Bug 518094 - semodule errors during install modules
Summary: semodule errors during install modules
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 11
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-08-18 20:52 UTC by tuxee
Modified: 2012-05-29 11:57 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-04 15:20:45 UTC


Attachments (Terms of Use)

Description tuxee 2009-08-18 20:52:11 UTC
Description of problem:
semodule errors during install any selinux module


Version-Release number of selected component (if applicable):
Updated Fedora 11 x86_64. SELinux Enforce Mode

How reproducible:

[root@fedora Desktop]# echo "policy_module(mymodule, 0.0.1)" > mymodule.te;
[root@fedora Desktop]# cat mymodule.te
policy_module(mymodule, 0.0.1)
[root@fedora Desktop]# make -f /usr/share/selinux/devel/Makefile mymodule.pp
Compiling targeted mymodule module
/usr/bin/checkmodule: loading policy configuration from tmp/mymodule.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/mymodule.mod
Creating targeted mymodule.pp policy package
rm tmp/mymodule.mod.fc tmp/mymodule.mod
[root@fedora Desktop]# semodule -i mymodule.pp
libsepol.module_package_read_offsets: wrong magic number for module package: expected 0xf97cff8f, got 0x646f6d0a
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/moduleName.te.
semodule: Failed!
[root@fedora Desktop]# cat mymodule.te
policy_module(mymodule, 0.0.1)

Comment 1 Daniel Walsh 2009-08-18 22:36:44 UTC
Is this only happening with single line policies or are you claiming all policy modules are broken?

Comment 2 tuxee 2009-08-19 08:23:10 UTC
I'm trying to add my custom type sa_t:

[root@fedora Desktop]# cat local.te 

policy_module(local, 0.0.1)

type sa_t;

[root@fedora Desktop]# make -f /usr/share/selinux/devel/Makefile local.pp
Compiling targeted local module
/usr/bin/checkmodule:  loading policy configuration from tmp/local.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/local.mod
Creating targeted local.pp policy package
rm tmp/local.mod.fc tmp/local.mod
[root@fedora Desktop]# semodule -i local.pp 
libsepol.module_package_read_offsets: wrong magic number for module package:  expected 0xf97cff8f, got 0x646f6d0a
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/moduleName.te.
semodule:  Failed!


All modules even created by audit2allow broke during install by same errors.

Setroubleshootd warns:

type=AVC msg=audit(1249638170.000:28): avc:  denied  { getattr } for  pid=7196 comm="fprintd" name="/" dev=sda2 ino=2 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.



I'm trying:


[root@fedora Desktop]# grep fprintd_t /var/log/audit/audit.log | audit2allow -M fprintd

[root@fedora Desktop]# cat fprintd.te 

module fprintd 1.0;

require {
	type fprintd_t;
	type fs_t;
	class filesystem getattr;
}

#============= fprintd_t ==============
allow fprintd_t fs_t:filesystem getattr;

[root@fedora Desktop]# semodule -i fprintd.pp 
libsepol.module_package_read_offsets: wrong magic number for module package:  expected 0xf97cff8f, got 0x646f6d0a
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/moduleName.te.
semodule:  Failed!




And. The name of module in .te file should by like:

policy_module(local, 0.0.1)

or

like created by audit2allow

module fprintd 1.0;

Which declaration is right? 
I have read that declaration "module fprintd 1.0;" is obsolete. But why audit2allow creates obsolete syntax?

Comment 3 Daniel Walsh 2009-08-19 21:09:18 UTC
I think you might have something screwed up in your policy store.

You can probably clean this up by executing

setenforce 0
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy\*
restorecon -R -v /etc/selinux
setenforce 1

Comment 4 Daniel Walsh 2009-08-20 12:00:24 UTC
policy_module(local. 1.0) is a macro that ends up generating

module local 1.0;

plus a lot of other stuff.

Comment 5 tuxee 2009-08-20 13:31:32 UTC
I'm running:

setenforce 0
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy\*
restorecon -R -v /etc/selinux

and this step locked down my system:
setenforce 1  

after reboot I could not login. 
load LiveCd - mount disk - and change selinux mode to permissive.

I installed Fedora 11 x86_64 on VirtualBox machine and a I didn't observe any semodule error during install same modules.

Comment 6 Daniel Walsh 2009-08-20 13:36:56 UTC
If you boot with the kernel line enforcing=0, you should be able to login.

