On 8/2/2014 2:39 PM, Harold Pritchett wrote:
> On 8/1/2014 10:47 PM, Gardner Bell wrote:
>>
>> On 1 August 2014 22:33, Harold Pritchett <harold at uga.edu> wrote:
>>
>>> I am having problems making selinux modules on CentOS 6.
>>>
>>> Under CentOS 5, the following procedure works:
>>>
>>> Procedure to make an SELinux policy named mickey1...
>>>
>>> # su -
>>> # cd /var/log/audit
>>> # rm *
>>> # service auditd restart
>>> # echo 0 > /selinux/enforce
>>> # Do whatever selinux is blocking...
>>> # echo 1 > /selinux/enforce
>>> # touch /.autorelabel
>>> # shutdown -fr now
>>>
>>> log back on as root...
>>>
>>> # cd /root
>>> # mkdir tmp selinux
>>> # cd tmp
>>> # chcon -R -t usr_t .
>>> # ln -s /usr/share/selinux/devel/Makefile .
>>> # audit2allow -m mickey1 -i /var/log/audit/audit.log -o mickey1.te
>>> # make -f /usr/share/selinux/devel/Makefile
>>> # mv filename.te filename.pp ../selinux/
>>> # cd ../selinux
>>> # semodule -i filename.pp
>>>
>>> This works fine on CentOS 5. I have been doing this on half a dozen
>>> servers I support.
>>>
>>> Unfortunately, on CentOS 6 I get the following:
>>>
>>> # semodule -i mickey1.pp
>>> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base. (No such file or directory).
>>> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
>>> semodule: Failed!
>>>
>>> Does anyone have any idea what I am doing wrong? How do I get this to
>>> work on CentOS 6? I've googled this until I'm blue in the face and can't
>>> seem to find the answer.
>>>
>>> More info:
>>>
>>> # cat /etc/redhat-release
>>> CentOS release 6.5 (Final)
>>>
>>> # uname -a
>>> Linux xyzzy.plugh.net 2.6.32-431.20.5.el6.x86_64 #1 SMP Fri Jul 25 08:34:44 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> # rpm -qa | grep selinux
>>> selinux-policy-minimum-3.7.19-231.el6_5.3.noarch
>>> libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
>>> selinux-policy-targeted-3.7.19-231.el6_5.3.noarch
>>> selinux-policy-doc-3.7.19-231.el6_5.3.noarch
>>> libselinux-python-2.0.94-5.3.el6_4.1.x86_64
>>> libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
>>> libselinux-2.0.94-5.3.el6_4.1.i686
>>> selinux-policy-mls-3.7.19-231.el6_5.3.noarch
>>> selinux-policy-3.7.19-231.el6_5.3.noarch
>>> libselinux-2.0.94-5.3.el6_4.1.x86_64
>>>
>>> Thanks,
>>>
>>> Harold
>>>
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>>>
>> Should you maybe recompile the module with the -M switch?
>> *-M,--mls* Enable the MLS/MCS support when checking and compiling the
>> policy module.
>>
>
> Please don't top post... It makes it hard to follow the discussion.
>
> Using this advice, I checked out the Makefile which compiles the module. It uses the file "/etc/selinux/config" to determine the type of module to make. So, I changed:
>
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> SELINUX=enforcing
> # SELINUXTYPE= can take one of these two values:
> # targeted - Targeted processes are protected,
> # mls - Multi Level Security protection.
> SELINUXTYPE=targeted
>
> to
>
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> SELINUX=enforcing
> # SELINUXTYPE= can take one of these two values:
> # targeted - Targeted processes are protected,
> # mls - Multi Level Security protection.
> SELINUXTYPE=mls
>
> ran "make clean" followed by "make" with the following results:
>
> # make
> Compiling mls spamass-milter module
> /usr/bin/checkmodule: loading policy configuration from tmp/spamass-milter.tmp
> /usr/bin/checkmodule: policy configuration loaded
> /usr/bin/checkmodule: writing binary representation (version 10) to tmp/spamass-milter.mod
> Creating mls spamass-milter.pp policy package
> rm tmp/spamass-milter.mod.fc tmp/spamass-milter.mod
>
> Followed by:
>
> # semodule -vi spamass-milter.pp
> Attempting to install module 'spamass-milter.pp':
> Ok: return value of 0.
> Committing changes:
> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base. (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!
>
> # semodule -l | grep spam
> spamassassin 2.2.0
>
> Still no joy! The make command claims to have made an MLS policy package, but the semodule -i command says it's non-MLS.

More testing seems to indicate that the Makefile is broken. Running make followed by semodule to load the new module generates the error. If, however, I manually run the following commands, everything works fine, the module is loaded, and selinux no longer blocks the desired action:

audit2allow -m spamass-milter < /var/log/audit/audit.log > spamass-milter.te
checkmodule -M -m -o spamass-milter.mod spamass-milter.te
semodule_package -o spamass-milter.pp -m spamass-milter.mod
semodule -i spamass-milter.pp

Harold
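The manual sequence that worked at the end of the thread, wrapped in the pre-flight checks a practitioner would want before installing a generated module. This is an added example, not code from the thread; it assumes the CentOS 6 tool names used above (audit2allow, checkmodule, semodule_package, semodule), and the module name and audit log path are parameters.

```shell
#!/bin/sh
# Added example (not from the thread): build and install an audit2allow
# module against an MLS/MCS-enabled base policy, with sanity checks.
set -eu

# Return 0 if a .te file actually carries at least one rule.
# audit2allow emits an empty module when the log holds no AVC denials;
# installing that changes nothing while looking like success.
te_has_rules() {
    grep -Eq '^[[:space:]]*(allow|dontaudit|auditallow)[[:space:]]' "$1"
}

# Build and install the module. -M on checkmodule is the step the
# Makefile run in the thread did not get right: without it semodule
# rejects the package as "a non-MLS module with an MLS base".
build_mls_module() {
    name=$1
    log=${2:-/var/log/audit/audit.log}
    for tool in audit2allow checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 2; }
    done
    [ -r "$log" ] || { echo "cannot read audit log $log" >&2; return 2; }
    audit2allow -m "$name" -i "$log" -o "$name.te"
    te_has_rules "$name.te" || { echo "no denials in $log; nothing to allow" >&2; return 3; }
    # Review the generated .te before this point: audit2allow allows
    # exactly what was denied, which may be wider than intended.
    checkmodule -M -m -o "$name.mod" "$name.te"
    semodule_package -o "$name.pp" -m "$name.mod"
    semodule -i "$name.pp"
    # Confirm the module is now listed, as the thread did with semodule -l.
    semodule -l | grep -q "^$name[[:space:]]" || { echo "$name not listed by semodule -l" >&2; return 4; }
}

# Usage: sh build_module.sh --build spamass-milter [/path/to/audit.log]
if [ "${1:-}" = "--build" ]; then
    shift
    build_mls_module "$@"
fi
```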