When I built a policy module with the latest selinux-policy-devel (3.0.5-1),
the Makefile didn't enable the MLS/MCS switch.
We had to add the "TYPE=mcs" option to avoid the problem.

----------------
[kaigai@masu policy]$ make NAME=targted -f /usr/share/selinux/devel/Makefile
Compiling targted sepostgresql module
/usr/bin/checkmodule: loading policy configuration from tmp/sepostgresql.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/sepostgresql.mod
Creating targted sepostgresql.pp policy package
rm tmp/sepostgresql.mod.fc tmp/sepostgresql.mod
[kaigai@masu policy]$ su
Password:
[root@masu policy]# /usr/sbin/semodule -i sepostgresql.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
[root@masu policy]#
----------------

I found the following differences between 3.0.4-1 and 3.0.5-1.

----------------
 # enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
+ifeq "$(TYPE)" "mls"
 M4PARAM += -D enable_mls
 CHECKPOLICY += -M
 CHECKMODULE += -M
 endif

 # enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
+ifeq "$(TYPE)" "mcs"
 M4PARAM += -D enable_mcs
 CHECKPOLICY += -M
 CHECKMODULE += -M
----------------

Because $(TYPE) is set as "$(NAME)${MCSFLAG}" in /usr/share/selinux/devel/Makefile,
the above blocks are skipped, then MLS/MCS is disabled.

I think the above blocks should be reverted.

--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
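
Review bot: the new exact comparisons `ifeq "$(TYPE)" "mls"` and `ifeq "$(TYPE)" "mcs"` only match when TYPE is the bare word, while the removed `findstring -mls` / `findstring -mcs` tests matched the flag anywhere in the value. With TYPE composed as "$(NAME)${MCSFLAG}", as the message reports for the devel Makefile, neither branch is taken, so `-D enable_mls` / `-D enable_mcs` and the `-M` flags for CHECKPOLICY and CHECKMODULE are dropped without any build-time error, and the mismatch only surfaces when semodule tries to link the module against an MLS base. Either restore the substring tests, or, if the stricter match is intentional, accept both the bare and the name-plus-flag forms of TYPE and make the build stop with an error when the module's MLS setting does not match the base policy. The second comment, "# enable MLS if MCS requested.", would also read more clearly if it said that MCS builds use the same `-M` switch.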