I have a simple helloworld example and policy module with the following
line in the helloworldfile.fc file:
/usr/local/test/HelloWorldFile --
gen_context(root:object_r:helloworld_exec_t,__SYSTEMLOW__)
When I make the policy using "make load", it appears to install the
helloworldfile.pp in /usr/share/selinux/mls and then install it using
semodule. After doing this if I use restorecon to set the file context
of /usr/local/test/HelloWorldFile, the context is incorrect. It has the
type usr_t, which is the type for the /usr/local/test directory. If I
then manually install the module using "/usr/sbin/semodule -i
/usr/share/selinux/mls/helloworldfile.pp", and again use restorecon to
reset the file context, it has the correct context. I have no idea why
the module install during the "make" process is not working correctly.
I'd appreciate any help in figuring out what is going on.
I'm using RHEL5.1 with the mls policy. Below I have captured the
sequence of commands described above, along with the output.
Thanks
[clarkson@m2ut5 test]# make load
Compliling mls helloworldfile.mod module
echo "ifdef(\`""helloworldfile""_per_role_template',\`" >
tmp/helloworldfile.mod.role
m4 -D strict_policy -D enable_mls -D mls_num_sens=5 -D mls_num_cats=256
-D mcs_num_cats=256 -D hide_broken_symptoms policy/rolemap | gawk
'/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $3 "; role " $1
";)\nhelloworldfile_per_role_template(" $2 "," $3 "," $1 ")" }' >>
tmp/helloworldfile.mod.role
echo "')" >> tmp/helloworldfile.mod.role
echo "ifdef(\`""helloworldfile""_per_userdomain_template',\`" >>
tmp/helloworldfile.mod.role
echo "errprint(\`Warning: per_userdomain_templates have been renamed to
per_role_templates
(""helloworldfile""_per_userdomain_template)'__endline__)" >>
tmp/helloworldfile.mod.role
m4 -D strict_policy -D enable_mls -D mls_num_sens=5 -D mls_num_cats=256
-D mcs_num_cats=256 -D hide_broken_symptoms policy/rolemap | gawk
'/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $3 "; role " $1
";)\nhelloworldfile_per_userdomain_template(" $2 "," $3 "," $1 ")" }' >>
tmp/helloworldfile.mod.role
echo "')" >> tmp/helloworldfile.mod.role
m4 -D strict_policy -D enable_mls -D mls_num_sens=5 -D mls_num_cats=256
-D mcs_num_cats=256 -D hide_broken_symptoms -s
policy/support/fc_dir_variables.spt policy/support/file_patterns.spt
policy/support/loadable_module.spt policy/support/misc_macros.spt
policy/support/mls_mcs_macros.spt policy/support/obj_perm_sets.spt
tmp/generated_definitions.conf tmp/all_interfaces.conf
policy/modules/apps/helloworldfile.te tmp/helloworldfile.mod.role >
tmp/helloworldfile.tmp
/usr/bin/checkmodule -M -m tmp/helloworldfile.tmp -o
tmp/helloworldfile.mod
/usr/bin/checkmodule: loading policy configuration from
tmp/helloworldfile.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to
tmp/helloworldfile.mod
m4 -D strict_policy -D enable_mls -D mls_num_sens=5 -D mls_num_cats=256
-D mcs_num_cats=256 -D hide_broken_symptoms
policy/support/fc_dir_variables.spt policy/support/file_patterns.spt
policy/support/loadable_module.spt policy/support/misc_macros.spt
policy/support/mls_mcs_macros.spt policy/support/obj_perm_sets.spt
policy/support/fc_dir_variables.spt policy/support/file_patterns.spt
policy/support/loadable_module.spt policy/support/misc_macros.spt
policy/support/mls_mcs_macros.spt policy/support/obj_perm_sets.spt
policy/modules/apps/helloworldfile.fc > tmp/helloworldfile.mod.fc
Creating mls helloworldfile.pp policy package
/usr/bin/semodule_package -o helloworldfile.pp -m tmp/helloworldfile.mod
-f tmp/helloworldfile.mod.fc
Installing mls helloworldfile.pp policy package.
install -m 0644 helloworldfile.pp /usr/share/selinux/mls
Loading configured modules.
