-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 01/18/2011 03:13 AM, Philippe Naudin wrote:
> On Mon 17 Jan 2011 14:32:22 CET, Daniel J Walsh wrote:
>> On 01/17/2011 08:25 AM, Philippe Naudin wrote:
>>> Hello,
>>>
>>> I am trying to create a custom policy, but with no success:
>>>
>>> $ cat <<EOF> foo.te
>>> module local 1.0;
>>>
>>> require {
>>>     type httpd_sys_script_exec_t;
>>>     type httpd_sys_script_t;
>>>     class lnk_file read;
>>> }
>>>
>>> #============= httpd_sys_script_t ==============
>>> allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
>>> EOF
>>>
>>> $ checkmodule -M -m -o foo.mod foo.te
>>> checkmodule: loading policy configuration from foo.te
>>> checkmodule: policy configuration loaded
>>> checkmodule: writing binary representation (version 6) to foo.mod
>>>
>>> $ semodule_package -o foo.pp -m foo.mod
>>> $ echo $?
>>> 0
>>> # So far, so good. But:
>>>
>>> $ checkmodule -b foo.pp
>>> checkmodule: loading policy configuration from foo.pp
>>> libsepol.policydb_read: policydb magic number 0xf97cff8f does not match expected magic number 0xf97cff8c or 0xf97cff8d
>>> checkmodule: error(s) encountered while parsing configuration
>>> # And trying to "semodule -i foo.pp" fails completely.
>>
>> Wrong command.
>>
>> semodule -i foo.pp
>
> Yes, I have tried this one too:
>
> $ semodule -i /usr/share/selinux/targeted/http_lnk_exec.pp
> $ echo $?
> 0
>
> Everything seems OK, but:
>
> $ semodule -l
> aisexec 1.0.0
> amavis 1.1.0
> ccs 1.0.0
> clamav 1.1.0
> clogd 1.0.0
> dcc 1.1.0
> dnsmasq 1.1.1
> evolution 1.1.0
> ipsec 1.4.0
> iscsid 1.0.0
> local 1.0
> milter 1.0.0
> mozilla 1.1.0
> mplayer 1.1.0
> nagios 1.1.0
> oddjob 1.0.1
> pcscd 1.0.0
> postgrey 1.1.0
> prelude 1.0.0
> pyzor 1.1.0
> qemu 1.1.2
> razor 1.1.0
> rgmanager 1.0.0
> rhcs 1.1.0
> ricci 1.0.0
> smartmon 1.1.0
> spamassassin 1.9.0
> vhostmd 1.0.0
> virt 1.2.1
> zosremote 1.0.0
>
> My module is not listed, and testing shows that the new rule is not used:
>
> $ audit2why < /var/log/audit/audit.log | grep AVC
> type=AVC msg=audit(1295337185.859:297): avc: denied { read } for pid=1854 comm="httpd" name="post-commit" dev=sda3 ino=295635 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file
>
>> I am not sure what
>>
>> checkmodule -b foo.pp
>>
>> will do.
>
> Without "-o", it is supposed to check the syntax of foo.pp. It is the only explanation I can get on why "semodule -i" fails in my case.
>
> Any other suggestion? I am completely stuck...
I always build my pp files using

    make -f /usr/share/selinux/devel/Makefile

and do not pay much attention to the man behind the curtain. The only reason I can imagine for a screw up would be a tool chain difference. Are you using all the same versions of the tool chain (checkpolicy, libsemanage, policycoreutils, libselinux, selinux-policy) as shipped with RHEL5?
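The following script is an added example, not code posted by either participant. It derives a minimal .te module from a single AVC denial line (the same extraction audit2allow performs), then wraps the checkmodule / semodule_package / semodule sequence from the thread together with the two checks worth running afterwards: whether the module appears in `semodule -l`, and which versions of the tool chain built it (the `rpm -q` list is Dan's question turned into a command). The AVC line is the one quoted in the thread; the module name `local`, version `1.0`, and the temporary working directory are assumptions. Two observations that the script makes visible: the denial names `httpd_t` as the source domain, so the rule it generates is `allow httpd_t httpd_sys_script_exec_t:lnk_file { read };`, which is a different rule from one written for `httpd_sys_script_t`; and `semodule -l` lists a module by the name in its `module` statement, not by the .pp file name, which is why `local 1.0` is how a package declaring `module local 1.0;` shows up.

```sh
#!/bin/sh
# Added example (not from the thread): build a policy module from one AVC
# denial line and run the post-install checks.  Only POSIX sh, sed and cut
# are needed to generate the .te source; the SELinux tools run only if present.

# Constructed sample input: the AVC line quoted in the thread.
AVC_SAMPLE='type=AVC msg=audit(1295337185.859:297): avc: denied { read } for pid=1854 comm="httpd" name="post-commit" dev=sda3 ino=295635 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file'

# avc_field LINE KEY: print the value of KEY=value in an AVC line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT: the type component (third field) of user:role:type:level.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permission set between "denied {" and "} for".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) } for .*/\1/p'
}

# avc_to_te MODULE VERSION LINE: print a complete .te module allowing exactly
# the denied access.  Source type comes from scontext, target type from
# tcontext, so the allow rule always names the domain that was actually denied.
avc_to_te() {
    mod=$1; ver=$2; line=$3
    src=$(avc_type "$(avc_field "$line" scontext)")
    tgt=$(avc_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf 'module %s %s;\n\n' "$mod" "$ver"
    printf 'require {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$src" "$tgt" "$cls" "$perms"
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# build_and_install DIR MODULE: the sequence from the thread, then the checks.
# Returns 2 when the tool chain is absent (e.g. on a non-SELinux host),
# 1 when a step fails (semodule -i needs root), 0 when the module is listed.
build_and_install() {
    dir=$1; mod=$2
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || return 2
    done
    checkmodule -M -m -o "$dir/$mod.mod" "$dir/$mod.te" || return 1
    semodule_package -o "$dir/$mod.pp" -m "$dir/$mod.mod" || return 1
    semodule -i "$dir/$mod.pp" || return 1
    # Listed under the name from the module statement, with or without version.
    semodule -l | grep -E -q "^$mod([[:space:]]|\$)" || return 1
    # Are all pieces of the tool chain from the same distribution release?
    rpm -q checkpolicy policycoreutils libsemanage libselinux selinux-policy || true
    return 0
}

# Show the generated source; build it only where the tool chain exists.
avc_to_te local 1.0 "$AVC_SAMPLE"
if command -v checkmodule >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    avc_to_te local 1.0 "$AVC_SAMPLE" > "$workdir/local.te"
    build_and_install "$workdir" local || echo "build/install did not complete"
fi
```

One caveat on the diagnostic step from the thread: `checkmodule -b` reads a binary policy, not a module package, so pointing it at a .pp file is expected to fail on the magic number (0xf97cff8f is the package magic, 0xf97cff8c and 0xf97cff8d the policydb magics named in the error); that failure says nothing about whether `semodule -i` will accept the package.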