On Wed, 2006-09-27 at 11:33 -0400, Sandra Julieta Rueda Rodriguez wrote:
> Hello,
>
> I was playing with semodule (trying to understand how it works) so I added
> a module. Later I also played with refpolicy and monolithic building
> (again trying to understand how it works).
>
> Now I want to delete the module I loaded before and this is the message I
> am getting from the system:
>
> # semodule -v -r KnockServer
> Attempting to remove module 'KnockServer':
> Ok: return value of 0.
> Committing changes:
> /usr/sbin/load_policy: Can't load policy: Invalid argument
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> /usr/sbin/load_policy: Can't load policy: Invalid argument
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> semodule: Failed!
>
> semodule -l works fine (apparently) and one of the items in the list is
> KnockServer and its version.
> Is there any way to know why semodule -r is failing? What argument is
> invalid?

This typically means that the kernel rejected the policy, look for
messages in /var/log/messages. This can happen e.g. if you load a policy
that defines newer classes and permissions and later try to load a policy
that lacks those definitions, which would happen if you tried loading a
newer upstream policy and are now trying to revert to a stock FC5 policy.
The kernel has an overly conservative check at present that no class or
permission definitions can go away after initial policy load; the actual
requirement is just that no class or permission definition on which the
kernel relies should go away.

To recover, do something like:
# Remove the module, rebuild policy, but don't try to load it yet.
semodule -n -r KnockServer

Then reboot with the updated policy.

> I have other questions about modules: what is the relationship between the
> modules and the binary policy file installed at
> /etc/selinux/(strict|targeted)/policy? Does this file include just base
> modules? If so, where are the files for non-base modules stored? Is it
> another binary file?

The kernel binary policy file is generated from all of the kernel
policy-related data in the policy module store, including all modules
(base and non-base), local boolean settings, and network object
contexts. This is done by libsemanage, which is used by semodule,
semanage, and setsebool to apply changes to the policy.

-- 
Stephen Smalley
National Security Agency
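
The difference between the two checks described in the reply above, as an added Python sketch that is not part of the original thread and is not kernel code. It models a policy as a mapping from class name to permission set; every class, permission and variable name here is a constructed assumption.

```python
# Simplified model of the policy-reload check discussed above (not kernel code).
# A policy is modelled as {class_name: set_of_permissions}; all names are constructed.

def removed_definitions(reference, candidate):
    """Return definitions in `reference` that `candidate` lacks.
    A missing class is reported as (class, None), a missing permission as (class, perm)."""
    gone = []
    for cls in sorted(reference):
        if cls not in candidate:
            gone.append((cls, None))
            continue
        for perm in sorted(reference[cls] - candidate[cls]):
            gone.append((cls, perm))
    return gone

def conservative_check(loaded, candidate):
    """Overly conservative rule: nothing defined by the loaded policy may go away."""
    gone = removed_definitions(loaded, candidate)
    return (not gone, gone)

def required_only_check(kernel_required, candidate):
    """Actual requirement: only definitions the kernel relies on must remain."""
    gone = removed_definitions(kernel_required, candidate)
    return (not gone, gone)

# Constructed sample data: a newer policy with extra definitions, and a stock one.
KERNEL_REQUIRED = {"file": {"read", "write"}, "process": {"fork"}}
NEWER_POLICY = {
    "file": {"read", "write", "extra_perm"},
    "process": {"fork"},
    "extra_class": {"use"},
}
STOCK_POLICY = {"file": {"read", "write"}, "process": {"fork"}}

if __name__ == "__main__":
    # Reverting from the newer policy to the stock one at runtime.
    ok, gone = conservative_check(NEWER_POLICY, STOCK_POLICY)
    print("conservative rule accepts reload:", ok, "missing:", gone)
    ok, gone = required_only_check(KERNEL_REQUIRED, STOCK_POLICY)
    print("required-only rule accepts reload:", ok, "missing:", gone)
```

In this model the revert is rejected only because of the extra definitions in the previously loaded policy, which is why rebuilding without loading and then rebooting avoids the comparison.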