/usr/sbin/semodule -s mls -b /usr/share/selinux/mls/base.pp -i
/usr/share/selinux/mls/acct.pp -i /usr/share/selinux/mls/ada.pp -i
/usr/share/selinux/mls/afs.pp -i /usr/share/selinux/mls/aide.pp -i
/usr/share/selinux/mls/alsa.pp -i /usr/share/selinux/mls/amanda.pp -i
/usr/share/selinux/mls/amavis.pp -i /usr/share/selinux/mls/amtu.pp -i
/usr/share/selinux/mls/anaconda.pp -i /usr/share/selinux/mls/apache.pp
-i /usr/share/selinux/mls/apm.pp -i /usr/share/selinux/mls/apt.pp -i
/usr/share/selinux/mls/arpwatch.pp -i /usr/share/selinux/mls/asterisk.pp
-i /usr/share/selinux/mls/audioentropy.pp -i
/usr/share/selinux/mls/audit.pp -i /usr/share/selinux/mls/authbind.pp -i
/usr/share/selinux/mls/authlogin.pp -i
/usr/share/selinux/mls/automount.pp -i /usr/share/selinux/mls/avahi.pp
-i /usr/share/selinux/mls/backup.pp -i /usr/share/selinux/mls/bind.pp -i
/usr/share/selinux/mls/bluetooth.pp -i
/usr/share/selinux/mls/bootloader.pp -i
/usr/share/selinux/mls/calamaris.pp -i /usr/share/selinux/mls/canna.pp
-i /usr/share/selinux/mls/ccs.pp -i /usr/share/selinux/mls/cdrecord.pp
-i /usr/share/selinux/mls/certwatch.pp -i /usr/share/selinux/mls/cipe.pp
-i /usr/share/selinux/mls/clamav.pp -i /usr/share/selinux/mls/clock.pp
-i /usr/share/selinux/mls/clockspeed.pp -i
/usr/share/selinux/mls/comsat.pp -i
/usr/share/selinux/mls/consoletype.pp -i
/usr/share/selinux/mls/courier.pp -i
/usr/share/selinux/mls/cpucontrol.pp -i /usr/share/selinux/mls/cron.pp
-i /usr/share/selinux/mls/cups.pp -i /usr/share/selinux/mls/cvs.pp -i
/usr/share/selinux/mls/cyrus.pp -i /usr/share/selinux/mls/daemontools.pp
-i /usr/share/selinux/mls/dante.pp -i /usr/share/selinux/mls/dbskk.pp -i
/usr/share/selinux/mls/dbus.pp -i /usr/share/selinux/mls/dcc.pp -i
/usr/share/selinux/mls/ddclient.pp -i /usr/share/selinux/mls/ddcprobe.pp
-i /usr/share/selinux/mls/dhcp.pp -i /usr/share/selinux/mls/dictd.pp -i
/usr/share/selinux/mls/distcc.pp -i /usr/share/selinux/mls/djbdns.pp -i
/usr/share/selinux/mls/dmesg.pp -i /usr/share/selinux/mls/dmidecode.pp
-i /usr/share/selinux/mls/dnsmasq.pp -i
/usr/share/selinux/mls/dovecot.pp -i /usr/share/selinux/mls/dpkg.pp -i
/usr/share/selinux/mls/ethereal.pp -i
/usr/share/selinux/mls/evolution.pp -i /usr/share/selinux/mls/export.pp
-i /usr/share/selinux/mls/fail2ban.pp -i
/usr/share/selinux/mls/fetchmail.pp -i /usr/share/selinux/mls/finger.pp
-i /usr/share/selinux/mls/firstboot.pp -i
/usr/share/selinux/mls/frontgate.pp -i /usr/share/selinux/mls/fstools.pp
-i /usr/share/selinux/mls/ftp.pp -i /usr/share/selinux/mls/ftp_trans.pp
-i /usr/share/selinux/mls/games.pp -i
/usr/share/selinux/mls/gatekeeper.pp -i /usr/share/selinux/mls/getty.pp
-i /usr/share/selinux/mls/gift.pp -i /usr/share/selinux/mls/gnome.pp -i
/usr/share/selinux/mls/gpg.pp -i /usr/share/selinux/mls/gpm.pp -i
/usr/share/selinux/mls/hal.pp -i
/usr/share/selinux/mls/helloworldfile.pp -i
/usr/share/selinux/mls/hostname.pp -i /usr/share/selinux/mls/hotplug.pp
-i /usr/share/selinux/mls/howl.pp -i
/usr/share/selinux/mls/i18n_input.pp -i /usr/share/selinux/mls/imaze.pp
-i /usr/share/selinux/mls/import.pp -i /usr/share/selinux/mls/inetd.pp
