On 8/1/2014 10:47 PM, Gardner Bell wrote:
>
>
> On 1 August 2014 22:33, Harold Pritchett <harold@xxxxxxx> wrote:
>
>> I am having problems making selinux modules on CentOS 6.
>>
>> Under CentOS 5, the following procedure works:
>>
>> Procedure to make an selinux policy named mickey1...
>>
>> # su -
>> # cd /var/log/audit
>> # rm *
>> # service auditd restart
>> # echo 0 > /selinux/enforce
>> # Do whatever selinux is blocking...
>> # echo 1 > /selinux/enforce
>> # touch /.autorelabel
>> # shutdown -fr now
>>
>> log back on as root...
>>
>> # cd /root
>> # mkdir tmp selinux
>> # cd tmp
>> # chcon -R -t usr_t .
>> # ln -s /usr/share/selinux/devel/Makefile .
>> # audit2allow -m mickey1 -i /var/log/audit/audit.log -o mickey1.te
>> # make -f /usr/share/selinux/devel/Makefile
>> # mv filename.te filename.pp ../selinux/
>> # cd ../selinux
>> # semodule -i filename.pp
>>
>> This works fine on CentOS 5. I have been doing this on half a dozen
>> servers I support.
>>
>> Unfortunately, on CentOS 6 I get the following:
>>
>> # semodule -i mickey1.pp
>> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> (No such file or directory).
>> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
>> directory).
>> semodule: Failed!
>>
>> Does anyone have any idea what I am doing wrong? How do I get this to
>> work on CentOS 6? I've googled this until I'm blue in the face and can't
>> seem to find the answer.
>>
>> More info:
>>
>> # cat /etc/redhat-release
>> CentOS release 6.5 (Final)
>>
>> # uname -a
>> Linux xyzzy.plugh.net 2.6.32-431.20.5.el6.x86_64 #1 SMP Fri Jul 25
>> 08:34:44 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>
>> # rpm -qa | grep selinux
>> selinux-policy-minimum-3.7.19-231.el6_5.3.noarch
>> libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
>> selinux-policy-targeted-3.7.19-231.el6_5.3.noarch
>> selinux-policy-doc-3.7.19-231.el6_5.3.noarch
>> libselinux-python-2.0.94-5.3.el6_4.1.x86_64
>> libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
>> libselinux-2.0.94-5.3.el6_4.1.i686
>> selinux-policy-mls-3.7.19-231.el6_5.3.noarch
>> selinux-policy-3.7.19-231.el6_5.3.noarch
>> libselinux-2.0.94-5.3.el6_4.1.x86_64
>>
>> Thanks,
>>
>> Harold
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS@xxxxxxxxxx
>> http://lists.centos.org/mailman/listinfo/centos
>>
> Should you maybe recompile the module with the -M switch?
> *-M,--mls* Enable the MLS/MCS support when checking and compiling the
> policy module.
>
>

Please don't top post... It makes it hard to follow the discussion.

Using this advice, I checked out the Makefile which compiles the module. It
uses the file "/etc/selinux/config" to determine the type of module to make.
So, I changed:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

to

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=mls

ran "make clean" followed by "make" with the following results:

# make
Compiling mls spamass-milter module
/usr/bin/checkmodule: loading policy configuration from tmp/spamass-milter.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/spamass-milter.mod
Creating mls spamass-milter.pp policy package
rm tmp/spamass-milter.mod.fc tmp/spamass-milter.mod

Followed by:

# semodule -vi spamass-milter.pp
Attempting to install module 'spamass-milter.pp':
Ok: return value of 0.
Committing changes:
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base. (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!

# semodule -l | grep spam
spamassassin 2.2.0

Still no joy! The make command claims to have made a mls policy package,
but the semodule -i command says it's non-MLS.

I'm confused...

Thanks

Harold