Description of problem: semodule errors during install any selinux module Version-Release number of selected component (if applicable): Updated Fedora 11 x86_64. SELinux Enforce Mode How reproducible: [root@fedora Desktop]# echo "policy_module(mymodule, 0.0.1)" > mymodule.te; [root@fedora Desktop]# cat mymodule.te policy_module(mymodule, 0.0.1) [root@fedora Desktop]# make -f /usr/share/selinux/devel/Makefile mymodule.pp Compiling targeted mymodule module /usr/bin/checkmodule: loading policy configuration from tmp/mymodule.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 10) to tmp/mymodule.mod Creating targeted mymodule.pp policy package rm tmp/mymodule.mod.fc tmp/mymodule.mod [root@fedora Desktop]# semodule -i mymodule.pp libsepol.module_package_read_offsets: wrong magic number for module package: expected 0xf97cff8f, got 0x646f6d0a libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/moduleName.te. semodule: Failed! [root@fedora Desktop]# cat mymodule.te policy_module(mymodule, 0.0.1)
Is this only happening with single line policies or are you claiming all policy modules are broken?
I'm trying to add my custom type sa_t: [root@fedora Desktop]# cat local.te policy_module(local, 0.0.1) type sa_t; [root@fedora Desktop]# make -f /usr/share/selinux/devel/Makefile local.pp Compiling targeted local module /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 10) to tmp/local.mod Creating targeted local.pp policy package rm tmp/local.mod.fc tmp/local.mod [root@fedora Desktop]# semodule -i local.pp libsepol.module_package_read_offsets: wrong magic number for module package: expected 0xf97cff8f, got 0x646f6d0a libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/moduleName.te. semodule: Failed! All modules even created by audit2allow broke during install by same errors. Setroubleshootd warns: type=AVC msg=audit(1249638170.000:28): avc: denied { getattr } for pid=7196 comm="fprintd" name="/" dev=sda2 ino=2 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. I'm trying: [root@fedora Desktop]# grep fprintd_t /var/log/audit/audit.log | audit2allow -M fprintd [root@fedora Desktop]# cat fprintd.te module fprintd 1.0; require { type fprintd_t; type fs_t; class filesystem getattr; } #============= fprintd_t ============== allow fprintd_t fs_t:filesystem getattr; [root@fedora Desktop]# semodule -i fprintd.pp libsepol.module_package_read_offsets: wrong magic number for module package: expected 0xf97cff8f, got 0x646f6d0a libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/moduleName.te. semodule: Failed! And. The name of module in .te file should by like: policy_module(local, 0.0.1) or like created by audit2allow module fprintd 1.0; Which declaration is right? I have read that declaration "module fprintd 1.0;" is obsolete. But why audit2allow creates obsolete syntax?
I think you might have something screwed up in your policy store. You can probably clean this up by executing setenforce 0 mv /etc/selinux/targeted /etc/selinux/targeted.old yum reinstall selinux-policy\* restorecon -R -v /etc/selinux setenforce 1
policy_module(local. 1.0) is a macro that ends up generating module local 1.0; plus a lot of other stuff.
I'm running: setenforce 0 mv /etc/selinux/targeted /etc/selinux/targeted.old yum reinstall selinux-policy\* restorecon -R -v /etc/selinux and this step locked down my system: setenforce 1 after reboot I could not login. load LiveCd - mount disk - and change selinux mode to permissive. I installed Fedora 11 x86_64 on VirtualBox machine and a I didn't observe any semodule error during install same modules.
If you boot with the kernel line enforcing=0, you should be able to login. I have a feeling you have a mislabeled system. Are you seeing lots of AVC messages in /var/log/audit/audit.log?
cat /etc/selinux/config | grep SELINUX # SELINUX= can take one of these three values: SELINUX=permissive # SELINUXTYPE= type of policy in use. Possible values are: SELINUXTYPE=targeted mv /etc/selinux/targeted /etc/selinux/targeted.old yum reinstall selinux-policy\* restorecon -R -v /etc/selinux reboot After rebooting I can see many warnings in /var/log/audit/audit.log
Try relabeling your entire system and see if you can login. # touch /.autorelabel; reboot
SELINUX=permissive # touch /.autorelabel; reboot many selinux warnings during booting system can login in gnome. many warnings in setroubleshoot #-------------------------------------------------- SELINUX=enforcing # touch /.autorelabel; reboot many selinux warnings during booting system can't login in gdm can login in shell, but any commands such: ls, cd, nano /etc/selinux/config continued with Permission Denied. So system not usable.
What file system are you using? What kind of AVC messages are you seeing grep /var/log/audit/audit.log
ext4 cat /var/log/audit/audit.log type=DAEMON_START msg=audit(1249495269.054:1027): auditd start, ver=1.7.13 format=raw kernel=2.6.29.6-217.2.3.fc11.x86_64 auid=4294967295 pid=1154 subj=system_u:system_r:auditd_t:s0 res=success type=CONFIG_CHANGE msg=audit(1249495269.176:4): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1 type=USER_AUTH msg=audit(1249495274.576:5): user pid=1673 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="fulltux" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)' type=USER_ACCT msg=audit(1249495274.596:6): user pid=1673 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="fulltux" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)' type=CRED_ACQ msg=audit(1249495274.605:7): user pid=1673 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="fulltux" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)' type=LOGIN msg=audit(1249495274.606:8): login pid=1673 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=1 type=USER_ROLE_CHANGE msg=audit(1249495274.709:9): user pid=1673 uid=0 auid=500 ses=1 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023: exe="/usr/libexec/gdm-session-worker" type=AVC msg=audit(1250799194.800:93): avc: denied { dac_override } for pid=2450 comm="bash" capability=1 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=capability type=SYSCALL msg=audit(1250799194.800:93): arch=c000003e syscall=4 success=yes exit=0 a0=4a1773 a1=7fff237b56b0 a2=7fff237b56b0 a3=a items=0 ppid=2434 pid=2450 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null) type=AVC msg=audit(1250799194.802:94): avc: denied { read } for pid=2450 comm="bash" name=".bashrc" dev=sda2 ino=4712 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file type=AVC msg=audit(1250799194.802:94): avc: denied { open } for pid=2450 comm="bash" name=".bashrc" dev=sda2 ino=4712 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file type=SYSCALL msg=audit(1250799194.802:94): arch=c000003e syscall=2 success=yes exit=3 a0=17a1ad0 a1=0 a2=17a0be0 a3=1 items=0 ppid=2434 pid=2450 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)
You still are running with a bad policy environment # setenforce 0 # yum remove selinux-policy selinux-policy-targeted # yum install selinux-policy selinux-policy-targeted # touch /.autorelabel # reboot
Only this steps helps me: # setenforce 0 # yum remove selinux-policy selinux-policy-targeted # yum install selinux-policy selinux-policy-targeted # touch /.autorelabel # reboot But not processing yum reinstall. After reboot: # getenforce Enforcing # echo "policy_module(mymodule, 0.0.1)" > mymodule.te; # make -f /usr/share/selinux/devel/Makefile mymodule.pp # semodule -i mymodule.pp # semodule -l | grep mymodule mymodule 0.0.1 Problem solved. Thanks!
Fixed in selinux-policy-3.6.12-81.fc11.noarch