Re: [CentOS] SELinux : semodule_package, magic number does not match
On 01/18/2011 03:13 AM, Philippe Naudin wrote:
> On Mon 17 Jan 2011 14:32:22 CET, Daniel J Walsh wrote:
>
>> On 01/17/2011 08:25 AM, Philippe Naudin wrote:
>>> Hello,
>>>
>>> I am trying to create a custom policy, but with no success:
>>>
>>> $ cat < foo.te
>>> module local 1.0;
>>>
>>> require {
>>>         type httpd_sys_script_exec_t;
>>>         type httpd_sys_script_t;
>>>         class lnk_file read;
>>> }
>>>
>>> #= httpd_sys_script_t ==
>>> allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
>>> EOF
>>>
>>> $ checkmodule -M -m -o foo.mod foo.te
>>> checkmodule: loading policy configuration from foo.te
>>> checkmodule: policy configuration loaded
>>> checkmodule: writing binary representation (version 6) to foo.mod
>>>
>>> $ semodule_package -o foo.pp -m foo.mod
>>> $ echo $?
>>> 0
>>> # So far, so good. But:
>>>
>>> $ checkmodule -b foo.pp
>>> checkmodule: loading policy configuration from foo.pp
>>> libsepol.policydb_read: policydb magic number 0xf97cff8f does not match
>>> expected magic number 0xf97cff8c or 0xf97cff8d
>>> checkmodule: error(s) encountered while parsing configuration
>>> # And trying to "semodule -i foo.pp" fails completely.
>>>
>> Wrong command.
>>
>> semodule -i foo.pp
>
> Yes, I have tried this one too:
>
> $ semodule -i /usr/share/selinux/targeted/http_lnk_exec.pp
> $ echo $?
> 0
>
> Everything seems OK, but:
> $ semodule -l
> aisexec 1.0.0
> amavis 1.1.0
> ccs 1.0.0
> clamav 1.1.0
> clogd 1.0.0
> dcc 1.1.0
> dnsmasq 1.1.1
> evolution 1.1.0
> ipsec 1.4.0
> iscsid 1.0.0
> local 1.0
> milter 1.0.0
> mozilla 1.1.0
> mplayer 1.1.0
> nagios 1.1.0
> oddjob 1.0.1
> pcscd 1.0.0
> postgrey 1.1.0
> prelude 1.0.0
> pyzor 1.1.0
> qemu 1.1.2
> razor 1.1.0
> rgmanager 1.0.0
> rhcs 1.1.0
> ricci 1.0.0
> smartmon 1.1.0
> spamassassin 1.9.0
> vhostmd 1.0.0
> virt 1.2.1
> zosremote 1.0.0
>
> My module is not listed, and testing shows that the new rule is not
> used:
> $ audit2why < /var/log/audit/audit.log | grep AVC
> type=AVC msg=audit(1295337185.859:297): avc: denied { read } for
> pid=1854 comm="httpd" name="post-commit" dev=sda3 ino=295635
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file
>
>> I am not sure what
>>
>> checkmodule -b foo.pp
>>
>> will do.
>
> Without "-o", it is supposed to check the syntax of foo.pp. It is
> the only explanation I can get on why "semodule -i" fails in my case.
>
> Any other suggestion? I am completely stuck...
>

I always build my pp files using

make -f /usr/share/selinux/devel/Makefile

And do not pay much attention to the man behind the curtain.

The only reason I can imagine for a screw up would be a tool chain
difference. Are you using all the same versions of the tool chain:
checkpolicy, libsemanage, policycoreutils, libselinux, selinux-policy
as shipped with RHEL5?

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SELinux : semodule_package, magic number does not match
On Mon 17 Jan 2011 14:32:22 CET, Daniel J Walsh wrote:
> On 01/17/2011 08:25 AM, Philippe Naudin wrote:
> > Hello,
> >
> > I am trying to create a custom policy, but with no success:
> >
> > $ cat < foo.te
> > module local 1.0;
> >
> > require {
> >         type httpd_sys_script_exec_t;
> >         type httpd_sys_script_t;
> >         class lnk_file read;
> > }
> >
> > #= httpd_sys_script_t ==
> > allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
> > EOF
> >
> > $ checkmodule -M -m -o foo.mod foo.te
> > checkmodule: loading policy configuration from foo.te
> > checkmodule: policy configuration loaded
> > checkmodule: writing binary representation (version 6) to foo.mod
> >
> > $ semodule_package -o foo.pp -m foo.mod
> > $ echo $?
> > 0
> > # So far, so good. But:
> >
> > $ checkmodule -b foo.pp
> > checkmodule: loading policy configuration from foo.pp
> > libsepol.policydb_read: policydb magic number 0xf97cff8f does not match
> > expected magic number 0xf97cff8c or 0xf97cff8d
> > checkmodule: error(s) encountered while parsing configuration
> > # And trying to "semodule -i foo.pp" fails completely.
> >
> Wrong command.
>
> semodule -i foo.pp

Yes, I have tried this one too:

$ semodule -i /usr/share/selinux/targeted/http_lnk_exec.pp
$ echo $?
0

Everything seems OK, but:
$ semodule -l
aisexec 1.0.0
amavis 1.1.0
ccs 1.0.0
clamav 1.1.0
clogd 1.0.0
dcc 1.1.0
dnsmasq 1.1.1
evolution 1.1.0
ipsec 1.4.0
iscsid 1.0.0
local 1.0
milter 1.0.0
mozilla 1.1.0
mplayer 1.1.0
nagios 1.1.0
oddjob 1.0.1
pcscd 1.0.0
postgrey 1.1.0
prelude 1.0.0
pyzor 1.1.0
qemu 1.1.2
razor 1.1.0
rgmanager 1.0.0
rhcs 1.1.0
ricci 1.0.0
smartmon 1.1.0
spamassassin 1.9.0
vhostmd 1.0.0
virt 1.2.1
zosremote 1.0.0

My module is not listed, and testing shows that the new rule is not
used:
$ audit2why < /var/log/audit/audit.log | grep AVC
type=AVC msg=audit(1295337185.859:297): avc: denied { read } for
pid=1854 comm="httpd" name="post-commit" dev=sda3 ino=295635
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file

> I am not sure what
>
> checkmodule -b foo.pp
>
> will do.

Without "-o", it is supposed to check the syntax of foo.pp. It is
the only explanation I can get on why "semodule -i" fails in my case.

Any other suggestion? I am completely stuck...

--
Philippe
Re: [CentOS] SELinux : semodule_package, magic number does not match
On 01/17/2011 08:25 AM, Philippe Naudin wrote:
> Hello,
>
> I am trying to create a custom policy, but with no success:
>
> $ cat < foo.te
> module local 1.0;
>
> require {
>         type httpd_sys_script_exec_t;
>         type httpd_sys_script_t;
>         class lnk_file read;
> }
>
> #= httpd_sys_script_t ==
> allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
> EOF
>
> $ checkmodule -M -m -o foo.mod foo.te
> checkmodule: loading policy configuration from foo.te
> checkmodule: policy configuration loaded
> checkmodule: writing binary representation (version 6) to foo.mod
>
> $ semodule_package -o foo.pp -m foo.mod
> $ echo $?
> 0
> # So far, so good. But:
>
> $ checkmodule -b foo.pp
> checkmodule: loading policy configuration from foo.pp
> libsepol.policydb_read: policydb magic number 0xf97cff8f does not match
> expected magic number 0xf97cff8c or 0xf97cff8d
> checkmodule: error(s) encountered while parsing configuration
> # And trying to "semodule -i foo.pp" fails completely.
>

Wrong command.

semodule -i foo.pp

Is what you want to execute.

I am not sure what

checkmodule -b foo.pp

will do.

> So here come my questions:
>
> - is there a boolean to allow httpd to execute a script "symlinked"?
>   (scontext=system_u:system_r:httpd_sys_script_t:s0
>   tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file)
> - can someone reproduce the error described above?
> - any clue on how to fix it?
>
> (For the curious one: I am fighting svn hooks on a filesystem
> mounted "-o noexec".)
>
> Additional info:
> $ rpm -qa 'kernel*' '*selinux*'
> kernel-2.6.18-194.26.1.el5
> kernel-2.6.18-194.32.1.el5
> kernel-devel-2.6.18-194.26.1.el5
> kernel-devel-2.6.18-194.32.1.el5
> kernel-headers-2.6.18-194.32.1.el5
> libselinux-1.33.4-5.5.el5
> libselinux-devel-1.33.4-5.5.el5
> libselinux-python-1.33.4-5.5.el5
> libselinux-utils-1.33.4-5.5.el5
> selinux-policy-2.4.6-279.el5_5.2
> selinux-policy-devel-2.4.6-279.el5_5.2
> selinux-policy-targeted-2.4.6-279.el5_5.2
> $ uname -a
> Linux despina 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:20 EST 2010
> x86_64 x86_64 x86_64 GNU/Linux
>
> Thanks,
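Two points in this thread lend themselves to a small script: Dan's remark that he does not know what "checkmodule -b foo.pp" will do, and his advice to build .pp files with the policy devel Makefile and to check for a mixed tool chain. The following is an added example, not code from the thread or from the SELinux project. It reads the four-byte magic number at the start of a policy file and names the file kind using the three values that appear in the error message quoted above; the mapping (0xf97cff8c kernel binary policy, 0xf97cff8d binary policy module as written by "checkmodule -M -m", 0xf97cff8f module package as written by semodule_package) is taken from libsepol and is an assumption of the example, as are a little-endian host and the stock CentOS 5 paths. The function names are invented for the example.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for the workflow Dan describes.
# Assumptions: a little-endian host (x86_64 as in the thread), the stock
# CentOS/RHEL 5 paths, and the libsepol meaning of the three magic numbers
# from the error message: 0xf97cff8c is a kernel binary policy, 0xf97cff8d a
# binary policy module (.mod), 0xf97cff8f a module package (.pp).

# Print which kind of policy file the first four bytes say this is.
# "checkmodule -b" reads the first two kinds only, which is why pointing it
# at a .pp package fails with "magic number 0xf97cff8f does not match".
policy_file_kind() {
    bytes=$(od -An -tx1 -N4 "$1") || return 1
    set -- $bytes
    [ $# -eq 4 ] || { echo "too-short"; return 1; }
    # The number is stored little-endian, so reverse the bytes to print it.
    magic="0x$4$3$2$1"
    case $magic in
        0xf97cff8c) echo "kernel-policy" ;;
        0xf97cff8d) echo "policy-module" ;;
        0xf97cff8f) echo "module-package" ;;
        *) echo "unknown($magic)"; return 1 ;;
    esac
}

# Extract NAME from the "module NAME VERSION;" line of a .te file.
# "semodule -l" lists a loaded module under this name, not under the file name.
te_module_name() {
    sed -n 's/^module[[:space:]][[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | head -n 1
}

# Show the packages Dan asks about, so a mixed tool chain is visible at a glance.
show_toolchain() {
    rpm -q checkpolicy libsemanage policycoreutils libselinux selinux-policy
}

# Build BASE.pp from BASE.te with the policy devel Makefile, confirm the output
# really is a module package, load it, and confirm it shows up in "semodule -l".
build_and_load_module() {
    base=$1
    make -f /usr/share/selinux/devel/Makefile "$base.pp" || return 1
    [ "$(policy_file_kind "$base.pp")" = "module-package" ] || return 1
    semodule -i "$base.pp" || return 1
    modname=$(te_module_name "$base.te")
    semodule -l | grep -q "^$modname[[:space:]]" ||
        { echo "$modname is not in the loaded module list" >&2; return 1; }
}
```

Run "build_and_load_module foo" in the directory holding foo.te. The thread's foo.te declares "module local 1.0;", so the final check looks for "local", which is the name under which "semodule -l" would list it. A loaded rule only helps when its source type matches the denial: the AVC record quoted in the thread has scontext httpd_t while the allow rule names httpd_sys_script_t, so running audit2allow over that audit line is the quickest way to see which rule the denial actually calls for.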