-i /usr/share/selinux/mls/init.pp -i /usr/share/selinux/mls/inn.pp -i
/usr/share/selinux/mls/ipsec.pp -i /usr/share/selinux/mls/iptables.pp -i
/usr/share/selinux/mls/irc.pp -i /usr/share/selinux/mls/ircd.pp -i
/usr/share/selinux/mls/irqbalance.pp -i /usr/share/selinux/mls/iscsi.pp
-i /usr/share/selinux/mls/jabber.pp -i /usr/share/selinux/mls/java.pp -i
/usr/share/selinux/mls/kerberos.pp -i /usr/share/selinux/mls/ktalk.pp -i
/usr/share/selinux/mls/kudzu.pp -i /usr/share/selinux/mls/ldap.pp -i
/usr/share/selinux/mls/libraries.pp -i
/usr/share/selinux/mls/loadkeys.pp -i
/usr/share/selinux/mls/locallogin.pp -i
/usr/share/selinux/mls/lockdev.pp -i /usr/share/selinux/mls/logging.pp
-i /usr/share/selinux/mls/logrotate.pp -i
/usr/share/selinux/mls/logwatch.pp -i /usr/share/selinux/mls/lpd.pp -i
/usr/share/selinux/mls/lvm.pp -i /usr/share/selinux/mls/mailman.pp -i
/usr/share/selinux/mls/miscfiles.pp -i
/usr/share/selinux/mls/modutils.pp -i /usr/share/selinux/mls/mono.pp -i
/usr/share/selinux/mls/monop.pp -i /usr/share/selinux/mls/mount.pp -i
/usr/share/selinux/mls/mozilla.pp -i /usr/share/selinux/mls/mplayer.pp
-i /usr/share/selinux/mls/mrtg.pp -i /usr/share/selinux/mls/mta.pp -i
/usr/share/selinux/mls/munin.pp -i /usr/share/selinux/mls/mysql.pp -i
/usr/share/selinux/mls/nagios.pp -i /usr/share/selinux/mls/nessus.pp -i
/usr/share/selinux/mls/netlabel.pp -i /usr/share/selinux/mls/netutils.pp
-i /usr/share/selinux/mls/networkmanager.pp -i
/usr/share/selinux/mls/nis.pp -i /usr/share/selinux/mls/nscd.pp -i
/usr/share/selinux/mls/nsd.pp -i /usr/share/selinux/mls/ntop.pp -i
/usr/share/selinux/mls/ntp.pp -i /usr/share/selinux/mls/nx.pp -i
/usr/share/selinux/mls/oav.pp -i /usr/share/selinux/mls/oddjob.pp -i
/usr/share/selinux/mls/openca.pp -i /usr/share/selinux/mls/openct.pp -i
/usr/share/selinux/mls/openvpn.pp -i /usr/share/selinux/mls/oracle_db.pp
-i /usr/share/selinux/mls/oracle_sp.pp -i
/usr/share/selinux/mls/pcmcia.pp -i /usr/share/selinux/mls/pcs.pp -i
/usr/share/selinux/mls/pcscd.pp -i /usr/share/selinux/mls/pegasus.pp -i
/usr/share/selinux/mls/perdition.pp -i /usr/share/selinux/mls/portage.pp
-i /usr/share/selinux/mls/portmap.pp -i
/usr/share/selinux/mls/portslave.pp -i /usr/share/selinux/mls/postfix.pp
-i /usr/share/selinux/mls/postgresql.pp -i
/usr/share/selinux/mls/postgrey.pp -i /usr/share/selinux/mls/ppp.pp -i
/usr/share/selinux/mls/prelink.pp -i /usr/share/selinux/mls/privoxy.pp
-i /usr/share/selinux/mls/procmail.pp -i
/usr/share/selinux/mls/publicfile.pp -i /usr/share/selinux/mls/pxe.pp -i
/usr/share/selinux/mls/pyzor.pp -i /usr/share/selinux/mls/qmail.pp -i
/usr/share/selinux/mls/query.pp -i /usr/share/selinux/mls/quota.pp -i
/usr/share/selinux/mls/radius.pp -i /usr/share/selinux/mls/radvd.pp -i
/usr/share/selinux/mls/raid.pp -i /usr/share/selinux/mls/razor.pp -i
/usr/share/selinux/mls/rdisc.pp -i /usr/share/selinux/mls/readahead.pp
-i /usr/share/selinux/mls/remotelogin.pp -i
/usr/share/selinux/mls/resmgr.pp -i /usr/share/selinux/mls/rhgb.pp -i
/usr/share/selinux/mls/ricci.pp -i /usr/share/selinux/mls/rlogin.pp -i
