Red Hat Bugzilla – Bug 600749
Can't load newly created SELinux modules
Last modified: 2010-06-07 16:50:07 EDT
Description of problem:
Using SEL targeted policy, if that is relevant. When creating a new module using audit2allow, the new policy cannot be loaded.
Version-Release number of selected component (if applicable):
Every time (also tried a different test module, still couldn't load it).
Steps to Reproduce:
1. Set SEL to permissive.
2. Carry out new action (starting googleearth in my case) then run "audit2allow -l -a -M filename".
3. Try to load the new module with "semodule -i filename"
[root@peony ~]# setenforce 0
[root@peony ~]# audit2allow -l -a -M selgoogleearth
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i selgoogleearth.pp
[root@peony ~]# semodule -i selgoogleearth.pp
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
I asked about this in the Fedora forum, see thread for more info -
Looks like something might be wrong with your policy install
Could you try
yum reinstall selinux-policy-targeted
And see if this blows up.
OK - as it had already been suggested on the forum, I had previously reinstalled selinux-policy and policy-targeted prior to reporting the bug. It made no difference.
As you suggested it again though, I reinstalled everything SEL-related, including replacing one (or were there two?) sel libraries which I had somehow installed from the fedora-updates-testing repo. I removed everything, reinstalled everything from fedora.repo, and lo and behold, it works. The selgoogleearth.pp loaded fine.
None of the sel-related GUI programs work though (SEL Management or Policy Generation Tool or any setools). None of them do anything when I click on 'em, but I expect this is a Fedora foible, probably unrelated. I am looking into this.
Run system-config-selinux from the command line and see what error happens?
Are you running with confined users?
Works fine now thanks. After searching the repos with yum I found the policycoreutils-gui package, which for some reason wasn't installed along with policycoreutils as part of my boot.fedora.org installation.
All the menu entries were present though, so I can forgive myself for missing a package I didn't even know existed.
So whether this is an SELinux bug or a boot.fedora.org bug, or just a one-off unexplainable error with my installation, I don't know. Given the fact that different elements of SELinux had obviously not installed properly, and now this GUI thing, I guess it's a BFO bug.
I'm not about to try to reproduce it though; not got the time, sorry.
Ok if it happens again, I will reopen.