[CentOS] Selinux custom policy issue - Centos 5

Tue Jun 12 00:24:59 UTC 2007
Miskell, Craig <Craig.Miskell at agresearch.co.nz>

Hi,
I've got a Centos 5 box (which recently replaced a Centos4 box of the
same function).  The means of applying custom SELinux policy has changed
somewhat from 4->5.  I've got it mostly figured out; I have a local.te
file with my custom policy, which also defines a few new file types,
and a local.fc with appropriate definitions of file contexts.  When I
run:
# checkmodule -M -m -o local.mod local.te
# semodule_package -o local.pp -m local.mod
# semodule -i local.pp
(all in /usr/share/selinux/targeted), the policy gets installed and
works properly.  However, I can't then use fixfiles or the like to set
the custom file contexts (my custom file contexts aren't installed in
the main policy). I can apply them manually with chcon, but that's icky
and not "The One True Way(tm)".

So, if I do:
# checkmodule -M -m -o local.mod local.te 
# semodule_package -o local.pp -m local.mod -f local.fc
# semodule -i local.pp

I get the following output:
libsepol.context_from_record: MLS is enabled, but no MLS context found
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:object_r:file_upload_store_t to sid
/etc/selinux/targeted/contexts/files/file_contexts:  line 537 has
invalid context system_u:object_r:file_upload_store_t
libsemanage.semanage_install_active: setfiles returned error code 1.

Where file_upload_store_t is one of my custom types.  My local.fc looks
like this:
/data/spool/blastreq(/.*)?                  system_u:object_r:blast_req_t
/data/spool/blastres(/.*)?                  system_u:object_r:blast_res_t
/data/upload(/.*)?                          system_u:object_r:file_upload_store_t
/data/bfiles(/.*)?                          system_u:object_r:bfiles_t
/var/www/possumbase/html/imagetemp(/.*)?    system_u:object_r:http_image_temp_t
/var/www/sheep/html/imagetemp(/.*)?         system_u:object_r:http_image_temp_t

And my local.te contains (selected portions only for now):
module local 1.1;

require {
...
 <various normal requires>
...
}
type blast_req_t, file_type;
allow httpd_sys_script_t blast_req_t:file { create getattr write };
allow httpd_sys_script_t blast_req_t:dir { read getattr lock search ioctl add_name write };
...etc

So, looks like I need to do something else, possibly in my local.fc.
However, my google-fu is not strong enough to find any actual examples
of successful custom file context type creation/installation using
selinux modules.  

I suspect something simple, but haven't a clue what it is.  Anyone got
any idea what I need to do differently?

Thanks,
Craig Miskell

NB: To avoid the whole flamewar: "Turn off SELinux" is not a useful
answer in this case ;-)

Craig Miskell,
Technical Support,
AgResearch Invermay
03 489-9279
"I think that if I ever put a *nix distribution together, the mailer's
installation will include several pieces of spam in the initial mail spool."
	-- Chris Reuter