Bug 600749

Summary: Can't load newly created SELinux modules
Product: [Fedora] Fedora
Reporter: Christopher J Tapp <lukaspress>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 13
CC: dwalsh, mgrepl
Hardware: i686   
OS: Linux   
Last Closed: 2010-06-07 20:50:07 UTC

Description Christopher J Tapp 2010-06-05 21:21:38 UTC
Description of problem:
Using SEL targeted policy if that is relevant.  When creating a new module using audit2allow the new policy cannot be loaded.

Version-Release number of selected component (if applicable):
Fedora 13

How reproducible:
Every time (also tried a different test module, still couldn't load it).

Steps to Reproduce:
1. Set SEL to permissive.   
2. Carry out new action (starting googleearth in my case) then run "audit2allow -l -a -M filename".
3. Try to load the new module with "semodule -i filename"
  
Actual results:
[root@peony ~]# setenforce 0
[root@peony ~]# audit2allow -l -a -M selgoogleearth
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i selgoogleearth.pp

[root@peony ~]# semodule -i selgoogleearth.pp
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
semodule:  Failed!
[root@peony ~]# 


Expected results:
module loaded!

Additional info:
I asked about this in the Fedora forum, see thread for more info - 
http://forums.fedoraforum.org/showthread.php?p=1367743&posted=1#post1367743

Comment 1 Daniel Walsh 2010-06-07 14:03:30 UTC
Looks like something might be wrong with your policy install

Could you try 

yum reinstall selinux-policy-targeted

And see if this blows up.

Comment 2 Christopher J Tapp 2010-06-07 15:59:23 UTC
OK - as it had already been suggested on the forum, I had previously reinstalled selinux-policy and policy-targeted prior to reporting the bug. It made no difference.

As you suggested it again though I reinstalled everything SEL-related including replacing one (or were there two?) sel libraries which I had somehow installed from fedora-updates-testing repo. I removed everything, reinstalled everything from fedora.repo, and lo and behold, it works. The selgoogleearth.pp loaded fine.

None of the sel-related GUI programs work though (SEL Management or Policy Generation Tool or any setools). None of them do anything when I click on 'em, but I expect this is a Fedora foible, probably unrelated.  I am looking into this.

Comment 3 Daniel Walsh 2010-06-07 17:22:54 UTC
Run system-config-selinux from the command line and see what error happens?

Are you running with confined users?

Comment 4 Christopher J Tapp 2010-06-07 20:25:43 UTC
Works fine now thanks.  After searching the repos with yum I found the policycoreutils-gui package, which for some reason wasn't installed along with policycoreutils as part of my boot.fedora.org installation.  

All the menu entries were present though, so I can forgive myself for missing a package I didn't even know existed.

So whether this is an SELinux bug or a boot.fedora.org bug, or just a one-off unexplainable error with my installation I don't know.  Given the fact that different elements of SELinux had obviously not installed properly, and now this GUI thing, I guess it's a BFO bug.

I'm not about to try to reproduce it though; not got the time sorry.

Comment 5 Daniel Walsh 2010-06-07 20:50:07 UTC
Ok if it happens again, I will reopen.