/usr/share/selinux/mls/roundup.pp -i /usr/share/selinux/mls/rpc.pp -i
/usr/share/selinux/mls/rpm.pp -i /usr/share/selinux/mls/rshd.pp -i
/usr/share/selinux/mls/rssh.pp -i /usr/share/selinux/mls/rsync.pp -i
/usr/share/selinux/mls/samba.pp -i /usr/share/selinux/mls/sasl.pp -i
/usr/share/selinux/mls/screen.pp -i
/usr/share/selinux/mls/selinuxutil.pp -i
/usr/share/selinux/mls/sendmail.pp -i
/usr/share/selinux/mls/setcontest.pp -i
/usr/share/selinux/mls/setrans.pp -i
/usr/share/selinux/mls/setroubleshoot.pp -i
/usr/share/selinux/mls/slocate.pp -i /usr/share/selinux/mls/slrnpull.pp
-i /usr/share/selinux/mls/smartmon.pp -i /usr/share/selinux/mls/snmp.pp
-i /usr/share/selinux/mls/snort.pp -i
/usr/share/selinux/mls/soundserver.pp -i
/usr/share/selinux/mls/spamassassin.pp -i
/usr/share/selinux/mls/speedtouch.pp -i /usr/share/selinux/mls/squid.pp
-i /usr/share/selinux/mls/ssh.pp -i /usr/share/selinux/mls/storage.pp -i
/usr/share/selinux/mls/stunnel.pp -i /usr/share/selinux/mls/su.pp -i
/usr/share/selinux/mls/sudo.pp -i /usr/share/selinux/mls/sxid.pp -i
/usr/share/selinux/mls/sysnetwork.pp -i
/usr/share/selinux/mls/sysstat.pp -i /usr/share/selinux/mls/tcpd.pp -i
/usr/share/selinux/mls/telnet.pp -i /usr/share/selinux/mls/tftp.pp -i
/usr/share/selinux/mls/thunderbird.pp -i
/usr/share/selinux/mls/timidity.pp -i
/usr/share/selinux/mls/tmpreaper.pp -i /usr/share/selinux/mls/tor.pp -i
/usr/share/selinux/mls/transproxy.pp -i
/usr/share/selinux/mls/tripwire.pp -i /usr/share/selinux/mls/tvtime.pp
-i /usr/share/selinux/mls/tzdata.pp -i
/usr/share/selinux/mls/ucspitcp.pp -i /usr/share/selinux/mls/udev.pp -i
/usr/share/selinux/mls/uml.pp -i /usr/share/selinux/mls/unconfined.pp -i
/usr/share/selinux/mls/updfstab.pp -i /usr/share/selinux/mls/uptime.pp
-i /usr/share/selinux/mls/usbmodules.pp -i
/usr/share/selinux/mls/userdomain.pp -i
/usr/share/selinux/mls/userhelper.pp -i
/usr/share/selinux/mls/usermanage.pp -i
/usr/share/selinux/mls/usernetctl.pp -i /usr/share/selinux/mls/uucp.pp
-i /usr/share/selinux/mls/uwimap.pp -i /usr/share/selinux/mls/vbetool.pp
-i /usr/share/selinux/mls/vmware.pp -i /usr/share/selinux/mls/vpn.pp -i
/usr/share/selinux/mls/watchdog.pp -i
/usr/share/selinux/mls/webalizer.pp -i
/usr/share/selinux/mls/weblogic.pp -i /usr/share/selinux/mls/wine.pp -i
/usr/share/selinux/mls/xen.pp -i /usr/share/selinux/mls/xfs.pp -i
/usr/share/selinux/mls/xprint.pp -i /usr/share/selinux/mls/xserver.pp -i
/usr/share/selinux/mls/yam.pp -i /usr/share/selinux/mls/zebra.pp
rm tmp/helloworldfile.mod.fc tmp/helloworldfile.mod
[clarkson@m2ut5 policy]# cd /usr/local/test
[clarkson@m2ut5 test]# /sbin/restorecon HelloWorldFile
[clarkson@m2ut5 test]# ls -Z HelloWorldFile
-rwxr-xr-x clarkson m2 system_u:object_r:usr_t:SystemLow HelloWorldFile
[clarkson@m2ut5 test]# /usr/sbin/semodule -i
/usr/share/selinux/mls/helloworldfile.pp
[clarkson@m2ut5 test]# /sbin/restorecon HelloWorldFile
[clarkson@m2ut5 test]# ls -Z HelloWorldFile
-rwxr-xr-x clarkson m2 root:object_r:helloworld_exec_t:SystemLow
HelloWorldFile
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
