[CentOS] CentOS 6, selinux, and user modules

Tue Aug 5 18:50:58 UTC 2014
Harold Pritchett <harold at uga.edu>

On 8/2/2014 2:39 PM, Harold Pritchett wrote:
> On 8/1/2014 10:47 PM, Gardner Bell wrote:
>>
>>
>> On 1 August 2014 22:33, Harold Pritchett <harold at uga.edu> wrote:
>>
>>> I am having problems making selinux modules on CentOS 6.
>>>
>>> Under CentOS 5, the following procedure works:
>>>
>>> Procedure to make an selinux policy named mickey1...
>>>
>>> # su -
>>> # cd /var/log/audit
>>> # rm *
>>> # service auditd restart
>>> # echo 0 > /selinux/enforce
>>> # Do whatever selinux is blocking...
>>> # echo 1 > /selinux/enforce
>>> # touch /.autorelabel
>>> # shutdown -fr now
>>>
>>> log back on as root...
>>>
>>> # cd /root
>>> # mkdir tmp selinux
>>> # cd tmp
>>> # chcon -R -t usr_t .
>>> # ln -s /usr/share/selinux/devel/Makefile .
>>> # audit2allow -m mickey1 -i /var/log/audit/audit.log -o mickey1.te
>>> # make -f /usr/share/selinux/devel/Makefile
>>> # mv filename.te filename.pp ../selinux/
>>> # cd ../selinux
>>> # semodule -i filename.pp
>>>
>>> This works fine on CentOS 5.  I have been doing this on half a dozen
>>> servers I support.
>>>
>>> Unfortunately, on CentOS 6 I get the following:
>>>
>>> # semodule -i mickey1.pp
>>> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>>> (No such file or directory).
>>> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
>>> directory).
>>> semodule:  Failed!
>>>
>>> Does anyone have any idea what I am doing wrong?  How do I get this to
>>> work on CentOS 6?  I've googled this until I'm blue in the face and can't
>>> seem to find the answer.
>>>
>>> More info:
>>>
>>> # cat /etc/redhat-release
>>> CentOS release 6.5 (Final)
>>>
>>> # uname -a
>>> Linux xyzzy.plugh.net 2.6.32-431.20.5.el6.x86_64 #1 SMP Fri Jul 25
>>> 08:34:44 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> # rpm -qa | grep selinux
>>> selinux-policy-minimum-3.7.19-231.el6_5.3.noarch
>>> libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
>>> selinux-policy-targeted-3.7.19-231.el6_5.3.noarch
>>> selinux-policy-doc-3.7.19-231.el6_5.3.noarch
>>> libselinux-python-2.0.94-5.3.el6_4.1.x86_64
>>> libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
>>> libselinux-2.0.94-5.3.el6_4.1.i686
>>> selinux-policy-mls-3.7.19-231.el6_5.3.noarch
>>> selinux-policy-3.7.19-231.el6_5.3.noarch
>>> libselinux-2.0.94-5.3.el6_4.1.x86_64
>>>
>>> Thanks,
>>>
>>> Harold
>>>
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>>>
>> Should you maybe recompile the module with the -M switch?
>> *-M,--mls* Enable the MLS/MCS support when checking and compiling the
>> policy module.
>>
>>
>
> Please don't top post...  It makes it hard to follow the discussion.
>
> Using this advice, I checked out the Makefile which compiles the module.  It uses the file "/etc/selinux/config" to determine the type of module to make.  So, I changed:
>
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #     enforcing - SELinux security policy is enforced.
> #     permissive - SELinux prints warnings instead of enforcing.
> #     disabled - No SELinux policy is loaded.
> SELINUX=enforcing
> # SELINUXTYPE= can take one of these two values:
> #     targeted - Targeted processes are protected,
> #     mls - Multi Level Security protection.
> SELINUXTYPE=targeted
>
> to
>
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #     enforcing - SELinux security policy is enforced.
> #     permissive - SELinux prints warnings instead of enforcing.
> #     disabled - No SELinux policy is loaded.
> SELINUX=enforcing
> # SELINUXTYPE= can take one of these two values:
> #     targeted - Targeted processes are protected,
> #     mls - Multi Level Security protection.
> SELINUXTYPE=mls
>
> ran "make clean" followed by "make" with the following results:
>
> # make
> Compiling mls spamass-milter module
> /usr/bin/checkmodule:  loading policy configuration from tmp/spamass-milter.tmp
> /usr/bin/checkmodule:  policy configuration loaded
> /usr/bin/checkmodule:  writing binary representation (version 10) to tmp/spamass-milter.mod
> Creating mls spamass-milter.pp policy package
> rm tmp/spamass-milter.mod.fc tmp/spamass-milter.mod
>
> Followed by:
>
> # semodule -vi spamass-milter.pp
> Attempting to install module 'spamass-milter.pp':
> Ok: return value of 0.
> Committing changes:
> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base. (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule:  Failed!
>
> # semodule -l | grep spam
> spamassassin    2.2.0
>
> Still no joy!  The make command claims to have made a mls policy package, but the semodule -i command says it's non-MLS.
>
More testing seems to indicate that the Makefile is broken.

Running make followed by semodule to load the new module generates the error.  If, however, I manually run the following commands everything works fine, the module is loaded, and selinux no longer blocks the desired action:

audit2allow -m spamass-milter < /var/log/audit/audit.log > spamass-milter.te
checkmodule -M -m -o spamass-milter.mod spamass-milter.te
semodule_package -o spamass-milter.pp -m spamass-milter.mod
semodule -i spamass-milter.pp

Harold
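The manual sequence in the last message, wrapped into a small script that picks the checkmodule -M flag from SELINUXTYPE instead of relying on the devel Makefile; this is an added example, not code from the thread. It assumes the standard CentOS 6 tools (audit2allow, checkmodule, semodule_package, semodule) and that, as on CentOS 6, both the targeted (MCS) and mls base policies are MLS-capable, so both need a module built with -M.

```shell
#!/bin/sh
# Added example (not from the thread): build and install an SELinux policy
# module from audit.log without /usr/share/selinux/devel/Makefile.
set -eu

# Return the checkmodule flag needed for the base policy named in an
# /etc/selinux/config-style file (path given as $1 so it can be tested on a
# constructed file). On CentOS 6 targeted is MCS-enabled and mls is MLS, so
# both link only against a module compiled with -M; a plain "standard"
# policy (not shipped by CentOS) would need no flag.
mls_flag_for_config() {
    type=$(sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$1" | tail -n 1)
    case "${type:-targeted}" in
        targeted|mls|mcs) echo "-M" ;;
        *) echo "" ;;
    esac
}

# Build module NAME (.te -> .mod -> .pp) in the current directory from the
# audit log given as $2 (default /var/log/audit/audit.log).
build_module() {
    name=$1
    audit_log=${2:-/var/log/audit/audit.log}
    flag=$(mls_flag_for_config /etc/selinux/config)
    audit2allow -m "$name" -i "$audit_log" -o "$name.te"
    # audit2allow allows exactly what was denied: read the .te before it is
    # installed so a denial you did not intend to permit is not turned into
    # a permanent allow rule.
    cat "$name.te"
    # -m: non-base module; -M: MLS/MCS support so semodule can link it
    checkmodule $flag -m -o "$name.mod" "$name.te"
    semodule_package -o "$name.pp" -m "$name.mod"
}

# Install the package and confirm it appears in the loaded module list.
install_module() {
    semodule -i "$1.pp"
    semodule -l | grep "^$1"
}

# Usage (as root, after reproducing the denial in permissive mode):
#   build_module spamass-milter && install_module spamass-milter
```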