Bug 1470848
Summary: | "semodule -i <module>" error message confusing (+ /usr/libexec/selinux/hll/mod not available distro-wide) | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Pokorný [poki] <jpokorny> |
Component: | policycoreutils | Assignee: | Vit Mojzis <vmojzis> |
Status: | CLOSED WONTFIX | QA Contact: | Milos Malik <mmalik> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.4 | CC: | dwalsh, lvrabec, mgrepl, mmalik, plautrba, ssekidde |
Target Milestone: | rc | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-02-01 16:04:55 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Jan Pokorný [poki]
2017-07-13 19:43:29 UTC
checkmodule is only part of the process which creates a binary policy module. But you need to create SELinux policy module using

semodule_package -o <output file> -m <module> [-f <file contexts>]

In your case it would be:

# semodule_package -o allow_crm_mon_cgi.pp -m allow_crm_mon_cgi.mod
# semodule -i allow_crm_mon_cgi.pp
# semodule -lfull | grep crm_mon
400 allow_crm_mon_cgi pp

Sorry, problem on my side, I skipped the middle step, correct recipe
is then:
# >allow_crm_mon_cgi.te cat <<EOF
module allow_crm_mon_cgi 1.0;
require {
type cluster_t;
type httpd_sys_script_t;
class unix_stream_socket connectto;
}
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t cluster_t:unix_stream_socket connectto;
EOF
# checkmodule -M -m -o allow_crm_mon_cgi.{mod,te}
> checkmodule: loading policy configuration from allow_crm_mon_cgi.te
> checkmodule: policy configuration loaded
> checkmodule: writing binary representation (version 17) to allow_crm_mon_cgi.mod
# semodule_package -o allow_crm_mon_cgi.pp -m allow_crm_mon_cgi.mod
# semodule -i allow_crm_mon_cgi.pp
Hence, turning the bug into output when accidentally using module instead
of module package with "semodule -i" being unhelpful (and referring to
the executable which is not available in the distro).
Note: audit2allow(1) man page already describes it:

Building module policy manually

# Compile the module
$ checkmodule -M -m -o local.mod local.te
# Create the package
$ semodule_package -o local.pp -m local.mod
# Load the module into the kernel
$ semodule -i local.pp
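Added example, not part of the bug report or of policycoreutils: a pre-flight check that tells a bare module (checkmodule -m output) from a module package (semodule_package output) by the leading 32-bit magic, so the skipped step is caught before "semodule -i" runs. The function names are hypothetical; the magic values are the ones defined in the libsepol headers, and only uncompressed files are recognised.

```shell
#!/bin/sh
# Added example: classify an SELinux policy file by its first four bytes.
# The magic numbers come from libsepol and are stored little-endian on disk.
# Assumption: the file is uncompressed; a bzip2-compressed package reads as "unknown".

# selinux_file_kind FILE -> prints package | module | kernel-policy | unknown
selinux_file_kind() {
    # First 4 bytes as contiguous lowercase hex; an unreadable file yields "".
    magic=$(od -An -tx1 -N4 2>/dev/null < "$1" | tr -d ' \n')
    case "$magic" in
        8fff7cf9) echo package ;;        # 0xf97cff8f SEPOL_MODULE_PACKAGE_MAGIC (.pp)
        8dff7cf9) echo module ;;         # 0xf97cff8d POLICYDB_MOD_MAGIC (.mod)
        8cff7cf9) echo kernel-policy ;;  # 0xf97cff8c POLICYDB_MAGIC (monolithic policy)
        *)        echo unknown ;;
    esac
}

# preflight FILE -> 0 if FILE is a module package, 2 if it is a bare module
# (prints the missing semodule_package step), 1 for anything else.
preflight() {
    kind=$(selinux_file_kind "$1")
    case "$kind" in
        package)
            return 0 ;;
        module)
            base=${1%.mod}
            echo "$1 is a bare module, not a module package; first run:" >&2
            echo "  semodule_package -o $base.pp -m $1" >&2
            return 2 ;;
        *)
            echo "$1 is not a policy module package (detected: $kind)" >&2
            return 1 ;;
    esac
}

# Stand-alone use: sh preflight.sh allow_crm_mon_cgi.mod
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```
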