trace the apps, and I'm not finding any core dumps anywhere. Can anyone point me in the right direction here?