Re: [CentOS] SELinux : semodule_package, magic number does not match

2011-01-18 Thread Philippe Naudin
Le lun 17 jan 2011 14:32:22 CET, Daniel J Walsh a écrit:

 On 01/17/2011 08:25 AM, Philippe Naudin wrote:
  Hello,
  
  I am trying to create a custom policy, but with no success:
  
  $ cat << EOF > foo.te
  module local 1.0;
  
  require {
  type httpd_sys_script_exec_t;
  type httpd_sys_script_t;
  class lnk_file read;
  }
  
  #= httpd_sys_script_t ==
  allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
  EOF
  
  $ checkmodule -M -m -o foo.mod foo.te
  checkmodule:  loading policy configuration from foo.te
  checkmodule:  policy configuration loaded
  checkmodule:  writing binary representation (version 6) to foo.mod
  
  $ semodule_package -o foo.pp -m foo.mod
  $ echo $?
  0
  # So far, so good. But:
  
  $ checkmodule -b foo.pp
  checkmodule:  loading policy configuration from foo.pp
  libsepol.policydb_read: policydb magic number 0xf97cff8f does not match 
  expected magic number 0xf97cff8c or 0xf97cff8d
  checkmodule:  error(s) encountered while parsing configuration
  # And trying to semodule -i foo.pp fails completely.
  
 Wrong command.
 
 semodule -i foo.pp

Yes, I have tried this one too:

$ semodule -i /usr/share/selinux/targeted/http_lnk_exec.pp
$ echo $?
0

Everything seems OK, but:
$ semodule -l
aisexec 1.0.0
amavis  1.1.0
ccs 1.0.0
clamav  1.1.0
clogd   1.0.0
dcc 1.1.0
dnsmasq 1.1.1
evolution   1.1.0
ipsec   1.4.0
iscsid  1.0.0
local   1.0
milter  1.0.0
mozilla 1.1.0
mplayer 1.1.0
nagios  1.1.0
oddjob  1.0.1
pcscd   1.0.0
postgrey1.1.0
prelude 1.0.0
pyzor   1.1.0
qemu1.1.2
razor   1.1.0
rgmanager   1.0.0
rhcs1.1.0
ricci   1.0.0
smartmon1.1.0
spamassassin1.9.0
vhostmd 1.0.0
virt1.2.1
zosremote   1.0.0

My module is not listed, and testing shows that the new rule is not
used:
$ audit2why < /var/log/audit/audit.log | grep AVC
type=AVC msg=audit(1295337185.859:297): avc:  denied  { read } for
pid=1854 comm=httpd name=post-commit dev=sda3 ino=295635
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file

 I am not sure what
 
 checkmodule -b foo.pp
 
 will do.

Without -o, it is supposed to check the syntax of foo.pp. It is
the only explanation I can get on why semodule -i fails in my case.

Any other suggestion? I am completely stuck...

-- 
Philippe
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
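
The `checkmodule -b foo.pp` failure in this thread is a format mismatch rather than a broken module: `checkmodule -b` reads a raw policydb (kernel policy, magic 0xf97cff8c, or a `.mod`, magic 0xf97cff8d), while `semodule_package` writes a module package whose leading magic is 0xf97cff8f, which is exactly what the error reports. As an added example (not code from this thread or from the SELinux tools), here is a small Python checker that reads the leading magic of a policy file and classifies it; the header fields beyond the magic (identification string and version for a policydb, version and section count for a package) follow my reading of libsepol's on-disk layout and are an assumption, and the sample headers are constructed.

```python
import struct

# The three magic numbers quoted in the checkmodule error above (libsepol constants).
POLICYDB_MAGIC = 0xF97CFF8C        # kernel binary policy: accepted by checkmodule -b
POLICYDB_MOD_MAGIC = 0xF97CFF8D    # loadable-module policydb: the .mod from checkmodule -M -m
MODULE_PACKAGE_MAGIC = 0xF97CFF8F  # module package: the .pp from semodule_package

KINDS = {
    POLICYDB_MAGIC: "kernel policydb",
    POLICYDB_MOD_MAGIC: "policy module (.mod)",
    MODULE_PACKAGE_MAGIC: "module package (.pp)",
}


def identify(blob):
    """Classify an SELinux policy blob by its leading little-endian u32 magic.

    Returns a dict with the kind and a few header fields; raises ValueError
    for anything that is not one of the three known formats.
    """
    if len(blob) < 12:
        raise ValueError("blob too short to carry a policy header")
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic not in KINDS:
        raise ValueError("unknown magic 0x%08x" % magic)
    info = {"kind": KINDS[magic], "magic": magic,
            # Only a raw policydb is valid input to checkmodule -b; a .pp wraps the
            # module in a package, which is why the thread's check reported a mismatch.
            "raw_policydb": magic != MODULE_PACKAGE_MAGIC}
    if magic == MODULE_PACKAGE_MAGIC:
        # Assumed package header after the magic: u32 version, u32 number of sections.
        info["version"], info["sections"] = struct.unpack_from("<II", blob, 4)
    else:
        # Assumed policydb header after the magic: u32 length, identification string, u32 version.
        slen = struct.unpack_from("<I", blob, 4)[0]
        if len(blob) < 12 + slen:
            raise ValueError("truncated policydb header")
        info["ident"] = blob[8:8 + slen].decode("ascii")
        info["version"] = struct.unpack_from("<I", blob, 8 + slen)[0]
    return info


def identify_file(path):
    """Read only the leading bytes of a file on disk and classify it."""
    with open(path, "rb") as f:
        return identify(f.read(64))


# Constructed sample headers (not real files from the thread); version 6 matches checkmodule's output above.
SAMPLE_MOD = struct.pack("<II", POLICYDB_MOD_MAGIC, 15) + b"SE Linux Module" + struct.pack("<I", 6)
SAMPLE_PP = struct.pack("<III", MODULE_PACKAGE_MAGIC, 1, 1)

if __name__ == "__main__":
    for name, blob in (("foo.mod", SAMPLE_MOD), ("foo.pp", SAMPLE_PP)):
        print(name, identify(blob))
```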


Re: [CentOS] SELinux : semodule_package, magic number does not match

2011-01-18 Thread Daniel J Walsh

On 01/18/2011 03:13 AM, Philippe Naudin wrote:
 Le lun 17 jan 2011 14:32:22 CET, Daniel J Walsh a écrit:
 

 On 01/17/2011 08:25 AM, Philippe Naudin wrote:
 Hello,

 I am trying to create a custom policy, but with no success:

 $ cat << EOF > foo.te
 module local 1.0;

 require {
 type httpd_sys_script_exec_t;
 type httpd_sys_script_t;
 class lnk_file read;
 }

 #= httpd_sys_script_t ==
 allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
 EOF

 $ checkmodule -M -m -o foo.mod foo.te
 checkmodule:  loading policy configuration from foo.te
 checkmodule:  policy configuration loaded
 checkmodule:  writing binary representation (version 6) to foo.mod

 $ semodule_package -o foo.pp -m foo.mod
 $ echo $?
 0
 # So far, so good. But:

 $ checkmodule -b foo.pp
 checkmodule:  loading policy configuration from foo.pp
 libsepol.policydb_read: policydb magic number 0xf97cff8f does not match 
 expected magic number 0xf97cff8c or 0xf97cff8d
 checkmodule:  error(s) encountered while parsing configuration
 # And trying to semodule -i foo.pp fails completely.

 Wrong command.

 semodule -i foo.pp
 
 Yes, I have tried this one too:
 
 $ semodule -i /usr/share/selinux/targeted/http_lnk_exec.pp
 $ echo $?
 0
 
 Everything seems OK, but:
 $ semodule -l
 aisexec 1.0.0
 amavis  1.1.0
 ccs 1.0.0
 clamav  1.1.0
 clogd   1.0.0
 dcc 1.1.0
 dnsmasq 1.1.1
 evolution   1.1.0
 ipsec   1.4.0
 iscsid  1.0.0
 local   1.0
 milter  1.0.0
 mozilla 1.1.0
 mplayer 1.1.0
 nagios  1.1.0
 oddjob  1.0.1
 pcscd   1.0.0
 postgrey1.1.0
 prelude 1.0.0
 pyzor   1.1.0
 qemu1.1.2
 razor   1.1.0
 rgmanager   1.0.0
 rhcs1.1.0
 ricci   1.0.0
 smartmon1.1.0
 spamassassin1.9.0
 vhostmd 1.0.0
 virt1.2.1
 zosremote   1.0.0
 
 My module is not listed, and testing shows that the new rule is not
 used:
 $ audit2why < /var/log/audit/audit.log | grep AVC
 type=AVC msg=audit(1295337185.859:297): avc:  denied  { read } for
 pid=1854 comm=httpd name=post-commit dev=sda3 ino=295635
 scontext=system_u:system_r:httpd_t:s0
 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file
 
 I am not sure what

 checkmodule -b foo.pp

 will do.
 
 Without -o, it is supposed to check the syntax of foo.pp. It is
 the only explanation I can get on why semodule -i fails in my case.
 
 Any other suggestion? I am completely stuck...
 
I always build my pp files using

make -f /usr/share/selinux/devel/Makefile

And do not pay much attention to the man behind the curtain. The only
reason I can imagine for a screw up would be a tool chain difference.
Are you using all the same versions of the tool chain (checkpolicy,
libsemanage, policycoreutils, libselinux, selinux-policy) as shipped with
RHEL5?


Re: [CentOS] SELinux : semodule_package, magic number does not match

2011-01-17 Thread Daniel J Walsh

On 01/17/2011 08:25 AM, Philippe Naudin wrote:
 Hello,
 
 I am trying to create a custom policy, but with no success:
 
 $ cat << EOF > foo.te
 module local 1.0;
 
 require {
 type httpd_sys_script_exec_t;
 type httpd_sys_script_t;
 class lnk_file read;
 }
 
 #= httpd_sys_script_t ==
 allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
 EOF
 
 $ checkmodule -M -m -o foo.mod foo.te
 checkmodule:  loading policy configuration from foo.te
 checkmodule:  policy configuration loaded
 checkmodule:  writing binary representation (version 6) to foo.mod
 
 $ semodule_package -o foo.pp -m foo.mod
 $ echo $?
 0
 # So far, so good. But:
 
 $ checkmodule -b foo.pp
 checkmodule:  loading policy configuration from foo.pp
 libsepol.policydb_read: policydb magic number 0xf97cff8f does not match 
 expected magic number 0xf97cff8c or 0xf97cff8d
 checkmodule:  error(s) encountered while parsing configuration
 # And trying to semodule -i foo.pp fails completely.
 
Wrong command.

semodule -i foo.pp

Is what you want to execute.

I am not sure what

checkmodule -b foo.pp

will do.

 So here come my questions:
 
 - is there a boolean to allow httpd to execute a symlinked script?
   (scontext=system_u:system_r:httpd_sys_script_t:s0
   tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file)
 - can someone reproduce the error described above?
 - any clue on how to fix it?
 
 (For the curious one: I am fighting svn hooks on a filesystem
 mounted -o noexec.)
 
 Additional info:
 $ rpm -qa 'kernel*' '*selinux*'
 kernel-2.6.18-194.26.1.el5
 kernel-2.6.18-194.32.1.el5
 kernel-devel-2.6.18-194.26.1.el5
 kernel-devel-2.6.18-194.32.1.el5
 kernel-headers-2.6.18-194.32.1.el5
 libselinux-1.33.4-5.5.el5
 libselinux-devel-1.33.4-5.5.el5
 libselinux-python-1.33.4-5.5.el5
 libselinux-utils-1.33.4-5.5.el5
 selinux-policy-2.4.6-279.el5_5.2
 selinux-policy-devel-2.4.6-279.el5_5.2
 selinux-policy-targeted-2.4.6-279.el5_5.2
 $ uname -a
 Linux despina 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:20 EST 2010
 x86_64 x86_64 x86_64 GNU/Linux
 
 Thanks,
 
