[CentOS] SELinux : semodule_package, magic number does not match

Tue Jan 18 14:24:36 UTC 2011
Daniel J Walsh <dwalsh at redhat.com>

On 01/18/2011 03:13 AM, Philippe Naudin wrote:
> Le lun 17 jan 2011 14:32:22 CET, Daniel J Walsh a écrit:
> 
>> On 01/17/2011 08:25 AM, Philippe Naudin wrote:
>>> Hello,
>>>
>>> I am trying to create a custom policy, but with no success:
>>>
>>> $ cat <<EOF> foo.te
>>> module local 1.0;
>>>
>>> require {
>>>         type httpd_sys_script_exec_t;
>>>         type httpd_sys_script_t;
>>>         class lnk_file read;
>>> }
>>>
>>> #============= httpd_sys_script_t ==============
>>> allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
>>> EOF
>>>
>>> $ checkmodule -M -m -o foo.mod foo.te
>>> checkmodule:  loading policy configuration from foo.te
>>> checkmodule:  policy configuration loaded
>>> checkmodule:  writing binary representation (version 6) to foo.mod
>>>
>>> $ semodule_package -o foo.pp -m foo.mod
>>> $ echo $?
>>> 0
>>> # So far, so good. But :
>>>
>>> $ checkmodule -b foo.pp
>>> checkmodule:  loading policy configuration from foo.pp
>>> libsepol.policydb_read: policydb magic number 0xf97cff8f does not match 
>>> expected magic number 0xf97cff8c or 0xf97cff8d
>>> checkmodule:  error(s) encountered while parsing configuration
>>> # And trying to "semodule -i foo.pp" fails completely.
>>>
>> Wrong command.
>>
>> semodule -i foo.pp
> 
> Yes, I have tried this one too:
> 
> $ semodule -i /usr/share/selinux/targeted/http_lnk_exec.pp
> $ echo $?
> 0
> 
> Everything seems OK, but :
> $ semodule -l
> aisexec 1.0.0
> amavis  1.1.0
> ccs     1.0.0
> clamav  1.1.0
> clogd   1.0.0
> dcc     1.1.0
> dnsmasq 1.1.1
> evolution       1.1.0
> ipsec   1.4.0
> iscsid  1.0.0
> local   1.0
> milter  1.0.0
> mozilla 1.1.0
> mplayer 1.1.0
> nagios  1.1.0
> oddjob  1.0.1
> pcscd   1.0.0
> postgrey        1.1.0
> prelude 1.0.0
> pyzor   1.1.0
> qemu    1.1.2
> razor   1.1.0
> rgmanager       1.0.0
> rhcs    1.1.0
> ricci   1.0.0
> smartmon        1.1.0
> spamassassin    1.9.0
> vhostmd 1.0.0
> virt    1.2.1
> zosremote       1.0.0
> 
> My module is not listed, and testing shows that the new rule is not
> used:
> $ audit2why < /var/log/audit/audit.log | grep AVC
> type=AVC msg=audit(1295337185.859:297): avc:  denied  { read } for
> pid=1854 comm="httpd" name="post-commit" dev=sda3 ino=295635
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file
> 
>> I am not sure what
>>
>> checkmodule -b foo.pp
>>
>> will do.
> 
> Without "-o", it is supposed to check the syntax of foo.pp. It is
> the only explanation I can get on why "semodule -i" fails in my case.
> 
> Any other suggestion? I am completely stuck...
> 
I always build my pp files using

make -f /usr/share/selinux/devel/Makefile

And do not pay much attention to the man behind the curtain. The only
reason I can imagine for a screw-up would be a tool chain difference.
Are you using all the same versions of the tool chain (checkpolicy,
libsemanage, policycoreutils, libselinux, selinux-policy) as shipped with
RHEL5?
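An added diagnostic for the two symptoms in this thread (example code written for this page, not code from the thread or from the SELinux project). The first part reads the leading magic number of a libsepol binary and names the tool that consumes it: the values are the ones in the error message quoted above, libsepol's kernel policy magic 0xf97cff8c, the module magic 0xf97cff8d that checkmodule writes to a .mod, and the package magic 0xf97cff8f that semodule_package writes to a .pp. checkmodule -b accepts only the first two, so it rejects any .pp regardless of whether the build is sound; semodule -i is the consumer of a .pp. The second part compares an allow rule against an AVC denial, since a rule only silences a denial when its source type, target type, class and permission all match. The byte strings are constructed truncated headers (real files continue past the version field); the AVC line and allow rule are the ones quoted in the thread.

```python
import re
import struct

# libsepol magic numbers (the three values named in the thread's error message)
POLICYDB_MAGIC = 0xF97CFF8C        # binary kernel policy
POLICYDB_MOD_MAGIC = 0xF97CFF8D    # policy module (.mod), output of checkmodule -M -m
MODULE_PACKAGE_MAGIC = 0xF97CFF8F  # policy package (.pp), output of semodule_package

CONSUMER = {
    "kernel policy": "checkmodule -b (or the kernel)",
    "module": "semodule_package -m (or checkmodule -b -m)",
    "package": "semodule -i",
}


def identify_policy_file(data: bytes) -> dict:
    """Classify a libsepol binary from its header.

    Kernel policies and modules start with magic, a length-prefixed target string
    ("SE Linux" or "SE Linux Module") and the policy version.  Packages start with
    magic, package version, section count and one offset per section; the first
    section is normally the module itself, so it is classified recursively.
    """
    if len(data) < 4:
        return {"kind": "unknown", "reason": "shorter than a magic number"}
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MODULE_PACKAGE_MAGIC:
        if len(data) < 12:
            return {"kind": "package", "reason": "truncated header"}
        version, nsec = struct.unpack_from("<II", data, 4)
        if 12 + 4 * nsec > len(data):
            return {"kind": "package", "version": version, "reason": "section table truncated"}
        offsets = struct.unpack_from("<%dI" % nsec, data, 12)
        info = {"kind": "package", "version": version, "sections": nsec,
                "consumer": CONSUMER["package"]}
        if nsec and offsets[0] < len(data):
            info["first_section"] = identify_policy_file(data[offsets[0]:])
        return info
    if magic in (POLICYDB_MAGIC, POLICYDB_MOD_MAGIC):
        kind = "kernel policy" if magic == POLICYDB_MAGIC else "module"
        if len(data) < 8:
            return {"kind": kind, "reason": "truncated header"}
        (strlen,) = struct.unpack_from("<I", data, 4)
        if 8 + strlen + 4 > len(data):
            return {"kind": kind, "reason": "truncated header"}
        target = data[8:8 + strlen].decode("ascii", "replace")
        (version,) = struct.unpack_from("<I", data, 8 + strlen)
        return {"kind": kind, "target": target, "version": version, "consumer": CONSUMER[kind]}
    return {"kind": "unknown", "magic": "0x%08x" % magic}


def _policydb_header(magic: int, target: bytes, version: int) -> bytes:
    """Constructed header only: magic, string length, target string, policy version."""
    return struct.pack("<II", magic, len(target)) + target + struct.pack("<I", version)


# Constructed samples, shaped like the headers of the files in the thread.
SAMPLE_MOD = _policydb_header(POLICYDB_MOD_MAGIC, b"SE Linux Module", 6)   # like foo.mod
SAMPLE_KERN = _policydb_header(POLICYDB_MAGIC, b"SE Linux", 21)
# Package wrapping the module: 12-byte header plus one 4-byte offset puts the section at 16.
SAMPLE_PP = struct.pack("<IIII", MODULE_PACKAGE_MAGIC, 1, 1, 16) + SAMPLE_MOD

# --- does the allow rule actually address the denial? ---------------------------
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")
ALLOW_RE = re.compile(r"^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+)\s*:\s*(?P<cls>\w+)\s+"
                      r"(?:\{(?P<perms>[^}]+)\}|(?P<perm>\w+))\s*;")


def context_type(ctx: str) -> str:
    """Third field of user:role:type:level."""
    return ctx.split(":")[2]


def rule_covers_avc(rule: str, avc_line: str):
    """Return (True, msg) if the allow rule grants what the AVC line was denied."""
    m_rule, m_avc = ALLOW_RE.match(rule), AVC_RE.search(avc_line)
    if not m_rule or not m_avc:
        return False, "could not parse rule or AVC line"
    granted = set((m_rule.group("perms") or m_rule.group("perm")).split())
    needed = set(m_avc.group("perms").split())
    for what, in_rule, in_avc in (
        ("source type", m_rule.group("src"), context_type(m_avc.group("scon"))),
        ("target type", m_rule.group("tgt"), context_type(m_avc.group("tcon"))),
        ("class", m_rule.group("cls"), m_avc.group("tclass")),
    ):
        if in_rule != in_avc:
            return False, "%s mismatch: rule has %s, denial has %s" % (what, in_rule, in_avc)
    missing = needed - granted
    if missing:
        return False, "rule lacks permissions: " + " ".join(sorted(missing))
    return True, "rule matches the denial"


# The AVC line and allow rule quoted in the thread (AVC joined onto one line).
SAMPLE_AVC = ('type=AVC msg=audit(1295337185.859:297): avc:  denied  { read } for '
              'pid=1854 comm="httpd" name="post-commit" dev=sda3 ino=295635 '
              'scontext=system_u:system_r:httpd_t:s0 '
              'tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file')
SAMPLE_RULE = "allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;"

if __name__ == "__main__":
    for name, blob in (("foo.mod", SAMPLE_MOD), ("foo.pp", SAMPLE_PP), ("policy", SAMPLE_KERN)):
        print(name, identify_policy_file(blob))
    print(rule_covers_avc(SAMPLE_RULE, SAMPLE_AVC))
```

Run stand-alone, the classifier reports foo.pp as a package whose first section is a version 6 module, and the rule check reports a source type mismatch: the quoted denial is for httpd_t, while the rule in foo.te allows httpd_sys_script_t, so loading that module cannot change the outcome. Note also that the quoted semodule -l output does contain "local 1.0", which is the name declared by "module local 1.0;" in foo.te; semodule lists modules by that declared name, not by the file name passed to semodule -i.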