[CentOS] CentOS 6, selinux, and user modules

Sat Aug 2 18:39:38 UTC 2014
Harold Pritchett <harold at uga.edu>

On 8/1/2014 10:47 PM, Gardner Bell wrote:
>
>
> On 1 August 2014 22:33, Harold Pritchett <harold at uga.edu> wrote:
>
>> I am having problems making selinux modules on CentOS 6.
>>
>> Under CentOS 5, the following procedure works:
>>
>> Procedure to make an selinux policy named mickey1...
>>
>> # su -
>> # cd /var/log/audit
>> # rm *
>> # service auditd restart
>> # echo 0 > /selinux/enforce
>> # Do whatever selinux is blocking...
>> # echo 1 > /selinux/enforce
>> # touch /.autorelabel
>> # shutdown -fr now
>>
>> log back on as root...
>>
>> # cd /root
>> # mkdir tmp selinux
>> # cd tmp
>> # chcon -R -t usr_t .
>> # ln -s /usr/share/selinux/devel/Makefile .
>> # audit2allow -m mickey1 -i /var/log/audit/audit.log -o mickey1.te
>> # make -f /usr/share/selinux/devel/Makefile
>> # mv filename.te filename.pp ../selinux/
>> # cd ../selinux
>> # semodule -i filename.pp
>>
>> This works fine on CentOS 5.  I have been doing this on half a dozen
>> servers I support.
>>
>> Unfortunately, on CentOS 6 I get the following:
>>
>> # semodule -i mickey1.pp
>> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> (No such file or directory).
>> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
>> directory).
>> semodule:  Failed!
>>
>> Does anyone have any idea what I am doing wrong?  How do I get this to
>> work on CentOS 6?  I've googled this until I'm blue in the face and can't
>> seem to find the answer.
>>
>> More info:
>>
>> # cat /etc/redhat-release
>> CentOS release 6.5 (Final)
>>
>> # uname -a
>> Linux xyzzy.plugh.net 2.6.32-431.20.5.el6.x86_64 #1 SMP Fri Jul 25
>> 08:34:44 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>
>> # rpm -qa | grep selinux
>> selinux-policy-minimum-3.7.19-231.el6_5.3.noarch
>> libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
>> selinux-policy-targeted-3.7.19-231.el6_5.3.noarch
>> selinux-policy-doc-3.7.19-231.el6_5.3.noarch
>> libselinux-python-2.0.94-5.3.el6_4.1.x86_64
>> libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
>> libselinux-2.0.94-5.3.el6_4.1.i686
>> selinux-policy-mls-3.7.19-231.el6_5.3.noarch
>> selinux-policy-3.7.19-231.el6_5.3.noarch
>> libselinux-2.0.94-5.3.el6_4.1.x86_64
>>
>> Thanks,
>>
>> Harold
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
> Should you maybe recompile the module with the -M switch?
> *-M,--mls* Enable the MLS/MCS support when checking and compiling the
> policy module.
>
>

Please don't top post...  It makes it hard to follow the discussion.

Using this advice, I checked out the Makefile which compiles the module.  It uses the file "/etc/selinux/config" to determine the type of module to make.  So, I changed:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

to

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=mls

ran "make clean" followed by "make" with the following results:

# make
Compiling mls spamass-milter module
/usr/bin/checkmodule:  loading policy configuration from tmp/spamass-milter.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/spamass-milter.mod
Creating mls spamass-milter.pp policy package
rm tmp/spamass-milter.mod.fc tmp/spamass-milter.mod

Followed by:

# semodule -vi spamass-milter.pp
Attempting to install module 'spamass-milter.pp':
Ok: return value of 0.
Committing changes:
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base. (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

# semodule -l | grep spam
spamassassin    2.2.0

Still no joy!  The make command claims to have made a mls policy package, but the semodule -i command says it's non-MLS.

I'm confused...

Thanks

Harold
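The procedure quoted at the top of this thread feeds the whole audit log to `audit2allow`, which turns every recorded denial into an `allow` rule. Before building and loading such a module it is worth seeing exactly which denials are about to be permitted. The script below is an added example, not code from the thread or from the SELinux project: it parses AVC "denied" records (the sample lines are constructed, not taken from the poster's machine), groups them by source type, target type and object class, prints the `allow` rule each group would become, and flags groups that touch a small, constructed review list of sensitive target types or risky permissions. Contexts with MLS/MCS levels such as `s0-s0:c0.c1023` are handled, since the type is always the third colon-separated field. It does not replace `audit2allow` (no `dontaudit`, booleans, or interface lookup); it is a pre-review step.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records shaped like the AVC lines audit2allow
# consumes. The last line is a SYSCALL record and is ignored by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1406949000.101:201): avc:  denied  { read } for  pid=2201 comm="spamass-milter" name="local.cf" dev=dm-0 ino=40321 scontext=system_u:system_r:spamass_milter_t:s0 tcontext=system_u:object_r:spamd_etc_t:s0 tclass=file
type=AVC msg=audit(1406949000.102:202): avc:  denied  { write } for  pid=2201 comm="spamass-milter" name="spamass-milter.sock" dev=dm-0 ino=51 scontext=system_u:system_r:spamass_milter_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1406949000.103:203): avc:  denied  { read } for  pid=2201 comm="spamass-milter" name="shadow" dev=dm-0 ino=78 scontext=system_u:system_r:spamass_milter_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1406949000.104:204): avc:  denied  { execmem } for  pid=2201 comm="spamass-milter" scontext=system_u:system_r:spamass_milter_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamass_milter_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1406949000.104:204): arch=c000003e syscall=10 success=no exit=-13 ...
"""

# Constructed, deliberately short review lists (assumption: extend for your site).
SENSITIVE_TYPES = {"shadow_t", "security_t", "selinux_config_t"}
RISKY_PERMS = {"execmem", "execstack", "execheap", "ptrace", "load_policy", "setenforce"}

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+pid=(?P<pid>\d+)'
    r' comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r' tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type[:level] -> type. Levels may themselves contain ':'."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text):
    """Yield one dict per AVC 'denied' record; other audit record types are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield {
            "pid": int(m.group("pid")),
            "comm": m.group("comm"),
            "perms": m.group("perms").split(),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        }


def allow_rule(stype, ttype, tclass, perms):
    """Render the allow rule audit2allow would emit for this group."""
    perms = sorted(perms)
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {perm_str};"


def summarize(log_text):
    """Group denials by (source type, target type, class) and flag ones needing review."""
    groups = defaultdict(set)
    for d in parse_avc_denials(log_text):
        groups[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])

    rows = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        review = []
        if ttype in SENSITIVE_TYPES:
            review.append(f"target type {ttype} is on the sensitive list")
        risky = sorted(perms & RISKY_PERMS)
        if risky:
            review.append("risky permission(s): " + " ".join(risky))
        rows.append({
            "stype": stype, "ttype": ttype, "tclass": tclass,
            "perms": sorted(perms),
            "rule": allow_rule(stype, ttype, tclass, perms),
            "review": review,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_AUDIT_LOG):
        marker = "REVIEW" if row["review"] else "ok    "
        print(f"{marker}  {row['rule']}")
        for reason in row["review"]:
            print(f"          - {reason}")
```

Run it against a real `/var/log/audit/audit.log` by reading the file into `summarize()`; anything marked `REVIEW` is a denial you probably do not want to silence with a blanket `allow`, and is a good candidate for relabeling, a boolean, or a narrower rule instead.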