Hi, I've got a Centos 5 box (recently replaced a Centos4 box of the same function). The means of applying custom SELinux policy has changed somewhat from 4->5. I've got it mostly figured out; I have a local.te file with my custom policy and also which defines a few new file types, and a local.fc with appropriate defintions of file contexts. When I run: # checkmodule -M -m -o local.mod local.te # semodule_package -o local.pp -m local.mod # semodule -i local.pp (all in /usr/share/selinux/targeted), the policy gets installed and works properly. However, I can't then use fixfiles or the like to set the custom file contexts (my custom file contexts aren't installed in the main policy). I can apply them manually with chcon, but that's icky and not "The One True Way(tm)".

So, if I do: # checkmodule -M -m -o local.mod local.te # semodule_package -o local.pp -m local.mod -f local.fc # semodule -i local.pp

I get the following output: libsepol.context_from_record: MLS is enabled, but no MLS context found libsepol.context_from_record: could not create context structure libsepol.context_from_string: could not create context structure libsepol.sepol_context_to_sid: could not convert system_u:object_r:file_upload_store_t to sid /etc/selinux/targeted/contexts/files/file_contexts: line 537 has invalid context system_u:object_r:file_upload_store_t libsemanage.semanage_install_active: setfiles returned error code 1.

Where file_upload_store_t is one of my custom types. My local.fc looks like this: /data/spool/blastreq(/.*)? system_u:object_r:blast_req_t /data/spool/blastres(/.*)? system_u:object_r:blast_res_t /data/upload(/.*)? system_u:object_r:file_upload_store_t /data/bfiles(/.*)? system_u:object_r:bfiles_t /var/www/possumbase/html/imagetemp(/.*)? system_u:object_r:http_image_temp_t /var/www/sheep/html/imagetemp(/.*)? system_u:object_r:http_image_temp_t

And my local.te contains (selected portions only for now): module local 1.1;

require { ... <various normal requires> ... } type blast_req_t,file_type; allow httpd_sys_script_t blast_req_t:file { create getattr write}; allow httpd_sys_script_t blast_req_t:dir { read getattr lock search ioctl add_name write }; ...etc

So, looks like I need to do something else, possibly in my local.fc. However, my google-fu is not strong enough to find any actual examples of successful custom file context type creation/installation using selinux modules.

I suspect something simple, but haven't a clue what it is. Anyone got any idea what I need to do different?

Thanks, Craig Miskell

NB: To avoid the whole flamewar: "Turn off SELinux" is not a useful answer in this case ;-)

Craig Miskell, Technical Support, AgResearch Invermay 03 489-9279 "I think that if I ever put a *nix distribution together, the mailer's installation will include several pieces of spam in the initial mail spool." -- Chris Reuter ======================================================================= Attention: The information contained in this message and/or attachments from AgResearch Limited is intended only for the persons or entities to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipients is prohibited by AgResearch Limited. If you have received this message in error, please notify the sender immediately. =======================================================================