On Wed, Dec 7, 2011 at 8:32 AM, Steve Lawrence <slawrence@xxxxxxxxxx> wrote:
> On 12/03/2011 11:30 AM, Richard Haines wrote:
>> 5) I could not load a new policy that had a boolean and supporting
>> statements in it. The actual binary policy was fine (using apol), but
>> load_policy had problems. I started with a Fedora 16 base and added
>> the new Integration code with no problems. Is it a known problem as
>> if not I'll check further.
>> The errors I had when running semodule with a boolean were (Note: I
>> had already built a new base policy (SELINUXTYPE=rch-test1) with no
>> problems):
>
>
> Hmmm, this is interesting. Both seinfo and apol are fine with my
> CIL-generated binary, but fails to load when I add booleans. I also
> generated a similar mdp policy.conf, ran checkpolicy, and that failed to
> load as well. sediff also shows the two binaries to be the same.
>
> I'll look into this more, but because of that, I'm thinking this is a kernel
> bug. If anyone else wants to look at it, I've attached a simple file that is
> the standard mdp.conf with a single boolean defined, and single conditional
> statement using that boolean. This builds a binary fine, and apol/seinfo
> have no problem with it, but fails to load with load_policy.
>
>>
>> ------ Start --------------
>> # semodule -i base.cil ext_gateway.cil int_gateway.cil move_file.cil
>>
>> SELinux: Could not load policy file
>> /etc/selinux/rch-test1/policy/policy.26: No such file or directory
>> /sbin/load_policy: Can't load policy: No such file or directory
>>
>> libsemanage.semanage_reload_policy: load_policy returned error code 2. (No
>> such file or directory).
>> SELinux: Could not load policy file
>> /etc/selinux/rch-test1/policy/policy.26: No such file or directory
>> /sbin/load_policy: Can't load policy: No such file or directory
>>
>> libsemanage.semanage_reload_policy: load_policy returned error code 2. (No
>> such file or directory).
>> semodule: Failed!
>>
>> ----- End -----------------

If you send me the policy.X in question I'll spend a couple minutes
figuring out what the kernel is upset about...