Hello,

I am trying to create a custom policy, but with no success:

$ cat <<EOF> foo.te
module local 1.0;

require {
        type httpd_sys_script_exec_t;
        type httpd_sys_script_t;
        class lnk_file read;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
EOF
$ checkmodule -M -m -o foo.mod foo.te
checkmodule: loading policy configuration from foo.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to foo.mod
$ semodule_package -o foo.pp -m foo.mod
$ echo $?
0

# So far, so good. But:

$ checkmodule -b foo.pp
checkmodule: loading policy configuration from foo.pp
libsepol.policydb_read: policydb magic number 0xf97cff8f does not match expected magic number 0xf97cff8c or 0xf97cff8d
checkmodule: error(s) encountered while parsing configuration

# And trying to "semodule -i foo.pp" fails completely.

So here come my questions:

- is there a boolean to allow httpd to execute a "symlinked" script?
  (scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file)
- can someone reproduce the error described above?
- any clue on how to fix it?

(For the curious: I am fighting svn hooks on a filesystem mounted "-o noexec".)

Additional info:

$ rpm -qa 'kernel*' '*selinux*'
kernel-2.6.18-194.26.1.el5
kernel-2.6.18-194.32.1.el5
kernel-devel-2.6.18-194.26.1.el5
kernel-devel-2.6.18-194.32.1.el5
kernel-headers-2.6.18-194.32.1.el5
libselinux-1.33.4-5.5.el5
libselinux-devel-1.33.4-5.5.el5
libselinux-python-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
selinux-policy-2.4.6-279.el5_5.2
selinux-policy-devel-2.4.6-279.el5_5.2
selinux-policy-targeted-2.4.6-279.el5_5.2
$ uname -a
Linux despina 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:20 EST 2010 x86_64 x86_64 x86_64 GNU/Linux

Thanks,

-- 
Philippe