[CentOS] SELinux : semodule_package, magic number does not match

Tue Jan 18 08:13:41 UTC 2011
Philippe Naudin <philippe.naudin at supagro.inra.fr>

On Mon, 17 Jan 2011 14:32:22 CET, Daniel J Walsh wrote:

> On 01/17/2011 08:25 AM, Philippe Naudin wrote:
> > Hello,
> > 
> > I am trying to create a custom policy, but with no success:
> > 
> > $ cat <<EOF> foo.te
> > module local 1.0;
> > 
> > require {
> >         type httpd_sys_script_exec_t;
> >         type httpd_sys_script_t;
> >         class lnk_file read;
> > }
> > 
> > #============= httpd_sys_script_t ==============
> > allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
> > EOF
> > 
> > $ checkmodule -M -m -o foo.mod foo.te
> > checkmodule:  loading policy configuration from foo.te
> > checkmodule:  policy configuration loaded
> > checkmodule:  writing binary representation (version 6) to foo.mod
> > 
> > $ semodule_package -o foo.pp -m foo.mod
> > $ echo $?
> > 0
> > # So far, so good. But :
> > 
> > $ checkmodule -b foo.pp
> > checkmodule:  loading policy configuration from foo.pp
> > libsepol.policydb_read: policydb magic number 0xf97cff8f does not match 
> > expected magic number 0xf97cff8c or 0xf97cff8d
> > checkmodule:  error(s) encountered while parsing configuration
> > # And trying to "semodule -i foo.pp" fails completely.
> > 
> Wrong command.
> 
> semodule -i foo.pp

Yes, I have tried this one too:

$ semodule -i /usr/share/selinux/targeted/http_lnk_exec.pp
$ echo $?
0

Everything seems OK, but:
$ semodule -l
aisexec 1.0.0
amavis  1.1.0
ccs     1.0.0
clamav  1.1.0
clogd   1.0.0
dcc     1.1.0
dnsmasq 1.1.1
evolution       1.1.0
ipsec   1.4.0
iscsid  1.0.0
local   1.0
milter  1.0.0
mozilla 1.1.0
mplayer 1.1.0
nagios  1.1.0
oddjob  1.0.1
pcscd   1.0.0
postgrey        1.1.0
prelude 1.0.0
pyzor   1.1.0
qemu    1.1.2
razor   1.1.0
rgmanager       1.0.0
rhcs    1.1.0
ricci   1.0.0
smartmon        1.1.0
spamassassin    1.9.0
vhostmd 1.0.0
virt    1.2.1
zosremote       1.0.0

My module is not listed, and testing shows that the new rule is not
used:
$ audit2why < /var/log/audit/audit.log | grep AVC
type=AVC msg=audit(1295337185.859:297): avc:  denied  { read } for
pid=1854 comm="httpd" name="post-commit" dev=sda3 ino=295635
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file

> I am not sure what
> 
> checkmodule -b foo.pp
> 
> will do.

Without "-o", it is supposed to check the syntax of foo.pp. It is
the only explanation I can get on why "semodule -i" fails in my case.

Any other suggestion? I am completely stuck...

-- 
Philippe
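
Two checks that settle what the thread is circling, as an added example that is not code from the post or from the SELinux tools themselves. First, the magic number: a file whose first four bytes read 0xf97cff8f is a policy package (what semodule_package writes), while checkmodule -b only accepts a kernel policy (0xf97cff8c) or a checkmodule -M module (0xf97cff8d), so the error in the post is checkmodule rejecting a valid .pp, not a broken one. Second, the denial itself: the rule a denial needs is built from the scontext type, the tcontext type, the class and the permission, and the AVC line in the post (rejoined onto one line below) names httpd_t as the source, which a .te can be checked against. The script also reads the name off the `module` line of a .te, since that, not the file name, is what `semodule -l` shows (foo.te above declares `module local 1.0;`). The module name httpd_lnk is a placeholder I chose, the sample .pp/.mod files are just four-byte headers constructed for the check, and only standard POSIX tools (od, awk, sed, grep, mktemp) are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread.  Two checks a practitioner would
# run before blaming semodule: (1) what kind of binary a policy file is, by
# its 4-byte little-endian magic, so the right tool is used on it; (2) which
# allow rule an AVC denial actually calls for, and whether a given .te has it.
# Magic values are libsepol's, as quoted in the checkmodule error message.

MAGIC_KERNEL=f97cff8c    # POLICYDB_MAGIC: compiled kernel policy (policy.NN)
MAGIC_MODULE=f97cff8d    # POLICYDB_MOD_MAGIC: checkmodule -M output (.mod)
MAGIC_PACKAGE=f97cff8f   # SEPOL_MODULE_PACKAGE_MAGIC: semodule_package output (.pp)

# First four bytes of a file as one little-endian hex word (byte order reversed).
file_magic() {
    od -An -tx1 -N4 "$1" | awk '{ printf "%s%s%s%s\n", $4, $3, $2, $1 }'
}

policy_file_kind() {   # policy_file_kind <file>
    case "$(file_magic "$1")" in
        "$MAGIC_KERNEL")  echo kernel-policy ;;
        "$MAGIC_MODULE")  echo policy-module ;;
        "$MAGIC_PACKAGE") echo policy-package ;;
        *)                echo unknown ;;
    esac
}

# checkmodule -b reads a kernel policy or a .mod; a .pp package is only
# understood by semodule -i, which is why checkmodule -b rejects foo.pp.
tool_for_file() {      # tool_for_file <file>
    case "$(policy_file_kind "$1")" in
        kernel-policy|policy-module) echo "checkmodule -b" ;;
        policy-package)              echo "semodule -i" ;;
        *)                           echo none ;;
    esac
}

# Constructed sample headers (octal escapes of the bytes as stored on disk);
# a real policy file continues after these four bytes.
write_magic_kern() { printf '\214\377\174\371' > "$1"; }   # 0xf97cff8c
write_magic_mod()  { printf '\215\377\174\371' > "$1"; }   # 0xf97cff8d
write_magic_pp()   { printf '\217\377\174\371' > "$1"; }   # 0xf97cff8f

# The denial from the post, rejoined onto one line.
AVC_LINE='type=AVC msg=audit(1295337185.859:297): avc:  denied  { read } for pid=1854 comm="httpd" name="post-commit" dev=sda3 ino=295635 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file'

# Parse one AVC line from stdin into AVC_SRC (type of scontext, i.e. the
# process), AVC_TGT (type of tcontext), AVC_CLS and AVC_PERMS.
parse_avc() {
    line=$(cat)
    AVC_PERMS=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\(.*[^ ]\) *} .*/\1/p')
    AVC_SRC=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    AVC_TGT=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    AVC_CLS=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$AVC_PERMS" ] && [ -n "$AVC_SRC" ] && [ -n "$AVC_TGT" ] && [ -n "$AVC_CLS" ] || return 1
    case "$AVC_PERMS" in *" "*) AVC_PERMS="{ $AVC_PERMS }" ;; esac   # several perms need braces
}

# Single-rule cut-down of audit2allow: the allow rule that this denial needs.
avc_to_allow() {       # AVC line on stdin
    parse_avc || return 1
    printf 'allow %s %s:%s %s;\n' "$AVC_SRC" "$AVC_TGT" "$AVC_CLS" "$AVC_PERMS"
}

# Complete .te for that rule.  The name given here is what `semodule -l`
# lists and `semodule -r` removes; the file name plays no part in it.
avc_to_te() {          # avc_to_te <module-name>   (AVC line on stdin)
    parse_avc || return 1
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '\ttype %s;\n' "$AVC_SRC"
    [ "$AVC_SRC" = "$AVC_TGT" ] || printf '\ttype %s;\n' "$AVC_TGT"
    printf '\tclass %s %s;\n}\n\n' "$AVC_CLS" "$AVC_PERMS"
    printf 'allow %s %s:%s %s;\n' "$AVC_SRC" "$AVC_TGT" "$AVC_CLS" "$AVC_PERMS"
}

# Name declared on the `module` line of a .te (what semodule -l will show).
te_module_name() {     # te_module_name <file.te>
    sed -n 's/^[[:space:]]*module[[:space:]][[:space:]]*\([^ ;]*\).*/\1/p' "$1" | head -n 1
}

# Does this .te hold an allow rule with the denial's source type, target
# type and class?  Exit status 0 if so (permissions are not compared).
te_covers_avc() {      # te_covers_avc <file.te>   (AVC line on stdin)
    parse_avc || return 1
    grep -q "^[[:space:]]*allow[[:space:]][[:space:]]*$AVC_SRC[[:space:]][[:space:]]*$AVC_TGT:$AVC_CLS[[:space:]]" "$1"
}

demo() {
    tmp=$(mktemp -d)
    write_magic_pp "$tmp/foo.pp"
    printf 'foo.pp is a %s: load it with "%s"\n' "$(policy_file_kind "$tmp/foo.pp")" "$(tool_for_file "$tmp/foo.pp")"
    printf '%s\n' "$AVC_LINE" | avc_to_te httpd_lnk
    rm -rf "$tmp"
}
case "${1:-}" in demo) demo ;; esac   # sh this_script.sh demo
```

Run `sh script.sh demo` to see the classification of a constructed .pp header and the .te generated from the post's denial; on a real box, `policy_file_kind foo.pp` can be pointed at the actual package, and `te_covers_avc foo.te < avc-line` says whether the rule in a hand-written .te has the same source type, target type and class as the denial it is meant to fix. The rule the script derives from the post's AVC line has httpd_t as its source, while foo.te's rule is written for httpd_sys_script_t; the .te the script emits passes the same check.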