I have a feeling you have a mislabeled system.  Are you seeing lots of AVC messages in /var/log/audit/audit.log?

Comment 7 tuxee 2009-08-20 16:22:41 UTC
cat /etc/selinux/config | grep SELINUX
# SELINUX= can take one of these three values:
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
SELINUXTYPE=targeted

mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy\*
restorecon -R -v /etc/selinux

reboot

After rebooting I can see many warnings in /var/log/audit/audit.log

Comment 8 Daniel Walsh 2009-08-20 16:29:30 UTC
Try relabeling your entire system and see if you can login.

# touch /.autorelabel; reboot

Comment 9 tuxee 2009-08-20 17:04:52 UTC
SELINUX=permissive
# touch /.autorelabel; reboot  
many selinux warnings during booting system
can login in gnome. many warnings in setroubleshoot

#--------------------------------------------------

SELINUX=enforcing
# touch /.autorelabel; reboot 
many selinux warnings during booting system
can't login in gdm
can login in shell, but any commands such: ls, cd, nano /etc/selinux/config continued with Permission Denied. So system not usable.

Comment 10 Daniel Walsh 2009-08-20 17:18:30 UTC
What file system are you using?

What kind of AVC messages are you seeing 
grep /var/log/audit/audit.log

Comment 11 tuxee 2009-08-20 20:17:12 UTC
ext4

cat /var/log/audit/audit.log  

type=DAEMON_START msg=audit(1249495269.054:1027): auditd start, ver=1.7.13 format=raw kernel=2.6.29.6-217.2.3.fc11.x86_64 auid=4294967295 pid=1154 subj=system_u:system_r:auditd_t:s0 res=success
type=CONFIG_CHANGE msg=audit(1249495269.176:4): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=USER_AUTH msg=audit(1249495274.576:5): user pid=1673 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="fulltux" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1249495274.596:6): user pid=1673 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="fulltux" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=CRED_ACQ msg=audit(1249495274.605:7): user pid=1673 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="fulltux" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
type=LOGIN msg=audit(1249495274.606:8): login pid=1673 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=1
type=USER_ROLE_CHANGE msg=audit(1249495274.709:9): user pid=1673 uid=0 auid=500 ses=1 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023: exe="/usr/libexec/gdm-session-worker"
type=AVC msg=audit(1250799194.800:93): avc:  denied  { dac_override } for  pid=2450 comm="bash" capability=1 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=capability
type=SYSCALL msg=audit(1250799194.800:93): arch=c000003e syscall=4 success=yes exit=0 a0=4a1773 a1=7fff237b56b0 a2=7fff237b56b0 a3=a items=0 ppid=2434 pid=2450 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(1250799194.802:94): avc:  denied  { read } for  pid=2450 comm="bash" name=".bashrc" dev=sda2 ino=4712 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1250799194.802:94): avc:  denied  { open } for  pid=2450 comm="bash" name=".bashrc" dev=sda2 ino=4712 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1250799194.802:94): arch=c000003e syscall=2 success=yes exit=3 a0=17a1ad0 a1=0 a2=17a0be0 a3=1 items=0 ppid=2434 pid=2450 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)

Comment 12 Daniel Walsh 2009-08-21 19:20:21 UTC
You still are running with a bad policy environment

# setenforce 0
# yum remove selinux-policy selinux-policy-targeted
# yum install selinux-policy selinux-policy-targeted
# touch /.autorelabel
# reboot

Comment 13 tuxee 2009-08-22 10:17:07 UTC
Only this steps helps me:

# setenforce 0
# yum remove selinux-policy selinux-policy-targeted
# yum install selinux-policy selinux-policy-targeted
# touch /.autorelabel
# reboot  

But not processing yum reinstall.

After reboot:

# getenforce 
Enforcing
# echo "policy_module(mymodule, 0.0.1)" > mymodule.te;
# make -f /usr/share/selinux/devel/Makefile mymodule.pp
# semodule -i mymodule.pp
# semodule -l | grep mymodule
mymodule	0.0.1


Problem solved. Thanks!

Comment 14 Daniel Walsh 2009-09-04 15:20:45 UTC
Fixed in selinux-policy-3.6.12-81.fc11.noarch


Note You need to log in before you can comment on or make changes to this bug.