Bug 1470848

Summary: "semodule -i <module>" error message confusing (+ /usr/libexec/selinux/hll/mod not available distro-wide)
Product: Red Hat Enterprise Linux 7
Component: policycoreutils
Version: 7.4
Hardware: All
OS: Linux
Reporter: Jan Pokorný [poki] <jpokorny>
Assignee: Vit Mojzis <vmojzis>
QA Contact: Milos Malik <mmalik>
CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, ssekidde
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Keywords: Reopened
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2018-02-01 16:04:55 UTC

Description Jan Pokorný [poki] 2017-07-13 19:43:29 UTC
I was following audit2allow(1), "Building module policy manually":

# >allow_crm_mon_cgi.te cat <<EOF
module allow_crm_mon_cgi 1.0;

require {
	type cluster_t;
	type httpd_sys_script_t;
	class unix_stream_socket connectto;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t cluster_t:unix_stream_socket connectto;
EOF

# checkmodule -M -m -o allow_crm_mon_cgi.{mod,te}
> checkmodule:  loading policy configuration from allow_crm_mon_cgi.te
> checkmodule:  policy configuration loaded
> checkmodule:  writing binary representation (version 17) to allow_crm_mon_cgi.mod

# semodule -i allow_crm_mon_cgi.mod
> libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/mod failed with code: 1. (No such file or directory).
> allow_crm_mon_cgi: libsemanage.semanage_pipe_data: Unable to execute /usr/libexec/selinux/hll/mod : No such file or directory
> allow_crm_mon_cgi:  (No such file or directory).
> libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
>  (No such file or directory).
> semodule:  Failed!


Repoquery goes silent about the /usr/libexec/selinux/hll/mod file.
What am I missing?

I suggest either delivering the missing file or fixing the audit2allow(1)
man page.


# rpm -q policycoreutils libsemanage
> policycoreutils-2.5-17.1.el7.x86_64
> libsemanage-2.5-8.el7.x86_64


Note that:

# cat audit_log_sample | audit2allow -M allow_crm_mon_cgi_round_2
# semodule -i allow_crm_mon_cgi_round_2.pp

works well, but I do want to factor audit2allow out from the procedure
for my use case.

Comment 2 Petr Lautrbach 2017-07-13 20:07:31 UTC
checkmodule is only part of the process; it creates a binary policy module. But you need to create an SELinux policy module using

semodule_package -o <output file> -m <module> [-f <file contexts>]

In your case it would be:

# semodule_package -o allow_crm_mon_cgi.pp -m allow_crm_mon_cgi.mod

# semodule -i allow_crm_mon_cgi.pp

# semodule -lfull | grep crm_mon
400 allow_crm_mon_cgi pp

Comment 3 Jan Pokorný [poki] 2017-07-13 20:08:51 UTC
Sorry, the problem is on my side: I skipped the middle step. The correct
recipe is then:


# >allow_crm_mon_cgi.te cat <<EOF
module allow_crm_mon_cgi 1.0;

require {
	type cluster_t;
	type httpd_sys_script_t;
	class unix_stream_socket connectto;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t cluster_t:unix_stream_socket connectto;
EOF

# checkmodule -M -m -o allow_crm_mon_cgi.{mod,te}
> checkmodule:  loading policy configuration from allow_crm_mon_cgi.te
> checkmodule:  policy configuration loaded
> checkmodule:  writing binary representation (version 17) to allow_crm_mon_cgi.mod

# semodule_package -o allow_crm_mon_cgi.pp -m allow_crm_mon_cgi.mod

# semodule -i allow_crm_mon_cgi.pp


Hence, turning this bug into: the output when accidentally using a module
instead of a module package with "semodule -i" is unhelpful (and refers to
an executable which is not available in the distro).

Comment 4 Petr Lautrbach 2017-07-13 20:09:25 UTC
Note: the audit2allow(1) man page already describes it:

       Building module policy manually

       # Compile the module
       $ checkmodule -M -m -o local.mod local.te

       # Create the package
       $ semodule_package -o local.pp -m local.mod

       # Load the module into the kernel
       $ semodule -i local.pp
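The three-step recipe from Comment 3 and the man page excerpt above, wrapped in shell functions, as an added example that is not part of the bug report or of policycoreutils. It adds the check that this bug is about: before "semodule -i" is run, the input is inspected and a binary module (checkmodule output) is rejected with a message naming the missing semodule_package step, instead of the "/usr/libexec/selinux/hll/mod" error from the description. The file magics are an assumption taken from the libsepol headers (POLICYDB_MOD_MAGIC 0xf97cff8d for a binary module, SEPOL_MODULE_PACKAGE_MAGIC 0xf97cff8f for a package, both stored little-endian); the sample files are constructed headers so the classifier can be exercised on a host without the SELinux toolchain, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or from policycoreutils): the
# checkmodule -> semodule_package -> semodule recipe wrapped in functions,
# plus a pre-check that catches a .mod handed to "semodule -i".
#
# ASSUMPTION: the magics below are the little-endian values from the libsepol
# headers (POLICYDB_MOD_MAGIC 0xf97cff8d for a binary module,
# SEPOL_MODULE_PACKAGE_MAGIC 0xf97cff8f for a package). Verify them against
# the libsepol version on your system before relying on the check.

# classify_policy_file FILE: prints "module", "package" or "unknown"
# based on the first four bytes of FILE.
classify_policy_file() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        8dff7cf9) echo module ;;
        8fff7cf9) echo package ;;
        *)        echo unknown ;;
    esac
}

# install_policy_package FILE: refuse anything that is not a package, with a
# message that names the missing step; otherwise run "semodule -i FILE".
install_policy_package() {
    pkg=$1
    kind=$(classify_policy_file "$pkg")
    case "$kind" in
        package) ;;
        module)
            echo "error: $pkg is a binary module (checkmodule output), not a package." >&2
            echo "       run: semodule_package -o ${pkg%.mod}.pp -m $pkg" >&2
            return 1 ;;
        *)
            echo "error: $pkg is not a policy package (unknown magic)." >&2
            return 1 ;;
    esac
    command -v semodule >/dev/null 2>&1 || { echo "error: semodule not found" >&2; return 1; }
    semodule -i "$pkg"
}

# build_and_install NAME.te: the full recipe from the audit2allow(1) man page.
build_and_install() {
    te=$1
    base=${te%.te}
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "error: $tool not found" >&2; return 1; }
    done
    checkmodule -M -m -o "$base.mod" "$te"        || return 1
    semodule_package -o "$base.pp" -m "$base.mod"  || return 1
    install_policy_package "$base.pp"
}

# Constructed sample headers (only the 4-byte magic) so the classifier can be
# exercised on a machine without the SELinux toolchain.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '\215\377\174\371' > "$SAMPLE_DIR/sample.mod"   # 0xf97cff8d, little-endian
printf '\217\377\174\371' > "$SAMPLE_DIR/sample.pp"    # 0xf97cff8f, little-endian
printf 'module x 1.0;\n'  > "$SAMPLE_DIR/sample.te"    # plain text source, not a module

# Usage on a real host: SELINUX_BUILD_TE=allow_crm_mon_cgi.te sh this_script.sh
if [ -n "${SELINUX_BUILD_TE:-}" ]; then
    build_and_install "$SELINUX_BUILD_TE"
fi
```

The classifier reads only the file header, so it does not depend on the file extension; a .mod that was renamed to .pp is still caught. The real build path is gated behind the SELINUX_BUILD_TE variable so that sourcing the script only defines the functions and sample files.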