[CentOS] SELinux : semodule_package, magic number does not match
Daniel J Walsh
dwalsh at redhat.com
Tue Jan 18 14:24:36 UTC 2011
On 01/18/2011 03:13 AM, Philippe Naudin wrote:
> Le lun 17 jan 2011 14:32:22 CET, Daniel J Walsh a écrit:
>
>> On 01/17/2011 08:25 AM, Philippe Naudin wrote:
>>> Hello,
>>>
>>> I am trying to create a custom policy, but with no success:
>>>
>>> $ cat <<EOF> foo.te
>>> module local 1.0;
>>>
>>> require {
>>> type httpd_sys_script_exec_t;
>>> type httpd_sys_script_t;
>>> class lnk_file read;
>>> }
>>>
>>> #============= httpd_sys_script_t ==============
>>> allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
>>> EOF
>>>
>>> $ checkmodule -M -m -o foo.mod foo.te
>>> checkmodule: loading policy configuration from foo.te
>>> checkmodule: policy configuration loaded
>>> checkmodule: writing binary representation (version 6) to foo.mod
>>>
>>> $ semodule_package -o foo.pp -m foo.mod
>>> $ echo $?
>>> 0
>>> # So far, so good. But:
>>>
>>> $ checkmodule -b foo.pp
>>> checkmodule: loading policy configuration from foo.pp
>>> libsepol.policydb_read: policydb magic number 0xf97cff8f does not match
>>> expected magic number 0xf97cff8c or 0xf97cff8d
>>> checkmodule: error(s) encountered while parsing configuration
>>> # And trying to "semodule -i foo.pp" fails completely.
>>>
>> Wrong command.
>>
>> semodule -i foo.pp
>
> Yes, I have tried this one too:
>
> $ semodule -i /usr/share/selinux/targeted/http_lnk_exec.pp
> $ echo $?
> 0
>
> Everything seems OK, but:
> $ semodule -l
> aisexec 1.0.0
> amavis 1.1.0
> ccs 1.0.0
> clamav 1.1.0
> clogd 1.0.0
> dcc 1.1.0
> dnsmasq 1.1.1
> evolution 1.1.0
> ipsec 1.4.0
> iscsid 1.0.0
> local 1.0
> milter 1.0.0
> mozilla 1.1.0
> mplayer 1.1.0
> nagios 1.1.0
> oddjob 1.0.1
> pcscd 1.0.0
> postgrey 1.1.0
> prelude 1.0.0
> pyzor 1.1.0
> qemu 1.1.2
> razor 1.1.0
> rgmanager 1.0.0
> rhcs 1.1.0
> ricci 1.0.0
> smartmon 1.1.0
> spamassassin 1.9.0
> vhostmd 1.0.0
> virt 1.2.1
> zosremote 1.0.0
>
> My module is not listed, and testing shows that the new rule is not
> used:
> $ audit2why < /var/log/audit/audit.log | grep AVC
> type=AVC msg=audit(1295337185.859:297): avc: denied { read } for
> pid=1854 comm="httpd" name="post-commit" dev=sda3 ino=295635
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file
>
>> I am not sure what
>>
>> checkmodule -b foo.pp
>>
>> will do.
>
> Without "-o", it is supposed to check the syntax of foo.pp. It is
> the only explanation I can get on why "semodule -i" fails in my case.
>
> Any other suggestion? I am completely stuck...
>
I always build my pp files using
make -f /usr/share/selinux/devel/Makefile
And do not pay much attention to the man behind the curtain. The only
reason I can imagine for a screw-up would be a tool chain difference.
Are you using the same versions of the tool chain (checkpolicy,
libsemanage, policycoreutils, libselinux, selinux-policy) as shipped with
RHEL5?
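As an added illustration (not part of the thread), the three magic numbers in the checkmodule error explain the failure: checkmodule -b reads a raw policydb (kernel or module), while semodule_package wraps foo.mod into a package with its own header, so the .pp is the wrong input for that check but the right one for semodule -i. The package layout used here (magic, version, section count, section offsets, first section being the module policydb) is assumed from libsepol, and the sample bytes are constructed:

```python
import struct

# Magic numbers quoted in the thread's checkmodule error (libsepol constants).
POLICYDB_MAGIC = 0xf97cff8c              # kernel binary policy
POLICYDB_MOD_MAGIC = 0xf97cff8d          # policy module written by checkmodule -M -m (foo.mod)
SEPOL_MODULE_PACKAGE_MAGIC = 0xf97cff8f  # module package written by semodule_package (foo.pp)

KNOWN = {
    POLICYDB_MAGIC: "kernel policydb (readable with checkmodule -b)",
    POLICYDB_MOD_MAGIC: "module policydb (.mod, readable with checkmodule -b)",
    SEPOL_MODULE_PACKAGE_MAGIC: "module package (.pp, install with semodule -i)",
}


def identify_policy_file(data: bytes) -> dict:
    """Classify a binary SELinux policy artefact from its header magic."""
    if len(data) < 4:
        raise ValueError("file too short to contain a policy magic number")
    (magic,) = struct.unpack_from("<I", data, 0)  # libsepol writes headers little-endian
    info = {"magic": f"0x{magic:08x}", "kind": KNOWN.get(magic, "unknown")}
    if magic == SEPOL_MODULE_PACKAGE_MAGIC and len(data) >= 12:
        # Assumed package header (from libsepol): magic, version, nsec, then nsec offsets.
        version, nsec = struct.unpack_from("<II", data, 4)
        offsets = struct.unpack_from("<%dI" % nsec, data, 12)
        info["package_version"] = version
        info["sections"] = nsec
        # The first section is the embedded module policydb; verify its own magic.
        if nsec and offsets[0] + 4 <= len(data):
            (first_magic,) = struct.unpack_from("<I", data, offsets[0])
            info["embedded_module_ok"] = first_magic == POLICYDB_MOD_MAGIC
    return info


def checkmodule_b_would_accept(data: bytes) -> bool:
    """checkmodule -b accepts only the two policydb magics named in the thread's error."""
    (magic,) = struct.unpack_from("<I", data, 0)
    return magic in (POLICYDB_MAGIC, POLICYDB_MOD_MAGIC)


# Constructed samples: a .pp header with one section (the module) at offset 16, and a bare .mod.
SAMPLE_PP = (struct.pack("<IIII", SEPOL_MODULE_PACKAGE_MAGIC, 1, 1, 16)
             + struct.pack("<I", POLICYDB_MOD_MAGIC) + b"\0" * 12)
SAMPLE_MOD = struct.pack("<I", POLICYDB_MOD_MAGIC) + b"\0" * 12

if __name__ == "__main__":
    print(identify_policy_file(SAMPLE_PP))
    print("checkmodule -b accepts foo.pp:", checkmodule_b_would_accept(SAMPLE_PP))
```

Run it against a real file with `identify_policy_file(open("foo.pp", "rb").read())` to see which tool the artefact is meant for.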